Android Phone causes googel IP's to show up in the logs
I'm faily new to pfsense but got (nearly) everything running as I need it to.
I'm currently running trough the firewall logs and try to identify issues with my setup.
I'm running pfSense behind a FritzBox which does the dial in. The pfSense box only got one WAN and one LAN adapter. I got the OpenVPN Client tunneling all the LAN traffic to an external VPN Provider. I made sure that no LAN clients can access any WAN destinations.
Now there are 2 continues logs entries I like to get rid of (unblock). Please let me know if I need to supply more infos on this issue.
1. It seems that my Android Phone tries to contact google every few minutes and this seems to be blocked by pfsense.
2. Now the second issue is that my FritzBox does a IGMP broadcast every 2 minutes.
I tried adding some rules to the LAN/WAN Adapter, but this did not help. I guess all I need, is some guidance on "where do I need to set what" in these cases. (Sorry I'm no firewalling pro)
As said let me know which part of my configuration you need to see and I'll post some pictures.
Thanks for taking the time and help me !
what you see in your firewall logs is traffic that was blocked. A very easy way to allow this traffic is to click on the green icon (arrow) in front of the destination address. This will add a "quick rule" to the correct interface. In your case it would add an allow rule on the LAN interface.
Then it could be possible - dependend on your other rules - that you need to move the rule up or down. This is important on pfsense firewall rules:
All rules will be proccessed from top to down. The first rule which matches will be used and no other rule will take action.
If you do not allow any traffic on an interface than all traffic will be blocked. So by default everything is blocked until you allow it.
What's the problem with the IGMP. Do you need this oder does it just spam your logs?
Probably you have enabled to log all traffic which is blocked by default rule. To silent this a little bit you could add a quick rule (block) for the IGMP traffic and disable logging for this rule (by default logging is disabled). Then traffic will reach this rule, will still be blocked - as it would be by the default rule - but nothing will be logged.
Hopefully this will help you!
that helped a lot ! Funny, I've seen that little icon but never clicked on it nor did I hovered the mouse over it DOH.
After looking at my rules and with the help of the quick rule, I realized that I had the "Block private networks" tick set for the WAN Address… pretty stupid huh?
Can you explain me why the connections from my phone is blocked at all ? Ah and let me add that the IP changes. I Have Identified 6 - 10 differents IP's so far. I don't really want to add them all manually. I thought that my 3rd Rule is pointing all request from all LAN clients trough the VPNGW
please note that the last 2 rules have been added automatically when I added a port forwarding. I Don't think I really need them there.
PortForwarding rules in general only make sense on the WAN interface because this is the only interface where you do NAT in general. So if you created PortForwarding rules which match on the WAN interface then you should normally never get these rules automatically on your LAN interface.
The second rule "Block traffic to WAN" makes no sense to me because the third rule "Default allow LAN to any rule" has a specific Gateway which probably does not point to your WAN subnet..
But in general you are right - the third rule should route all traffic, which was initiated on your LAN subnet with LAN subnet IP-Address through VPNGW.
I am not really sure about that but does the VPNGW allow you to pass unNATted IP addresses? It could be possible that you need to NAT traffic on your VPNGW. This could be done with "Manual outbound NAT rules" on the firewall –> NAT menu.
You could enable loggin g on your third rule and check the firewall logs which traffic passes this rule.
Further do you use any other packages, squid proxy ?
I'm not using any packages so far.
The "Block traffic to WAN" was needed, cause when the VPN tunnel died, for whatever reason, all traffic was routed trough the WAN interface.
I did the portforwarding rule cause I wanted to make sure my Mediaplayer was reachable trough the Tunnel. I just did some test and realized that it was only working from inside the LAN. So I have removed this rule again. I already setup the "Manual outbound NAT rule", without it, no traffic was routed trough the tunnel.
Maybe I've set this up incorrectly… what I've tried was to make sure no traffic to external addresses should be routed trough the WAN, instead it should use the VPN Tunnel.
How would you set this up ? Maybe this is more a question for the OpenVPN Forum then ?
as I said I am no expert when using OpenVPN ins this scenarion so it would make sense to post it on the OpenVPN forum.
Thanks Nachtfalke, will do.