Firewall all kinds of weird and spontaneous blocks on LAN
-
G'afternoon ;D
Having freshly upgraded to 2.1, my beloved Pfsense is driving me crazy. There are all kinds of spontaneous blocks occurring in LAN. I have created some screenshots. Pfsense is at 192.168.2.1, I am at 192.168.2.12.
I have also added a screenshot of my LAN rules. As you may see, most of these rules are attempts to get rid of all the broadcast crap that clutters up my logs. Aside from that, there are some rules to prevent my Synology anywhere but to my usenet provider, and to prevent my HTPC from going anywhere I don't want it to go. I thought nothing unusual here.
The rule at the top, to allow 2.12 access to 2.1 is one I just added because I got tired of my Pfsense appearing to hang when I was in the GUI, which forced me to ssh into it to restart the web configurator (option 11).
I also have Snort on WAN and LAN, but the Snort logs don't show anything at all for LAN, so I'm not sure here. Finally, both this 2.12 being blocked to 2.1 as well as the crap in the logs seems to be dependent on the weather ( ;D); so it does it for 4 hours, and so it doesn't do it for two hours.
Would anybody happen to know what it going on here?
Thank you very much for your help ;D
-
Why did you use 192.168.2.0?
Just curious.
I'm not sure why the webgui would hang but the anti-lockout rule at the top would cover that so it shouldn't matter if you have that line allowing your workstation address to the pfsense box.
-
Why did you use 192.168.2.0?
Just curious.
I'm not sure why the webgui would hang but the anti-lockout rule at the top would cover that so it shouldn't matter if you have that line allowing your workstation address to the pfsense box.
Thank you for your reply ;D
I have no clue ???
I thought this was something with how you take care of a subnet, but to be honest: I don't know the difference (if any) between 192.168.2.0 and 192.168.2.1 (I'm not the brightest in these matters :P).
-
Most of those rule are gibberish.. 192.168.2.1 to lan net for example.. 127.0.0.1 to the lan net
Lan net to 127.0.0.1?? How would pfsense see traffic coming into its lan port from the network to 127.0.0.1 – 127.0.0.1 is loopback that every machine has, packets should never get put on the wire.
How about you change your rules back to DEFAULT which is any any from the lan net.. and then post up these log entries to we can take a look see to what might be causing them..
Dest=255.255.255.255 dPort=67
is a dhcpdiscover packet - so why would that be blocked in firewall There are hidden rules that should allow that traffic anyway.
-
@Hollander:
I have also added a screenshot of my LAN rules. As you may see, most of these rules are attempts to get rid of all the broadcast crap that clutters up my logs. Aside from that, there are some rules to prevent my Synology anywhere but to my usenet provider, and to prevent my HTPC from going anywhere I don't want it to go. I thought nothing unusual here.
Once you get rid of all those rules, you can stop the logging of that "crap" by going to System Log Settings and disabling the options in "Log Firewall Default Blocks"
-
@Hollander:
I have also added a screenshot of my LAN rules. As you may see, most of these rules are attempts to get rid of all the broadcast crap that clutters up my logs. Aside from that, there are some rules to prevent my Synology anywhere but to my usenet provider, and to prevent my HTPC from going anywhere I don't want it to go. I thought nothing unusual here.
Once you get rid of all those rules, you can stop the logging of that "crap" by going to System Log Settings and disabling the options in "Log Firewall Default Blocks"
Thank you for your reply ;D
(And sorry if 'crap' offended you :-[).
It was my understanding that if I disable logging the default rule, that I then actually won't see any blocks at all except for custom WAN-rules (which I hardly have, except for 1 pfBlocker rule that I can't seem to get to work). And if that would be the case, I would be wondering if everything was working correctly since I don't see anything being blocked on WAN.
So, I think from a trainee-home-sysadmin who gets food from WIFE (IF wife happy THEN trainee food) in return for making sure everything works, I would like to see blocks coming in on WAN, and not have the [s]crap not very meaningful information showing up on LAN ( ;D).
-
Dude there is nothing but NOISE on the public NET.. if your pfsense is directly connected to it your wan blocks will be very busy.. Is pfsense behind a NAT? Then yeah your wan blocks will be very quiet.. See here is example of wan noise..
