Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Firewall all kinds of weird and spontaneous blocks on LAN

    Firewalling
    5
    42
    5831
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      Mr. Jingles last edited by

      Bootpc is bogon?

      ![004 - Bootpc is bogon.jpg](/public/imported_attachments/1/004 - Bootpc is bogon.jpg)
      ![004 - Bootpc is bogon.jpg_thumb](/public/imported_attachments/1/004 - Bootpc is bogon.jpg_thumb)

      1 Reply Last reply Reply Quote 0
      • M
        Mr. Jingles last edited by

        NTP goes DNS.

        ![006 - NTP goes DNS.jpg](/public/imported_attachments/1/006 - NTP goes DNS.jpg)
        ![006 - NTP goes DNS.jpg_thumb](/public/imported_attachments/1/006 - NTP goes DNS.jpg_thumb)

        1 Reply Last reply Reply Quote 0
        • M
          Mr. Jingles last edited by

          And the VLAN40 rules for the previous picture.

          ![008 - VLAN40.jpg](/public/imported_attachments/1/008 - VLAN40.jpg)
          ![008 - VLAN40.jpg_thumb](/public/imported_attachments/1/008 - VLAN40.jpg_thumb)

          1 Reply Last reply Reply Quote 0
          • M
            Mr. Jingles last edited by

            Interfaces/WAN (VDSL).

            ![009 - Interfaces_WAN.jpg](/public/imported_attachments/1/009 - Interfaces_WAN.jpg)
            ![009 - Interfaces_WAN.jpg_thumb](/public/imported_attachments/1/009 - Interfaces_WAN.jpg_thumb)

            1 Reply Last reply Reply Quote 0
            • M
              Mr. Jingles last edited by

              Interfaces/WAN2 (cable)

              ![010 - Interfaces_WAN2.jpg](/public/imported_attachments/1/010 - Interfaces_WAN2.jpg)
              ![010 - Interfaces_WAN2.jpg_thumb](/public/imported_attachments/1/010 - Interfaces_WAN2.jpg_thumb)

              1 Reply Last reply Reply Quote 0
              • M
                Mr. Jingles last edited by

                Interfaces/LAN.

                ![011 - Intefaces - LAN.jpg](/public/imported_attachments/1/011 - Intefaces - LAN.jpg)
                ![011 - Intefaces - LAN.jpg_thumb](/public/imported_attachments/1/011 - Intefaces - LAN.jpg_thumb)

                1 Reply Last reply Reply Quote 0
                • M
                  Mr. Jingles last edited by

                  Interfaces/VLAN40.

                  ![012 - Intefaces - VLAN40.jpg](/public/imported_attachments/1/012 - Intefaces - VLAN40.jpg)
                  ![012 - Intefaces - VLAN40.jpg_thumb](/public/imported_attachments/1/012 - Intefaces - VLAN40.jpg_thumb)

                  1 Reply Last reply Reply Quote 0
                  • M
                    Mr. Jingles last edited by

                    Advanced/networking.

                    ![013 - Advanced - Networking.jpg](/public/imported_attachments/1/013 - Advanced - Networking.jpg)
                    ![013 - Advanced - Networking.jpg_thumb](/public/imported_attachments/1/013 - Advanced - Networking.jpg_thumb)

                    1 Reply Last reply Reply Quote 0
                    • M
                      Mr. Jingles last edited by

                      System log settings.

                      ![014 - SystemLog - Settings.jpg](/public/imported_attachments/1/014 - SystemLog - Settings.jpg)
                      ![014 - SystemLog - Settings.jpg_thumb](/public/imported_attachments/1/014 - SystemLog - Settings.jpg_thumb)

                      1 Reply Last reply Reply Quote 0
                      • M
                        Mr. Jingles last edited by

                        And, finally, the LAN rules in two parts (note the number of 'easy rules passed from firewall log view'. And even then they still aren't working, as the log is still flooded with IPv6 as shown in the first picture):

                        ![007 - LAN-rules1.jpg](/public/imported_attachments/1/007 - LAN-rules1.jpg)
                        ![007 - LAN-rules1.jpg_thumb](/public/imported_attachments/1/007 - LAN-rules1.jpg_thumb)

