Netgate Discussion Forum

Snort WAN Interface generates multicast traffic.

pfSense Packages
Crimson11

      Hi all,

      I have a newbie question.
      I upgraded to 2.9.5.5 pkg v.3.0.1
I am having a strange problem for which I am not able to find a solution on Google.

As soon as I enable the WAN interface (with/without rules (one rule)) it starts to generate multicast traffic every 20 seconds/12 entries and pfSense blocks the traffic.

      Dec 23 23:27:02 pf: 192.168.1.254.1900 > 239.255.255.250.1900: UDP, length 356
      Dec 23 23:27:02 pf: 00:00:00.029971 rule 48/0(match): block in on em0: (tos 0xa0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 384)

      192.168.1.254 is the wan gateway.
Although 239.255.255.250.1900 is associated with SSDP/UPnP/Windows etc.,
the source is not that, because even if I turn off the whole system, including the switch, the pfSense logs keep showing the same entries with time stamps from when the systems were off.
None of the systems have UPnP enabled.

Any idea what may be the cause?

      Thank you.

jimp (Rebel Alliance Developer, Netgate)

When you run Snort the interface is placed into promiscuous mode, so it will receive and process more traffic than it would have seen otherwise. Without promiscuous mode, it will only process traffic destined for your NIC's MAC or broadcast and such.

        That should have shown up even without promiscuous mode though because 239.255.255.250 is a multicast address. Your upstream gateway is announcing itself to the rest of the segment. Perhaps the gateway is broken and it isn't actually sending it to a proper multicast MAC.

        If it bothers you, you can disable logging for the block private networks rule (in the system logs settings) or if you don't have that enabled, make your own WAN rule to block the traffic without logging it.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

Crimson11

Thank you for the answer.
It is exactly what I thought, that it is related to promiscuous mode, as I also read somewhere else that Snort has to listen to other traffic as well, so it is normal. But I needed to be sure. :)

What do you mean by "maybe the gateway is broken"?
It seems to be online with 0% loss.

          Thanks again.

jimp (Rebel Alliance Developer, Netgate)

            Not broken in the sense that it is down/won't pass traffic. Broken in the way it's sending that multicast traffic. It should be received by all ports in the segment if they address the multicast traffic properly. It's not a big deal though since you don't need to use that anyhow. It may be fine anyhow since perhaps your system would need to join the right multicast group to see it. Probably my brain shutting down for the holiday to blame there.

Crimson11
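To illustrate the two points jimp makes above (Snort's promiscuous mode versus the NIC's normal receive filter, and a multicast IP having to be addressed to a "proper multicast MAC"), here is a small added example, not code from the thread or from pfSense/Snort. It maps an IPv4 group such as 239.255.255.250 to its RFC 1112 Ethernet MAC and models a simplified NIC receive filter; the WAN MAC is a constructed value, and real NICs and switches (IGMP snooping, hardware multicast hash filters) may behave differently.

```python
import ipaddress

def ipv4_multicast_mac(group: str) -> str:
    """RFC 1112 mapping: low 23 bits of the group go into 01:00:5e:00:00:00."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (
        (low23 >> 16) & 0x7F, (low23 >> 8) & 0xFF, low23 & 0xFF)

def nic_accepts_frame(dst_mac, nic_mac, joined_groups, promiscuous):
    """Simplified NIC receive filter. Returns (accepted, reason).

    Promiscuous mode (what Snort enables) passes every frame up the stack.
    Otherwise only frames to the NIC's own unicast MAC, the broadcast MAC,
    or the multicast MAC of a group the host has joined are delivered.
    """
    dst = dst_mac.lower()
    if promiscuous:
        return True, "promiscuous mode: all frames delivered"
    if dst == nic_mac.lower():
        return True, "own unicast MAC"
    if dst == "ff:ff:ff:ff:ff:ff":
        return True, "broadcast"
    if dst in {ipv4_multicast_mac(g) for g in joined_groups}:
        return True, "joined multicast group"
    return False, "filtered by NIC"

# Constructed scenario matching the thread: the gateway's SSDP announcement
# to 239.255.255.250 arriving on the pfSense WAN NIC (MAC is made up).
WAN_NIC_MAC = "00:11:22:33:44:55"   # constructed, not from the thread
SSDP_GROUP = "239.255.255.250"

def ssdp_visible(promiscuous, joined_groups=()):
    """Would the WAN NIC hand a correctly addressed SSDP frame to the OS?"""
    dst = ipv4_multicast_mac(SSDP_GROUP)
    return nic_accepts_frame(dst, WAN_NIC_MAC, joined_groups, promiscuous)

if __name__ == "__main__":
    print("SSDP group MAC:", ipv4_multicast_mac(SSDP_GROUP))
    print("Snort off, group not joined:", ssdp_visible(False))
    print("Snort on (promiscuous):      ", ssdp_visible(True))
    print("Snort off, group joined:     ", ssdp_visible(False, [SSDP_GROUP]))
```

The third case is the one jimp's last reply lands on: a frame to 01:00:5e:7f:ff:fa is delivered without promiscuous mode only if the host has joined the group, so seeing it appear solely when Snort runs does not by itself prove the gateway is misaddressing it.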

              :)
              Thanks a lot again.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.