Bridge mode causing SMB traffic to fill firewall log

  • Hi,

    I have a pfsense box updated to the latest version.  This box is used for OpenVPN and, to get the OpenVPN to work as we needed it, it was configured in bridged mode.  Subsequently we bridged both the LAN and the OpenVPN interface so that the OpenVPN users could talk to and use resources on the LAN.  Since setting that up our firewall log has been inundated with what appears to be blocked traffic to our samba server over port 445.  The traffic seems to come from both the LAN and the Bridge using Proto TCP:A & TCP:PA.  Some of the traffic is reported to be hitting a default ipv4 rule and some just have a blank box where the reason would normally be.  I cannot figure out why this traffic is being blocked or how to suppress it so that I can see other things that are logged there.

    I have rules setup to allow all traffic generated from the LAN net and to allow all IPv4 traffic on both the Bridge and OpenVPN interface.  No interface has the "block private networks" or "black bogon networks" ticked.

    Any help on this would be greatly appreciated.

    Thanks in advance.

  • It may be out of state traffic if it doesn't seem to match any of your rules."blocked"_for_traffic_from_a_legitimate_connection

  • Thanks for the quick response.

    I looked through that article and while it could very well be something to do with what it is talking about, there doesn't seem to be any way of rectifying the issue.  Also, the data in my firewall log doesn't seem the same as what is shown in that article as some of the traffic I am seeing doesn't state that it's been blocked by a default deny any rule ipv4.

    Another thing I can't understand is why this traffic is ever hitting the firewall, the source and destination addresses on all the hits are physically on the LAN.  To clarify, this is a windows domain with two windows domain controllers used for DHCP & DNS, pfsense is nothing more than a firewall and OpenVPN server.

    It does seem to be misinformation from the firewall as no user has reported any problems accessing the samba drive.

  • LAYER 8 Global Moderator

    Can you post up screen shot of these firewall hits your seeing.  And details of how you bridged your lan to your openvpn - I can think of no reason why that would ever in a million years have to be done to allow access to file shares, etc.

    I access file shares over a normal tun setup where openvpn is on own network different than the lan network.

  • I followed this article to set up my OpenVPN:

    I could not get VPN clients talking to LAN resources without setting it up this way.

    Attached is a screen grab of my firewall log.

  • LAYER 8 Global Moderator

    Did you change your firewalls on your local clients to allow access from a remote network?

    TAP is not a good option.. All broadcast traffic is now over your vpn.. Bridges in general are horrible performance..  Unless you had a specific need for say broadcast traffic to be used there is no reason for tap, and accessing file shares sure doesn't need to be on the same segment.

    So lets see your rules?  Post up rules you have on lan and bridge interfaces in your firewall.  All of that traffic is out of state for sure.  Also you can click the red x to see what rule it was that blocked.. Or better yet just enable the rule to be listed.  In your log settings change it so it displays the rules desc.

    That is dated back from 2012?  So version 2.0.2 at best.. You do understand the vpn wizard would walk you through setting it up in like 30 seconds.  Are you running version 2.0.2?  Or current 2.2.4?

  • I haven't changed any client firewalls at all, the WAN on the pfsense box allows openVPN traffic but that's it.

    When I click the red X half of the entries are blocked by default deny rule IPV4 and the others are blank.  I have already selected the option add pass rule from the firewall but this had no effect and I subsequently deleted those rules.

    I'm starting to think maybe I need to set up a new box and try installing OpenVPN with the wizard on TAP and try and get that working again.  I used the wizard previously with TAP, I couldn't get anything on the VPN to speak with anything on the LAN with that set up either.

    I am currently running 2.2.4.

  • LAYER 8 Global Moderator

    Why do you think you need tap???  You DONT!!! File sharing does not require to be on the same segment.

  • My apologies, please replace TAP with TUN in my last message.

  • LAYER 8 Global Moderator

    don't think you need to setup a new box..  Just redo the vpn connection on this one.

  • I should probably open a new ticket for this but any chance you can point me in the right direction.  I have set up the TUN OpenVPN server and connected to it fine.  I can see some stuff on the LAN network from the VPN tunnel but I can't access the SMB share.  It keeps hitting the firewall despite those rules I have setup allowing traffic over the VPN, I have attached an image of the firewall log.

  • LAYER 8 Global Moderator

    and what are the rules on your vpn tab?  By default I believe its an any any - what did you change it to or add above it?  Did you check to allow netbios over the vpn?

    Enable NetBIOS over TCP/IP
    If this option is not set, all NetBIOS-over-TCP/IP options (including WINS) will be disabled.