Firewall all kinds of weird and spontaneous blocks on LAN
-
G'afternoon ;D
Having freshly upgraded to 2.1, my beloved Pfsense is driving me crazy. There are all kinds of spontaneous blocks occurring in LAN. I have created some screenshots. Pfsense is at 192.168.2.1, I am at 192.168.2.12.
I have also added a screenshot of my LAN rules. As you may see, most of these rules are attempts to get rid of all the broadcast crap that clutters up my logs. Aside from that, there are some rules to prevent my Synology anywhere but to my usenet provider, and to prevent my HTPC from going anywhere I don't want it to go. I thought nothing unusual here.
The rule at the top, to allow 2.12 access to 2.1 is one I just added because I got tired of my Pfsense appearing to hang when I was in the GUI, which forced me to ssh into it to restart the web configurator (option 11).
I also have Snort on WAN and LAN, but the Snort logs don't show anything at all for LAN, so I'm not sure here. Finally, both this 2.12 being blocked to 2.1 as well as the crap in the logs seems to be dependent on the weather ( ;D); so it does it for 4 hours, and so it doesn't do it for two hours.
Would anybody happen to know what it going on here?
Thank you very much for your help ;D
-
Why did you use 192.168.2.0?
Just curious.
I'm not sure why the webgui would hang but the anti-lockout rule at the top would cover that so it shouldn't matter if you have that line allowing your workstation address to the pfsense box.
-
Why did you use 192.168.2.0?
Just curious.
I'm not sure why the webgui would hang but the anti-lockout rule at the top would cover that so it shouldn't matter if you have that line allowing your workstation address to the pfsense box.
Thank you for your reply ;D
I have no clue ???
I thought this was something with how you take care of a subnet, but to be honest: I don't know the difference (if any) between 192.168.2.0 and 192.168.2.1 (I'm not the brightest in these matters :P).
-
Most of those rule are gibberish.. 192.168.2.1 to lan net for example.. 127.0.0.1 to the lan net
Lan net to 127.0.0.1?? How would pfsense see traffic coming into its lan port from the network to 127.0.0.1 – 127.0.0.1 is loopback that every machine has, packets should never get put on the wire.
How about you change your rules back to DEFAULT which is any any from the lan net.. and then post up these log entries to we can take a look see to what might be causing them..
Dest=255.255.255.255 dPort=67
is a dhcpdiscover packet - so why would that be blocked in firewall There are hidden rules that should allow that traffic anyway.
-
@Hollander:
I have also added a screenshot of my LAN rules. As you may see, most of these rules are attempts to get rid of all the broadcast crap that clutters up my logs. Aside from that, there are some rules to prevent my Synology anywhere but to my usenet provider, and to prevent my HTPC from going anywhere I don't want it to go. I thought nothing unusual here.
Once you get rid of all those rules, you can stop the logging of that "crap" by going to System Log Settings and disabling the options in "Log Firewall Default Blocks"
-
@Hollander:
I have also added a screenshot of my LAN rules. As you may see, most of these rules are attempts to get rid of all the broadcast crap that clutters up my logs. Aside from that, there are some rules to prevent my Synology anywhere but to my usenet provider, and to prevent my HTPC from going anywhere I don't want it to go. I thought nothing unusual here.
Once you get rid of all those rules, you can stop the logging of that "crap" by going to System Log Settings and disabling the options in "Log Firewall Default Blocks"
Thank you for your reply ;D
(And sorry if 'crap' offended you :-[).
It was my understanding that if I disable logging the default rule, that I then actually won't see any blocks at all except for custom WAN-rules (which I hardly have, except for 1 pfBlocker rule that I can't seem to get to work). And if that would be the case, I would be wondering if everything was working correctly since I don't see anything being blocked on WAN.
So, I think from a trainee-home-sysadmin who gets food from WIFE (IF wife happy THEN trainee food) in return for making sure everything works, I would like to see blocks coming in on WAN, and not have the [s]crap not very meaningful information showing up on LAN ( ;D).
-
Dude there is nothing but NOISE on the public NET.. if your pfsense is directly connected to it your wan blocks will be very busy.. Is pfsense behind a NAT? Then yeah your wan blocks will be very quiet.. See here is example of wan noise..
If your not seeing wan blocks I have to assume you are behind a nat already hiding the noise??
Why don't you change your rules back to default, and then show us some examples of what your seeing both wan and lan and we can go over what your seeing and if you want it to be logged or why its logged or how to not log it, etc. etc..
-
Most of those rule are gibberish.. 192.168.2.1 to lan net for example.. 127.0.0.1 to the lan net
Lan net to 127.0.0.1?? How would pfsense see traffic coming into its lan port from the network to 127.0.0.1 – 127.0.0.1 is loopback that every machine has, packets should never get put on the wire.
How about you change your rules back to DEFAULT which is any any from the lan net.. and then post up these log entries to we can take a look see to what might be causing them..
Dest=255.255.255.255 dPort=67
is a dhcpdiscover packet - so why would that be blocked in firewall There are hidden rules that should allow that traffic anyway.