                        1 Reply Last reply Reply Quote 0
                        • M
                          Mr. Jingles last edited by

                          LAN rules part 2:

                          ![007 - LAN-rules2.jpg](/public/imported_attachments/1/007 - LAN-rules2.jpg)
                          ![007 - LAN-rules2.jpg_thumb](/public/imported_attachments/1/007 - LAN-rules2.jpg_thumb)

                          1 Reply Last reply Reply Quote 0
                          • M
                            Mr. Jingles last edited by

                            And finally, the multicast-alias in the LAN rules:

                            ![015 - multicast alias.jpg](/public/imported_attachments/1/015 - multicast alias.jpg)
                            ![015 - multicast alias.jpg_thumb](/public/imported_attachments/1/015 - multicast alias.jpg_thumb)

                            1 Reply Last reply Reply Quote 0
                            • M
                              Mr. Jingles last edited by

                              So I will be feeling hugely indebted to everybody who can help me solve this, that goes without saying  :P

                              (because it is driving me crazy, this flooding of logs which I am trying to fight with the firewall rules every day  :-[).

                              Thank you in advance very much (really  :-*),

                              Bye  ;D

                              1 Reply Last reply Reply Quote 0
                              • M
                                Mr. Jingles last edited by

                                EDIT: I forgot one screenshot from the general system log. Errors 'finding Ipv6 gateway' (?) on both WAN and WAN2 (=opt4).

                                I should also add that I added this WAN2 a couple of days ago (I don't know exactly when anymore), and I also don't know if that is when the IPv6-flooding in the logs and the error in the attached picture began  :-\

                                ![016 - system log error.jpg](/public/imported_attachments/1/016 - system log error.jpg)
                                ![016 - system log error.jpg_thumb](/public/imported_attachments/1/016 - system log error.jpg_thumb)

                                1 Reply Last reply Reply Quote 0
                                • M
                                  Mr. Jingles last edited by

                                  Cry. WIFE is angry with me now  :-[

                                  This is happening as I was busy with my failover WAN:

                                  ![017 - WIFE complains.jpg](/public/imported_attachments/1/017 - WIFE complains.jpg)
                                  ![017 - WIFE complains.jpg_thumb](/public/imported_attachments/1/017 - WIFE complains.jpg_thumb)

                                  1 Reply Last reply Reply Quote 0
                                  • M
                                    Mr. Jingles last edited by

                                    And this, floods of it:

                                    ![018 - WIFE2.jpg](/public/imported_attachments/1/018 - WIFE2.jpg)
                                    ![018 - WIFE2.jpg_thumb](/public/imported_attachments/1/018 - WIFE2.jpg_thumb)

                                    1 Reply Last reply Reply Quote 0
                                    • johnpoz
                                      johnpoz LAYER 8 Global Moderator last edited by

                                      Everyone of those seems to me blocked because of states out of sync you notice the tcp flags on the proto

                                      TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR

                                      https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

                                      This is going to happen when you have something get out of wack where pfsense states do not list these connections and then sees traffic.  Can happen when you clear states or reboot pfsense.  Can happen if you have devices that are in and out of the network, say wireless devices for example.  I mostly see these in my logs from my sons phone.  This sort of thing is common and will happen with any stateful firewall.


                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        Mr. Jingles last edited by

                                        @johnpoz:

                                        Everyone of those seems to me blocked because of states out of sync you notice the tcp flags on the proto

                                        TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR

                                        https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

                                        This is going to happen when you have something get out of wack where pfsense states do not list these connections and then sees traffic.  Can happen when you clear states or reboot pfsense.  Can happen if you have devices that are in and out of the network, say wireless devices for example.  I mostly see these in my logs from my sons phone.  This sort of thing is common and will happen with any stateful firewall.

                                        Thanks for your fast reply, John  ;D

                                        (I can't hit the 'thanks' button more than once in a thread and I apparently already did).

                                        I will read the link you posted. But I think it doesn't cover everything. For example, the extreme IPv6-flooding, the 127.0.0.1 stuff that keeps coming up (this last one, might this be a squid-problem?), all that 'broadcasting' (224.x.x.x etc stuff)? Would you know how to get rid of that?

