Firewall all kinds of weird and spontaneous blocks on LAN
-
Bootpc is bogon?
 -
NTP goes DNS.
 -
And the VLAN40 rules for the previous picture.
 -
Interfaces/WAN (VDSL).
 -
Interfaces/WAN2 (cable)
 -
Interfaces/LAN.
 -
Interfaces/VLAN40.
 -
Advanced/networking.
 -
System log settings.
 -
And, finally, the LAN rules in two parts (note the number of 'easy rules passed from firewall log view'. And even then they still aren't working, as the log is still flooded with IPv6 as shown in the first picture):
 -
LAN rules part 2:
 -
And finally, the multicast-alias in the LAN rules:
 -
So I will be feeling hugely indebted to everybody who can help me solve this, that goes without saying :P
(because it is driving me crazy, this flooding of logs which I am trying to fight with the firewall rules every day :-[).
Thank you in advance very much (really :-*),
Bye ;D
-
EDIT: I forgot one screenshot from the general system log. Errors 'finding Ipv6 gateway' (?) on both WAN and WAN2 (=opt4).
I should also add that I added this WAN2 a couple of days ago (I don't know exactly when anymore), and I also don't know if that is when the IPv6-flooding in the logs and the error in the attached picture began :-\
 -
Cry. WIFE is angry with me now :-[
This is happening as I was busy with my failover WAN:
 -
And this, floods of it:
 -
Everyone of those seems to me blocked because of states out of sync you notice the tcp flags on the proto
TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR
https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
This is going to happen when you have something get out of wack where pfsense states do not list these connections and then sees traffic. Can happen when you clear states or reboot pfsense. Can happen if you have devices that are in and out of the network, say wireless devices for example. I mostly see these in my logs from my sons phone. This sort of thing is common and will happen with any stateful firewall.
-
Everyone of those seems to me blocked because of states out of sync you notice the tcp flags on the proto
TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR
https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
This is going to happen when you have something get out of wack where pfsense states do not list these connections and then sees traffic. Can happen when you clear states or reboot pfsense. Can happen if you have devices that are in and out of the network, say wireless devices for example. I mostly see these in my logs from my sons phone. This sort of thing is common and will happen with any stateful firewall.
Thanks for your fast reply, John ;D
(I can't hit the 'thanks' button more than once in a thread and I apparently already did).
I will read the link you posted. But I think it doesn't cover everything. For example, the extreme IPv6-flooding, the 127.0.0.1 stuff that keeps coming up (this last one, might this be a squid-problem?), all that 'broadcasting' (224.x.x.x etc stuff)? Would you know how to get rid of that?
Thank you for your help, John: it is appreciated very much ;D
-
Like this :'( :'( :'(
 -
those from 127.0.0.1:3128 – I would assume squid from the port. Yeah its out of state with a both those you showing being FA and RA.. So yeah the state table could explain those.
as to 224 which would be multicast.. Don't see any of those in your past example. What interface are you seeing those on. Those would be easy enough to weed out with a rule.. Be it you want them or don't want to see them but block, etc. Not sure if pfsense creates any behind the curtain multicast rules like it does for dhcp, etc.
-
Your no showing the full states on those - post them from the full view of the log. If you having a issue with states then need to trouble shoot why.
And don't see any multicast in there either.
-
those from 127.0.0.1:3128 – I would assume squid from the port. Yeah its out of state with a both those you showing being FA and RA.. So yeah the state table could explain those.
as to 224 which would be multicast.. Don't see any of those in your past example. What interface are you seeing those on. Those would be easy enough to weed out with a rule.. Be it you want them or don't want to see them but block, etc. Not sure if pfsense creates any behind the curtain multicast rules like it does for dhcp, etc.
Thanks John ;D
No, you don't see them in the example as I followed your instruction of a couple of months ago and started anew. So the Alias in the pic comes from all the entries I added from the Easy Firewall Add, and consolidated into an alias since that was a mess after some time. They are on LAN, as I added the consolidated alias there.
As to the bold: could I ask what you mean exactly? How could I fix these?
Thank you :P
-
Your no showing the full states on those - post them from the full view of the log. If you having a issue with states then need to trouble shoot why.
And don't see any multicast in there either.
Thanks John ;D
The multicast was the previous alias-story. The attached picture contains the full states.
Thank you :D
 -
So as you see those are all like FA or RA.. So per the link that explains why that can happen those.. You have a situation where there is no state showing a connection. So when you get a packet that is not syn and no active state the firewall will block.
Now if your seeing a lot of it, then you might want to look into why. Are you clearing states on a schedule or something. Seems odd that squid would be trying to answer a client but the state is gone?
I see wan2 in there - so you have multiple wans, is it possible you have asynchronous routing going on where traffic goes out one connection, and answer come in other connection?
-
So as you see those are all like FA or RA.. So per the link that explains why that can happen those.. You have a situation where there is no state showing a connection. So when you get a packet that is not syn and no active state the firewall will block.
Now if your seeing a lot of it, then you might want to look into why. Are you clearing states on a schedule or something. Seems odd that squid would be trying to answer a client but the state is gone?
I see wan2 in there - so you have multiple wans, is it possible you have asynchronous routing going on where traffic goes out one connection, and answer come in other connection?
Thank you once again very much, John ;D
No, I am not clearing states on a schedule. At least, I didn't customize that somewhere. Of course, I am not sure about what pfSense does by itself, since it starts to become more and more a mystery as to what is happening suddenly, and why, given all the weird things I screenshot in the above.
As to the states, I tried this:
https://knowledge.zomers.eu/pfsense/Pages/How-to-solve-connectivity-issues-with-dropped-RA-and-PA-packets.aspx
I'll report back if this solves something.
As to WAN2: yes I have it since a couple of days (cable). But it is currently fall back only. No load balancing. Since I only have it recently I am monitoring it everyday, and no fall back has occurred yet, so no traffic out on 1 interface and in on the other.
Currently I am thinking of selling myself and buying a new myself ( ;D) since I am getting insane about this IPv6-crap.
This is what my log looks like the whole day (screenshot). Thousands and thousands of lines like that.
I tried this:
https://knowledge.zomers.eu/pfsense/Pages/Prevent-IPv6-multicasts-from-flooding-the-pfSense-logs.aspx(He has an error in the first screen shot because he has TCP, which I think should be UDP).
He has that rule floating and pass: didn't work.
I also did LAN and block: didn't work.
I disabled allow Ipv6 in advanced settings. The log keeps on being flooded, but now the rule number is 3 instead of the 51, which makes sense given the disable allow Ipv6.
But in the screenshot you can see it says 'block bogon on LAN'. I think that bogon list is wrong or something. I know I can disable logging 'block bogon' in SystemLog/settings, but I don't want to as I want to see if things get blocked to see what is working. But what it now blocks is not bogon, it is broadcast.
I am really getting depressed about this crap in the logs; the logs are useless this way :'(
 -
As I recently added my second WAN (cable, for fail over) and this IPv6-crap also started recently again (it was there for a while in the past, then it was gone for a long time, now it thus is back again), I thought 'perhaps it has, for some strange reason, something to do with the cable modem (even 'though the IPv6-crap is on LAN, not on WAN2). So I unplugged the cable: nothing, the flood remains. I rebooted pfSense, hoping that would solve something. Nope :-[
I'm really lost.
-
Just in case anybody is following this; it appears I am not the only one who's having problems with IPv6 flooding the logs. I found this:
https://forum.pfsense.org/index.php/topic,64980.msg353733.html
But nobody responded to that anymore :-[