Thanks John, I overlooked your reply yesterday :-[
And yes, you are very right: these rules probably are complete gibberish. But they arrived there because for some reason or the other, they helped me stop the 'not very informative information' (trying to prevent the word [s]crap;D). Its bits and pieces I managed to take up from reading many other posts on this fine forum, where other users did this to get rid of it.
You are right, I will disable all these rules so I can show here what ends up. I'll reply to your other post below also for one point.
Thank you for your help ;D
-
Dude there is nothing but NOISE on the public NET.. if your pfsense is directly connected to it your wan blocks will be very busy.. Is pfsense behind a NAT? Then yeah your wan blocks will be very quiet.. See here is example of wan noise..
If your not seeing wan blocks I have to assume you are behind a nat already hiding the noise??
Why don't you change your rules back to default, and then show us some examples of what your seeing both wan and lan and we can go over what your seeing and if you want it to be logged or why its logged or how to not log it, etc. etc..
It might be noise, John (it probably is), but my point is: if I don't see anything being blocked, how can I be sure something is blocked in the first place. Trust is good, but verification is better ;D
pfSense is doing the NAT as far as I know, it connects directly to my ISP using PPPoE dial up.
-
To the question of why he used 192.168.2.0/24 instead of 192.168.1.0/24… I say if it was a mistake, then it was a GOOD mistake.
Too many people use that address space and in general it is a good idea to stay away from it.
-
Why don't you change your rules back to default, and then show us some examples of what your seeing both wan and lan and we can go over what your seeing and if you want it to be logged or why its logged or how to not log it, etc. etc..
Well, it was relatively quite for a while, but I am getting depressed once again :'(
I've taken your recommendation some time ago and disabled all rules so I had only the defaults. From there on, once I got all these 'noise-messages' you don't want to see I added them one by one to the firewall, so we can see what is happening. I consolidated some of them into an alias to keep the overview. Currently, also, since a couple of days, my logs are literally flooded with Ipv6-messages, no clue why; it just suddenly started. Also, when you click on the red 'x' in the firewall log to see which rule it was, I think there are some bugs, as LAN-traffic according to the information from the red cross is blocked by a rule for VLAN40( :o).
I will post screenshots, and I will be in your debt once again if you could help me get rid of this, because not only is my log looking like a mess, so is my firewall rules screen.
Also, in the screen of the firewall, to my more than strange surprise, if I try to allow any * any * you will still see I had to add a any [port] any [port] rule to try to silence it. And then still sometimes it doesn't work :'(
I am going to add screenshots now.
-
IPv6 blocks on LAN (I edit part of the IPv6 address out since I suspect it to my my network MAC or something? (since googling within "" didn't return any hits).
These started a couple of days ago (I have no clue what triggered that) and are literally flooding my logs).
 -
Rule for VLAN40 is doing its thing on VLAN50 (?)
 -
Attached also the firewall rules for that VLAN50; I don't see any 'VLAN40' in here, so no clue why the previous weird picture.
 -
WAN2 (cable) blocked a private IP, but the destination is weird?
 -
Bootpc is bogon?
 -
NTP goes DNS.
 -
And the VLAN40 rules for the previous picture.
 -
Interfaces/WAN (VDSL).
 -
Interfaces/WAN2 (cable)
 -
Interfaces/LAN.
 -
Interfaces/VLAN40.
 -
Advanced/networking.
 -
System log settings.
 -
And, finally, the LAN rules in two parts (note the number of 'easy rules passed from firewall log view'. And even then they still aren't working, as the log is still flooded with IPv6 as shown in the first picture):
 -
LAN rules part 2:
 -
And finally, the multicast-alias in the LAN rules:
 -
So I will be feeling hugely indebted to everybody who can help me solve this, that goes without saying :P
(because it is driving me crazy, this flooding of logs which I am trying to fight with the firewall rules every day :-[).
Thank you in advance very much (really :-*),
Bye ;D
-
EDIT: I forgot one screenshot from the general system log. Errors 'finding Ipv6 gateway' (?) on both WAN and WAN2 (=opt4).
I should also add that I added this WAN2 a couple of days ago (I don't know exactly when anymore), and I also don't know if that is when the IPv6-flooding in the logs and the error in the attached picture began :-\
 -
Cry. WIFE is angry with me now :-[
This is happening as I was busy with my failover WAN:
 -
And this, floods of it:
 -
Everyone of those seems to me blocked because of states out of sync you notice the tcp flags on the proto
TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR
https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
This is going to happen when you have something get out of wack where pfsense states do not list these connections and then sees traffic. Can happen when you clear states or reboot pfsense. Can happen if you have devices that are in and out of the network, say wireless devices for example. I mostly see these in my logs from my sons phone. This sort of thing is common and will happen with any stateful firewall.