                                        Thank you for your help, John: it is appreciated very much  ;D

                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          Mr. Jingles last edited by

                                          Like this  :'( :'( :'(

                                          ![019 - nuts - buhuhu.jpg](/public/imported_attachments/1/019 - nuts - buhuhu.jpg)
                                          ![019 - nuts - buhuhu.jpg_thumb](/public/imported_attachments/1/019 - nuts - buhuhu.jpg_thumb)

                                          1 Reply Last reply Reply Quote 0
                                          • johnpoz
                                            johnpoz LAYER 8 Global Moderator last edited by

                                            those from 127.0.0.1:3128 – I would assume squid from the port.  Yeah its out of state with a both those you showing being FA and RA.. So yeah the state table could explain those.

                                            as to 224 which would be multicast..  Don't see any of those in your past example.  What interface are you seeing those on.  Those would be easy enough to weed out with a rule..  Be it you want them or don't want to see them but block, etc.  Not sure if pfsense creates any behind the curtain multicast rules like it does for dhcp, etc.

                                            1 Reply Last reply Reply Quote 0
                                            • johnpoz
                                              johnpoz LAYER 8 Global Moderator last edited by

                                              Your no showing the full states on those - post them from the full view of the log.  If you having a issue with states then need to trouble shoot why.

                                              And don't see any multicast in there either.

                                              1 Reply Last reply Reply Quote 0
                                              • M
                                                Mr. Jingles last edited by

                                                @johnpoz:

                                                those from 127.0.0.1:3128 – I would assume squid from the port.  Yeah its out of state with a both those you showing being FA and RA.. So yeah the state table could explain those.

                                                as to 224 which would be multicast..  Don't see any of those in your past example.  What interface are you seeing those on.  Those would be easy enough to weed out with a rule..  Be it you want them or don't want to see them but block, etc.  Not sure if pfsense creates any behind the curtain multicast rules like it does for dhcp, etc.

                                                Thanks John  ;D

                                                No, you don't see them in the example as I followed your instruction of a couple of months ago and started anew. So the Alias in the pic comes from all the entries I added from the Easy Firewall Add, and consolidated into an alias since that was a mess after some time. They are on LAN, as I added the consolidated alias there.

                                                As to the bold: could I ask what you mean exactly? How could I fix these?

                                                Thank you  :P

                                                1 Reply Last reply Reply Quote 0
                                                • M
                                                  Mr. Jingles last edited by

                                                  @johnpoz:

                                                  Your no showing the full states on those - post them from the full view of the log.  If you having a issue with states then need to trouble shoot why.

                                                  And don't see any multicast in there either.

                                                  Thanks John  ;D

                                                  The multicast was the previous alias-story. The attached picture contains the full states.

                                                  Thank you  :D

                                                  ![020 - full with states.jpg](/public/imported_attachments/1/020 - full with states.jpg)
                                                  ![020 - full with states.jpg_thumb](/public/imported_attachments/1/020 - full with states.jpg_thumb)

                                                  1 Reply Last reply Reply Quote 0
                                                  • johnpoz
                                                    johnpoz LAYER 8 Global Moderator last edited by

                                                    So as you see those are all like FA or RA.. So per the link that explains why that can happen those.. You have a situation where there is no state showing a connection.  So when you get a packet that is not syn and no active state the firewall will block.

                                                    Now if your seeing a lot of it, then you might want to look into why.  Are you clearing states on a schedule or something. Seems odd that squid would be trying to answer a client but the state is gone?

                                                    I see wan2 in there - so you have multiple wans, is it possible you have asynchronous routing going on where traffic goes out one connection, and answer come in other connection?

                                                    1 Reply Last reply Reply Quote 0
                                                    • M
                                                      Mr. Jingles last edited by

                                                      @johnpoz:

                                                      So as you see those are all like FA or RA.. So per the link that explains why that can happen those.. You have a situation where there is no state showing a connection.  So when you get a packet that is not syn and no active state the firewall will block.

                                                      Now if your seeing a lot of it, then you might want to look into why.  Are you clearing states on a schedule or something. Seems odd that squid would be trying to answer a client but the state is gone?

