Netgate Discussion Forum

    New SG-2440 "randomly?" blocking LAN traffic

    General pfSense Questions
    12 Posts 5 Posters 1.6k Views
      PSprague:

      Need help troubleshooting a LAN issue with my new SG-2440.  Worked fine for 3 or so days, then started acting up yesterday.

      The router has now seemingly started randomly blocking traffic from the LAN.

      First noticed on port 25, also 80/443.  Can access a website, then another access times out.  When examining the logs, it mostly shows blocks, with some passes.  telnet smtp.xxx.com 25 engages mailserver maybe 10% of time.

      Only lan rule active for debugging:
      IPv4 * LAN net * * * * none   Default LAN -> any default rule

      Upstream all checks out from the ISP and when used outside the router.
      Re-powered the router
      Router is tepid to touch, not overly warm.  Is sitting on shelf by itself, not stacked.
      Load is nil

      Peter

        mer:

        NAT, no NAT?  Any kind of limits in play?  Kind of hard to say anything based on the information.

          PSprague:

          NAT in, but that is not the issue here.

          Issue is that smtp port 25, http and https get blocked out from LAN some of the time, but not all the time.

          Telnetting to WAN mail server on port 25 works some of the time, but is mostly blocked.

          Can't figure rhyme or reason for the actions.

          LAN is completely open.  Even tried disabling all packet filtering.  No difference.

          Solution eludes me.

            PSprague:

            Solution:

            1. factory default
            2. reinstall previous config from 4 days ago
            3. reconfigured to match system prior to implosion
            4. save working config

            Now if I could get back my time.  I have no idea what actually went sideways.  All the configuration and packages are as before.

              stephenw10 (Netgate Administrator):

              Seems odd, what packages were/are you running?

              Steve

                PSprague:

                Snort
                OpenVPN Client Export Utility
                Service Watchdog (actually this was an experiment, and has been uninstalled)

                Let me know if you would like other info to help debug.

                  Harvy66:

                  Traffic getting "randomly" blocked and you're running Snort, a package that is insanely paranoid and loves to block traffic because it looked funny. Did you look to see what was causing the blocks?

                    stephenw10 (Netgate Administrator):

                    Yep, Snort would be my first suspect here too.

                    Steve

                      PSprague:

                      When debugging, one of the first things I did was to turn off Snort.  Didn't help the issue of random LAN blocks.

                      If Snort is on the WAN, how would it have affected the LAN?  Snort is currently enabled, with no LAN blocking issues.

                      Also the first place I noticed the problem was on SMTP port 25 on LAN going to the same ip each time.

                      Not saying it is not Snort, just don't understand how the interactions of Snort on the WAN and pfSense would produce the issue I was experiencing.

                      One thing I did notice was that RAM usage was consistently around ~88%, which led me to think it was a Snort issue in the first place.

                      Peter

                        Harvy66:

                        Yes, leave Snort off for now. When you say "blocked", are you seeing blocks being logged or are you just saying it doesn't work anymore?

                          BBcan177 (Moderator):

                          With Snort, take a look at the "Blocked Tab" and clear the Blocked Host entries. Just because Snort is disabled, doesn't mean that the pf table 'Snort2c' is empty. So any entry in there will be blocked. The clearing of this snort2c table is managed by the Snort Cron setting to clear out the blocked hosts at a pre-configured interval.

                          It's always best to run Snort/Suricata in Non-Blocking mode until you work through the settings and get the Rules configured for your environment, then you can enable Blocking mode. Don't expect to just turn on an IDS and walk away from it… It takes a few weeks of monitoring the Alerts to deal with False Positives.

                          "Experience is something you don't get until just after you need it."

                          Website: http://pfBlockerNG.com
                          Twitter: @BBcan177  #pfBlockerNG
                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                            PSprague:
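The two diagnostics this thread turns on are (a) the original post's observation that the LAN log showed mostly blocks with some passes to the same destinations, and (b) BBcan177's point that a disabled Snort can still block through whatever is left in the pf table `snort2c`. The script below is an added example (not code from this thread, from pfSense or from the Snort package) that summarises pass/block counts per destination from pfSense filter-log lines and cross-checks the blocked destinations against a table listing in the shape of `pfctl -t snort2c -T show` output. The filterlog field order it relies on is the author's reading of the pfSense filterlog format and is an assumption; the log lines and the table listing are constructed samples, not captured output.

```python
"""Summarise pfSense filter-log lines per destination and cross-check the
blocked destinations against a snort2c table listing.

Added example for this thread, not code from the thread, from pfSense or
from the Snort package. Assumptions: the comma-separated filterlog field
order used below (rule, sub-rule, anchor, tracker, interface, reason, action,
direction, ip-version, then for IPv4 the protocol text at index 16 and
src/dst/src-port/dst-port at indexes 18-21) is the author's reading of the
pfSense filterlog format; the log lines and the table listing are
constructed samples, not captured output.
"""
from collections import Counter, defaultdict

# Constructed LAN-side filter log lines (syslog prefix stripped): one mail
# connection that passed and two that were blocked to the same server, plus
# some HTTPS and DNS traffic.
SAMPLE_FILTERLOG = """\
100000101,,,1000000103,igb1,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.1.20,203.0.113.25,51234,25,0,S,1:1,,65535,,mss
100000101,,,1000000103,igb1,match,block,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.1.20,203.0.113.25,51235,25,0,S,2:2,,65535,,mss
100000101,,,1000000103,igb1,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.1.20,203.0.113.25,51236,25,0,S,3:3,,65535,,mss
100000101,,,1000000103,igb1,match,block,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.1.21,198.51.100.7,44000,443,0,S,4:4,,65535,,mss
100000101,,,1000000103,igb1,match,pass,in,4,0x0,,64,5,0,DF,6,tcp,60,192.168.1.21,198.51.100.9,44001,443,0,S,5:5,,65535,,mss
100000101,,,1000000103,igb1,match,pass,in,4,0x0,,64,6,0,DF,17,udp,60,192.168.1.22,198.51.100.53,40000,53,32
"""

# Constructed listing in the shape of `pfctl -t snort2c -T show` output:
# one address per line, leading whitespace as pfctl prints it.
SAMPLE_SNORT2C = """\
   203.0.113.25
   198.51.100.7
"""


def parse_filterlog(line):
    """Parse one filterlog line into a dict; ports only for IPv4 tcp/udp."""
    f = line.strip().split(",")
    rec = {"interface": f[4], "action": f[6], "direction": f[7], "ipver": f[8]}
    if rec["ipver"] == "4" and len(f) > 21:
        rec["proto"] = f[16]
        rec["src"], rec["dst"] = f[18], f[19]
        if rec["proto"] in ("tcp", "udp"):
            rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec


def summarize(lines):
    """Count pass/block per (destination, port) for IPv4 tcp/udp records."""
    stats = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_filterlog(line)
        if "dport" in rec:
            stats[(rec["dst"], rec["dport"])][rec["action"]] += 1
    return dict(stats)


def parse_table_listing(text):
    """Turn a `pfctl -T show` style listing into a set of addresses."""
    return {ln.strip() for ln in text.splitlines() if ln.strip()}


def cross_check(stats, blocked_hosts):
    """Keep only destinations that saw blocks and sit in the blocked-host table."""
    return {key: dict(cnt) for key, cnt in stats.items()
            if cnt["block"] and key[0] in blocked_hosts}


def intermittent(stats):
    """Destinations that were both passed and blocked: the 'random' pattern."""
    return [key for key, cnt in stats.items() if cnt["pass"] and cnt["block"]]


if __name__ == "__main__":
    stats = summarize(SAMPLE_FILTERLOG.splitlines())
    table = parse_table_listing(SAMPLE_SNORT2C)
    for (dst, port), cnt in sorted(stats.items()):
        print(f"{dst}:{port:<5} pass={cnt['pass']:<3} block={cnt['block']:<3}")
    print("intermittent:", intermittent(stats))
    print("blocked and in snort2c table:", cross_check(stats, table))
```

On a real pfSense box the two inputs would come from the filter log (Status > System Logs > Firewall, or the filterlog file on disk) and from `pfctl -t snort2c -T show`; a destination that shows up in both the block counts and the table is being dropped by the leftover table entry rather than by the LAN rules, which is the case BBcan177 describes and why clearing the Blocked tab (or letting the Snort cron clear the table) resolves it even with Snort disabled.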

                            Thanks for the pointers about Snort.

                            Blocks and passes were observed in logs.  Once I noticed the issue, I logged all LAN traffic.

                            Still not understanding how my LAN traffic would be affected by Snort on the WAN?

                            Please note that the router is now operating correctly through a reinstall and configuration from the previous saved configuration, including Snort.  Therefore I cannot repeat/test.  Heavy handed, yes, but I needed to get onto real work, not debugging a firewall and not replying to emails, etc. for days.

                            Peter

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.