Rule "Block private networks", Logging?



  • I have an Interface WAN_IPTV on the WAN side which has "block private networks" activated. In the firewall rules I can see a corresponding rule.

    My modem (Allnet All0333CJ) seems to send service discovery requests to my pfSense: I see blocked packets in the firewall log like this:

    Apr 27 11:08:53    WAN_IPTV    172.16.1.254:2048    239.255.255.250:1900

    172.16.1.254 is the address of the modem. My understanding is that because this is an address from an RFC1918 network, it gets blocked by the above rule.

    So far so good.

    However, I get 22 log entries every 4 minutes, which I would like to avoid. The above mentioned rule does not have logging enabled.

    So where do these log entries come from and how can I avoid these?

    -flo-



  • I guess it's blocked by the default rule (no user rule applicable) and you have activated logging of packets blocked by the default rule:
    Status: System logs: Settings: "Log packets blocked by the default rule"
    Look at this.

    It makes sense to activate "Filter descriptions" to be shown as a column in the firewall logs on the Log settings tab, so you can see the applied rule.

    As I want to see packets blocked by the default rule for the present, I have set up a floating rule to block these multicasts without logging and named it "bothersome multicasts".  ;D
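The triage the two posts above are doing by eye (count the repeated block entries, check whether the source is RFC1918, check whether the destination is multicast, so you know which group deserves its own non-logging block rule instead of being caught by the logged default rule) can be scripted. The following Python helper is an added example and is not code from the thread or from the pfSense project. It assumes only the four-column shape of the log line quoted above (timestamp, interface, src:port, dst:port); the interface names in WAN_IFACES and all sample lines are constructed for the example, and the 203.0.113.x / 198.51.100.x addresses are documentation addresses used as placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of firewall-log lines in the shape quoted in the thread
# (timestamp, interface, src:port, dst:port). The WAN_IPTV lines mirror the
# modem's SSDP discovery traffic; the WAN lines are made up for contrast.
SAMPLE_LOG = """\
Apr 27 11:08:53\tWAN_IPTV\t172.16.1.254:2048\t239.255.255.250:1900
Apr 27 11:08:53\tWAN_IPTV\t172.16.1.254:2048\t239.255.255.250:1900
Apr 27 11:12:53\tWAN_IPTV\t172.16.1.254:2048\t239.255.255.250:1900
Apr 27 11:12:54\tWAN\t203.0.113.7:44321\t198.51.100.10:443
Apr 27 11:12:55\tWAN\t10.0.0.5:5353\t224.0.0.251:5353
"""

# Interfaces on which a private source address is unexpected (assumed names).
WAN_IFACES = {"WAN", "WAN_IPTV"}

# RFC1918 ranges checked explicitly, because ipaddress's is_private also
# covers documentation ranges such as 203.0.113.0/24, which we do not want.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[0-9.]+):(?P<dport>\d+)$"
)


def is_rfc1918(addr):
    """True if the IPv4 address string lies in one of the RFC1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Return a dict for one log line in the expected shape, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "iface": m.group("iface"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def summarize(log_text):
    """Group block entries by (iface, src, dst, dport) and flag the groups
    whose source is RFC1918 on a WAN-side interface: these are the candidates
    for a dedicated block rule without logging."""
    groups = Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # not a block entry in the expected shape; skip it
        groups[(entry["iface"], entry["src"], entry["dst"], entry["dport"])] += 1

    candidates = []
    for (iface, src, dst, dport), count in groups.most_common():
        if iface in WAN_IFACES and is_rfc1918(src):
            candidates.append({
                "iface": iface, "src": src, "dst": dst, "dport": dport,
                "count": count,
                "multicast_dst": ipaddress.ip_address(dst).is_multicast,
            })
    return {"groups": dict(groups), "private_source_candidates": candidates}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for c in report["private_source_candidates"]:
        tag = "  (multicast)" if c["multicast_dst"] else ""
        print(f"{c['count']:>4}  {c['iface']:<9} {c['src']} -> {c['dst']}:{c['dport']}{tag}")
```

Feed it the firewall log export instead of SAMPLE_LOG and the top candidate is the group to compare against the rule shown in the "Filter descriptions" column: if that column names the default rule rather than the "Block private networks" rule, the traffic is not being matched by any user rule on that interface, which is exactly the situation the thread describes.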



  • Thank you viragoman! That works. I was not aware of the description column. I was always missing something like this.

    -flo-



  • Just for the archives: After a while these entries appeared in the firewall log again. Apparently the modem does not create this traffic as regularly as it appeared at first.

    So creating a floating firewall rule actually did not solve the problem. Why not?

    The reason is quite interesting: I have 2 VLANs on the WAN side: WAN (VLAN7) and WAN_IPTV (VLAN8). The traffic from the modem did not come with VLAN tags, however. This means that the traffic did not actually come in on one of the defined interfaces. pfSense blocked the traffic not because of the new rule but because of the default block rule. In the log it appeared as if the traffic came in on that interface.

    Whether or not this is a bug in pfSense is probably a matter of point of view. It surely is misleading.

    The solution was simple: I created an interface MODEM on the WAN NIC just to be able to create a floating firewall rule for it. That did the job.