                                                      I see wan2 in there - so you have multiple wans, is it possible you have asynchronous routing going on where traffic goes out one connection, and answer come in other connection?

                                                      Thank you once again very much, John  ;D

                                                      No, I am not clearing states on a schedule. At least, I didn't customize that somewhere. Of course, I am not sure about what pfSense does by itself, since it starts to become more and more a mystery as to what is happening suddenly, and why, given all the weird things I screenshot in the above.

                                                      As to the states, I tried this:

                                                      https://knowledge.zomers.eu/pfsense/Pages/How-to-solve-connectivity-issues-with-dropped-RA-and-PA-packets.aspx

                                                      I'll report back if this solves something.

                                                      As to WAN2: yes I have it since a couple of days (cable). But it is currently fall back only. No load balancing. Since I only have it recently I am monitoring it everyday, and no fall back has occurred yet, so no traffic out on 1 interface and in on the other.

                                                      Currently I am thinking of selling myself and buying a new myself ( ;D) since I am getting insane about this IPv6-crap.

                                                      This is what my log looks like the whole day (screenshot). Thousands and thousands of lines like that.

                                                      I tried this:
                                                      https://knowledge.zomers.eu/pfsense/Pages/Prevent-IPv6-multicasts-from-flooding-the-pfSense-logs.aspx

                                                      (He has an error in the first screen shot because he has TCP, which I think should be UDP).

                                                      He has that rule floating and pass: didn't work.

                                                      I also did LAN and block: didn't work.

                                                      I disabled allow Ipv6 in advanced settings. The log keeps on being flooded, but now the rule number is 3 instead of the 51, which makes sense given the disable allow Ipv6.

                                                      But in the screenshot you can see it says 'block bogon on LAN'. I think that bogon list is wrong or something. I know I can disable logging 'block bogon' in SystemLog/settings, but I don't want to as I want to see if things get blocked to see what is working. But what it now blocks is not bogon, it is broadcast.

                                                      I am really getting depressed about this crap in the logs; the logs are useless this way  :'(

                                                      ![021 - st_pid_ipv6_crap.jpg](/public/imported_attachments/1/021 - st_pid_ipv6_crap.jpg)
                                                      ![021 - st_pid_ipv6_crap.jpg_thumb](/public/imported_attachments/1/021 - st_pid_ipv6_crap.jpg_thumb)

                                                      1 Reply Last reply Reply Quote 0
                                                      • M
                                                        Mr. Jingles last edited by

                                                        As I recently added my second WAN (cable, for fail over) and this IPv6-crap also started recently again (it was there for a while in the past, then it was gone for a long time, now it thus is back again), I thought 'perhaps it has, for some strange reason, something to do with the cable modem (even 'though the IPv6-crap is on LAN, not on WAN2). So I unplugged the cable: nothing, the flood remains. I rebooted pfSense, hoping that would solve something. Nope  :-[

                                                        I'm really lost.

                                                        1 Reply Last reply Reply Quote 0
                                                        • M
                                                          Mr. Jingles last edited by

                                                          Just in case anybody is following this; it appears I am not the only one who's having problems with IPv6 flooding the logs. I found this:

                                                          https://forum.pfsense.org/index.php/topic,64980.msg353733.html

                                                          But nobody responded to that anymore  :-[

                                                          1 Reply Last reply Reply Quote 0
                                                          • First post
                                                            Last post

                                                          Products

                                                          • Platform Overview
                                                          • TNSR
                                                          • pfSense Plus
                                                          • Appliances

                                                          Services

                                                          • Training
                                                          • Professional Services

                                                          Support

                                                          • Subscription Plans
                                                          • Contact Support
                                                          • Product Lifecycle
                                                          • Documentation

                                                          News

                                                          • Media Coverage
                                                          • Press
                                                          • Events

                                                          Resources

                                                          • Blog
                                                          • FAQ
                                                          • Find a Partner
                                                          • Resource Library
                                                          • Security Information

                                                          Company

                                                          • About Us
                                                          • Careers
                                                          • Partners
                                                          • Contact Us
                                                          • Legal
                                                          Our Mission

                                                          We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                                                          Subscribe to our Newsletter

                                                          Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                                                          © 2021 Rubicon Communications, LLC | Privacy Policy