If your not seeing wan blocks I have to assume you are behind a nat already hiding the noise??
Why don't you change your rules back to default, and then show us some examples of what your seeing both wan and lan and we can go over what your seeing and if you want it to be logged or why its logged or how to not log it, etc. etc..
-
Most of those rule are gibberish.. 192.168.2.1 to lan net for example.. 127.0.0.1 to the lan net
Lan net to 127.0.0.1?? How would pfsense see traffic coming into its lan port from the network to 127.0.0.1 – 127.0.0.1 is loopback that every machine has, packets should never get put on the wire.
How about you change your rules back to DEFAULT which is any any from the lan net.. and then post up these log entries to we can take a look see to what might be causing them..
Dest=255.255.255.255 dPort=67
is a dhcpdiscover packet - so why would that be blocked in firewall There are hidden rules that should allow that traffic anyway.
Thanks John, I overlooked your reply yesterday :-[
And yes, you are very right: these rules probably are complete gibberish. But they arrived there because for some reason or the other, they helped me stop the 'not very informative information' (trying to prevent the word [s]crap;D). Its bits and pieces I managed to take up from reading many other posts on this fine forum, where other users did this to get rid of it.
You are right, I will disable all these rules so I can show here what ends up. I'll reply to your other post below also for one point.
Thank you for your help ;D
-
Dude there is nothing but NOISE on the public NET.. if your pfsense is directly connected to it your wan blocks will be very busy.. Is pfsense behind a NAT? Then yeah your wan blocks will be very quiet.. See here is example of wan noise..
If your not seeing wan blocks I have to assume you are behind a nat already hiding the noise??
Why don't you change your rules back to default, and then show us some examples of what your seeing both wan and lan and we can go over what your seeing and if you want it to be logged or why its logged or how to not log it, etc. etc..
It might be noise, John (it probably is), but my point is: if I don't see anything being blocked, how can I be sure something is blocked in the first place. Trust is good, but verification is better ;D
pfSense is doing the NAT as far as I know, it connects directly to my ISP using PPPoE dial up.
-
To the question of why he used 192.168.2.0/24 instead of 192.168.1.0/24… I say if it was a mistake, then it was a GOOD mistake.
Too many people use that address space and in general it is a good idea to stay away from it.
-
Why don't you change your rules back to default, and then show us some examples of what your seeing both wan and lan and we can go over what your seeing and if you want it to be logged or why its logged or how to not log it, etc. etc..
Well, it was relatively quite for a while, but I am getting depressed once again :'(
I've taken your recommendation some time ago and disabled all rules so I had only the defaults. From there on, once I got all these 'noise-messages' you don't want to see I added them one by one to the firewall, so we can see what is happening. I consolidated some of them into an alias to keep the overview. Currently, also, since a couple of days, my logs are literally flooded with Ipv6-messages, no clue why; it just suddenly started. Also, when you click on the red 'x' in the firewall log to see which rule it was, I think there are some bugs, as LAN-traffic according to the information from the red cross is blocked by a rule for VLAN40( :o).
I will post screenshots, and I will be in your debt once again if you could help me get rid of this, because not only is my log looking like a mess, so is my firewall rules screen.
Also, in the screen of the firewall, to my more than strange surprise, if I try to allow any * any * you will still see I had to add a any [port] any [port] rule to try to silence it. And then still sometimes it doesn't work :'(
I am going to add screenshots now.
-
IPv6 blocks on LAN (I edit part of the IPv6 address out since I suspect it to my my network MAC or something? (since googling within "" didn't return any hits).
These started a couple of days ago (I have no clue what triggered that) and are literally flooding my logs).
 -
Rule for VLAN40 is doing its thing on VLAN50 (?)
 -
Attached also the firewall rules for that VLAN50; I don't see any 'VLAN40' in here, so no clue why the previous weird picture.
 -
WAN2 (cable) blocked a private IP, but the destination is weird?
 -
Bootpc is bogon?
 -
NTP goes DNS.
 -
And the VLAN40 rules for the previous picture.
 -
Interfaces/WAN (VDSL).
 -
Interfaces/WAN2 (cable)
