Hi, Why I got too many IP loaded and I am not using any internet.
Sorry about noob question,
I got too many IP loging to my pfsense. showed in pfTop, My WAN block ALL and LAN: TCP - LAN net 80, 443 to Des any. LAN address 53/UDP
My WAN Rules
And my LAN Rules
Please help me.
whats your concern those look like 80,443 and 53 to me..
First thanks a lot for your answer, My question is: Why I got too many IP in the pfTop. I mean I did not use any port or anything in my computer.
And how can I fixed that?
My Rules - for LAN go to web by ports: 80 | 443 | 53
KOM last edited by
I still don't know what your real problem is. That state dump shows you have two systems, 172.16.0.1 and 172.16.1.12, and they are talking to another system on your LAN (172.16.1.9) and the outside world. All of the traffic is either HTTP, HTTPS or DNS. Your firewall rules need some cleanup.
Hi KOM thanks for your answer:
Yes that was the problem: 172.16.0.1 and 172.16.1.12, and they are talking to another system on your LAN (172.16.1.9) and the outside world.
I did not using anything and I checked on windows monitor network nothing going out with my action. and how do they talking to outside word ? (Automatic ?) I really don't understand.
If I am going to some website or connect somewhere. that fine cos i am using something, But I am not and I got too much IP talking to my network system. More than 40 IPs talking…
All my LAN Rules are correct? Yes something wrong please show me how to fix.
Thanks a lot guys.
KOM last edited by
I still don't understand. Are you saying that you have no idea about these systems using the IP addresses 172.16.0.1, 172.16.1.12 and 172.16.1.9? They are on your network.
More than 40 IPs talking…
Three local IPs talking to the Internet in general. Only the Source is important here, since that's where the traffic is coming from.
Yes something wrong please show me how to fix.
All rules (except Floating Rules) are process top-down, first-match. So if you have a Block All rule and under that you have other rules, those rules will never, ever be triggered. WAN Net is not the entire Internet, just the subnet that your WAN IP address belongs to. Finally, all interfaces have a hidden Default Deny rule that you can imagine being at the very bottom of the rules list, so you don't need to explicitly add a block rule at the bottom. Your WAN rules, you could delete all but the first rule and get the same results. Block rules should always come before allow rules.
So for example if you have any software that checks in, dropbox for example. Windows update, antivirus.. Any other software that might be phoning home for lic or updates, etc etc.. And to get to these sites they would have to use dns ;)
Also those are states does not mean those connections are ACTIVE at this second.. So for example that one address
Looks to be something with kaspersky - you run their antivirus?? I show a PTR of that IP address of ksn2.kaspersky-labs.com
Yes I do, Kaspersky and update windows. That all I got in this computer. no software, nothing…
That why I dont know so funny.
and look again 2 picture in 1 page.
i mean the Destination - I can see here too much IP in DEST when i show in pftop. That why I don't understand. can You see in the picture?
and this in 1 page not 2 pages
Thanks a lot man.
I check on IPTOOLS.
Got some IP from Japan, HK, Us, Uk, Sing, Vn…v...v... and more, more country. But I am not have too much like that software. this is the one pc for test with pfsense lab.
All my Rules in WAN and Lan is correct ?
I am not sure that why I come to ask. So sorry for NOOB question.
And thanks a lot for your answer.
yeah I see the pictures.. what do you not understand about states and listings.. Many of them are 53, so DNS connections
Why don't you sniff and see what that dns traffic is.. On the interface of pfsense, that IP is connected to sniff for port 53 udp and wait for a bit and then download it and view it in wireshark and you will see exactly what is being asked for, etc.
If you have Kaspersky running, it goes to a lot of different places to get updates for the definitions. It will use both HTTP and HTTPS (80&443) to get them. I have it running on a few Windows machines and see similar amounts of connections. You can always hit google with "whois IP" like whois 18.104.22.168 and get information on the destination IP. Off the top of my head the 62. and 96. are very likely to be Kaspersky servers.
Is 172.16.0.1 a machine or pfsense interface? if running a resolver it will query many different dns since it is looking them up from roots and then walking down the tree until it gets to the actual authoritative server for that domain, etc.
Thanks a lot for your guys answer. I understand more but how about now my last question in this post.
Why now in my pfTop now only have 5 communicate only? Why they dont communicate like a lot IP look like before ?
NOW ALL Good nothing communicate in my pfTop. I mean from the first time I post this it a lot IP ~ 40 IP maybe. now only 4 sometime 5.
And could you guys please help me answer my last question: My WAN and LAN Rules are correct ?
MANY MANY THANKS
Without knowing exactly what you want to do, it's hard to say.
On the WAN interface, out of the box it's "default deny", so you shouldn't need any block rules on it. It is also "first match wins" in the user defined rules.
You are allowing inbound NTP: are you running a public NTP server that you want others to access? If not, you should disable that rule.
Your block all rule before your other 2 block rules means they don't get processed.
On the LAN interface out of the box, it's "allow everything" by default, so you can probably do just block rules unless you want to restrict traffic from LAN to 80, 443 and 53(to LAN side of pfSense).
Not sure if you posted the full set, looks like there might be something above what you posted. And agree with mer not really understanding your ntp rule. Especially without any dest address on your wan?
I don't see how that rule would make any sense.. Then the 3 other blocks below that are all pointless, unless you wanted a rule to block traffic and not log via the default block logging rule. If you don't want that logging why not just turn off logging, unless you wanted it logging on your other interfaces? But those 2 blocks under your first block on your want are completely pointless.
And then your 2 block rules on lan also make little sense.. Unless you were wanting to log them and had disabled default logging?