New SG-2440 "randomly?" blocking LAN traffic
-
Need help troubleshooting a LAN issue with my new SG-2440. Worked fine for 3 or so days, then started acting up yesterday.
The router has now seemingly started randomly blocking traffic from the LAN.
First noticed on port 25, also 80/443. Can access a website, then another access times out. When examining the logs, it mostly shows blocks, with some passes. telnet smtp.xxx.com 25 engages mailserver maybe 10% of time.
Only lan rule active for debugging:
IPv4 * LAN net * * * * none Default LAN -> any default rule
Upstream all checks out from ISP and when used outside the router.
Re-powered the router
Router is tepid to touch, not overly warm. Is sitting on shelf by itself, not stacked.
Load is nil
Peter
-
NAT, no NAT? Any kind of limits in play? Kind of hard to say anything based on the information.
-
NAT in, but that is not the issue here.
Issue is that smtp port 25, http and https get blocked out from LAN some of the time, but not all the time.
Telnetting to WAN mail server on port 25 works some of the time, but is mostly blocked.
Can't figure rhyme nor reason for the actions.
LAN is completely open. Even tried disabling all packet filtering. No difference.
Solution eludes me.
-
Solution:
- factory default
- reinstall previous config from 4 days ago
- reconfigured to match system prior to implosion
- save working config
Now if I could get back my time. I have no idea what actually went sideways. All the configuration and packages are as before
-
Seems odd, what packages were/are you running?
Steve
-
Snort
OpenVPN Client Export Utility
Service Watchdog (actually this was an experiment, and has been uninstalled)
Let me know if you would like other info to help debug.
-
Traffic getting "randomly" blocked and you're running Snort, a package that is insanely paranoid and loves to block traffic because it looked funny. Did you look to see what was causing the blocks?
-
Yep, Snort would be my first suspect here too.
Steve
-
When debugging, one of the first things I did was to turn off Snort. Didn't help the issue of random LAN blocks.
If Snort is on the WAN, how would it have affected the LAN? Snort is currently enabled, with no LAN blocking issues.
Also the first place I noticed the problem was on SMTP port 25 on LAN going to the same ip each time.
Not saying it is not Snort, just don't understand how the interactions of Snort on the WAN and pfSense would produce the issue I was experiencing.
One thing I did notice was that RAM usage was consistently around ~88%, which led me to think it was a Snort issue in the first place.
Peter
-
Yes, leave Snort off for now. When you say "blocked", are you seeing blocks being logged or are you just saying it doesn't work anymore?
-
With Snort, take a look at the "Blocked Tab" and clear the Blocked Host entries. Just because Snort is disabled, doesn't mean that the pf table 'Snort2c' is empty. So any entry in there will be blocked. The clearing of this snort2c table is managed by the Snort Cron setting to clear out the blocked hosts at a pre-configured interval.
It's always best to run Snort/Suricata in Non-Blocking mode until you work through the settings and get the Rules configured for your environment, then you can enable Blocking mode. Don't expect to just turn on an IDS and walk away from it… It takes a few weeks of monitoring the Alerts to deal with False Positives.
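The check described in the post above, as an added example that is not part of anyone's reply in this thread: it looks for the destination you keep failing to reach (the mail server, the web host) in pf's `snort2c` table, since pf applies that table to traffic on every interface, which is why a block triggered on the WAN side stops a LAN host from reaching the same address even after Snort itself is switched off. The `pfctl -t snort2c -T show` and `pfctl -t snort2c -T flush` commands are real pf commands; the table contents and the IP addresses below are constructed sample data so the script runs off the firewall as well.

```shell
#!/bin/sh
# Added example (not from the thread): is a "randomly" failing destination
# sitting in pf's snort2c table? Entries there are dropped by pf regardless
# of whether Snort is currently running.

# Constructed sample of `pfctl -t snort2c -T show` output, used as a fallback
# when pfctl is not available (i.e. when run somewhere other than pfSense).
SAMPLE_TABLE="   203.0.113.25
   198.51.100.7
   192.0.2.10"

# Print the live snort2c table if pfctl exists, else the constructed sample.
snort2c_table() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t snort2c -T show 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_TABLE"
    fi
}

# is_in_table TABLE_TEXT IP -> exit 0 if IP is listed, 1 otherwise.
# Compares whole fields so 192.0.2.1 does not match 192.0.2.10.
is_in_table() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }'
}

# check_hosts IP... -> one line per host saying whether pf will drop it.
check_hosts() {
    table=$(snort2c_table)
    for ip in "$@"; do
        if is_in_table "$table" "$ip"; then
            echo "$ip: present in snort2c (pf drops traffic to/from it)"
        else
            echo "$ip: not in snort2c"
        fi
    done
}

# Example run with constructed addresses: the first is in the sample table,
# the second is not. On a real pfSense box substitute the mail/web server IPs
# that time out from the LAN; to clear a stale entry run:
#   pfctl -t snort2c -T delete <ip>   (one host)
#   pfctl -t snort2c -T flush         (whole table, same as the Snort cron job)
check_hosts 203.0.113.25 192.0.2.99
```

Run it on the firewall shell while the problem is happening: if the unreachable host shows up in the table, the timeouts are the block list, not the LAN rules, and the Snort "Blocked" tab (or the flush above) is where to clear it.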
-
Thanks for the pointers about Snort.
Blocks and passes were observed in logs. Once I noticed the issue, I logged all LAN traffic.
Still not understanding how my LAN traffic would be affected by Snort on the WAN?
Please note that the router is now operating correctly through a reinstall and configuration from previous saved configuration including Snort. Therefore I cannot repeat/test. Heavy handed yes, but I needed to get onto real work, not debugging a firewall and not replying to emails, etc. for days.
Peter