-
Everyone of those seems to me blocked because of states out of sync you notice the tcp flags on the proto
TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR
https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
This is going to happen when you have something get out of wack where pfsense states do not list these connections and then sees traffic. Can happen when you clear states or reboot pfsense. Can happen if you have devices that are in and out of the network, say wireless devices for example. I mostly see these in my logs from my sons phone. This sort of thing is common and will happen with any stateful firewall.
Thanks for your fast reply, John ;D
(I can't hit the 'thanks' button more than once in a thread and I apparently already did).
I will read the link you posted. But I think it doesn't cover everything. For example, the extreme IPv6-flooding, the 127.0.0.1 stuff that keeps coming up (this last one, might this be a squid-problem?), all that 'broadcasting' (224.x.x.x etc stuff)? Would you know how to get rid of that?
Thank you for your help, John: it is appreciated very much ;D
-
Like this :'( :'( :'(
 -
those from 127.0.0.1:3128 – I would assume squid from the port. Yeah its out of state with a both those you showing being FA and RA.. So yeah the state table could explain those.
as to 224 which would be multicast.. Don't see any of those in your past example. What interface are you seeing those on. Those would be easy enough to weed out with a rule.. Be it you want them or don't want to see them but block, etc. Not sure if pfsense creates any behind the curtain multicast rules like it does for dhcp, etc.
-
Your no showing the full states on those - post them from the full view of the log. If you having a issue with states then need to trouble shoot why.
And don't see any multicast in there either.
-
those from 127.0.0.1:3128 – I would assume squid from the port. Yeah its out of state with a both those you showing being FA and RA.. So yeah the state table could explain those.
as to 224 which would be multicast.. Don't see any of those in your past example. What interface are you seeing those on. Those would be easy enough to weed out with a rule.. Be it you want them or don't want to see them but block, etc. Not sure if pfsense creates any behind the curtain multicast rules like it does for dhcp, etc.
Thanks John ;D
No, you don't see them in the example as I followed your instruction of a couple of months ago and started anew. So the Alias in the pic comes from all the entries I added from the Easy Firewall Add, and consolidated into an alias since that was a mess after some time. They are on LAN, as I added the consolidated alias there.
As to the bold: could I ask what you mean exactly? How could I fix these?
Thank you :P
-
Your no showing the full states on those - post them from the full view of the log. If you having a issue with states then need to trouble shoot why.
And don't see any multicast in there either.
Thanks John ;D
The multicast was the previous alias-story. The attached picture contains the full states.
Thank you :D
 -
So as you see those are all like FA or RA.. So per the link that explains why that can happen those.. You have a situation where there is no state showing a connection. So when you get a packet that is not syn and no active state the firewall will block.
Now if your seeing a lot of it, then you might want to look into why. Are you clearing states on a schedule or something. Seems odd that squid would be trying to answer a client but the state is gone?
I see wan2 in there - so you have multiple wans, is it possible you have asynchronous routing going on where traffic goes out one connection, and answer come in other connection?
-
So as you see those are all like FA or RA.. So per the link that explains why that can happen those.. You have a situation where there is no state showing a connection. So when you get a packet that is not syn and no active state the firewall will block.
Now if your seeing a lot of it, then you might want to look into why. Are you clearing states on a schedule or something. Seems odd that squid would be trying to answer a client but the state is gone?
I see wan2 in there - so you have multiple wans, is it possible you have asynchronous routing going on where traffic goes out one connection, and answer come in other connection?
Thank you once again very much, John ;D
No, I am not clearing states on a schedule. At least, I didn't customize that somewhere. Of course, I am not sure about what pfSense does by itself, since it starts to become more and more a mystery as to what is happening suddenly, and why, given all the weird things I screenshot in the above.
As to the states, I tried this:
https://knowledge.zomers.eu/pfsense/Pages/How-to-solve-connectivity-issues-with-dropped-RA-and-PA-packets.aspx
I'll report back if this solves something.
As to WAN2: yes I have it since a couple of days (cable). But it is currently fall back only. No load balancing. Since I only have it recently I am monitoring it everyday, and no fall back has occurred yet, so no traffic out on 1 interface and in on the other.
Currently I am thinking of selling myself and buying a new myself ( ;D) since I am getting insane about this IPv6-crap.
This is what my log looks like the whole day (screenshot). Thousands and thousands of lines like that.
I tried this:
https://knowledge.zomers.eu/pfsense/Pages/Prevent-IPv6-multicasts-from-flooding-the-pfSense-logs.aspx(He has an error in the first screen shot because he has TCP, which I think should be UDP).
He has that rule floating and pass: didn't work.
I also did LAN and block: didn't work.
I disabled allow Ipv6 in advanced settings. The log keeps on being flooded, but now the rule number is 3 instead of the 51, which makes sense given the disable allow Ipv6.
But in the screenshot you can see it says 'block bogon on LAN'. I think that bogon list is wrong or something. I know I can disable logging 'block bogon' in SystemLog/settings, but I don't want to as I want to see if things get blocked to see what is working. But what it now blocks is not bogon, it is broadcast.
I am really getting depressed about this crap in the logs; the logs are useless this way :'(
