Confusion about LAN address on PFsense FW Log



  • Hi,

    I am confused about some logs on PFSense.
    My network is like this:
    BT OPenreach <-> PFsense <-> Router <-> 3 ports to 3 different LANs
    between the PFsense and the router there is only a single connection  with 2 IPs, one on PFSense LAN port the other on the Gateway "WAN" port.
    The LAN interface of PFSense is 192.168.10.10
    The WAN interface on the router is 192.168.10.11
    The router LAN interface have 3 ports on 3 different LANs 192.168.1.X , 192.168.2.X and 192.168.3.X

    Checking PFsense FW logs I see some dropped packages which should not be there (at the moment I am assuming that it is linked to this link:https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection and I am not worried about, please let me know if I should).
    but my question is regarding to the network it is dropping the packages.

    On the FW logs, I see packages dropped from all this IPs (192.168.10.11, 192.168.1.X, 192.168.2.X and 192.168.3.X).

    I am lost on how this play together. I had the impression that only packages with IP 192.168.10.11 would be seen by PFsense, but he is also checking/see IPs from the networks behind the router.
    Is this correct? what is the expected behavior here?

    Also, if a plug a server on, let say, 192.168.1.100, what is the port forwarding I should use on PFS? directly the IP/port of the server, or should I forward to the WAN port of the router, and then "re-forward" to the right place?

    thanks!

    Luis



  • Start by making sure your WAN and LAN networks are not the same. You will not be able to route traffic correctly with this configuration. Make you LAN address range something different, such as 10.10.0.0/24 or set you WAN address range to that instead. If you're still having problems after you make this change, post again with a diagram showing your network layout in full, including all addresses and connected devices.



  • HI,

    thanks for the feedback.
    Please have a look on the attached file (simple MSPAINT .JPG  –> sorry for that, but was the best i could arrange).

    what draws my attention is that the Firewall (on PFsense) is showing logs from IPs behind the ubiquiti router (print screen attached too)

    I would expected to see only logs from 192.168.10.11 (router WAN port) OR only from the LANs of the gateway (192.168.1.0, 192.168.2.0, 192.168.3.0).

    My confusion is that PFsense blocks some packages from BOTH LANs (192.168.10.11 AND 192.168.1.0, X.X.2. and X.X.3.0).
    I was not expecting to see packages from 192.168.1.X (and 2.X and 3.X) on the 192.168.10.0 network.

    Everything seems to be working fine from the user perspective, but I am confused about the logs on PFsense and thos block packages from those IPs.

    thanks!



    ![fw prt scr.jpg](/public/imported_attachments/1/fw prt scr.jpg)
    ![fw prt scr.jpg_thumb](/public/imported_attachments/1/fw prt scr.jpg_thumb)



  • Looks like the classic "out of state packets". PFSense will always drop packets if the states does not exist. PFSense is a stateful firewall and enforces proper TCP state build-up and  tear-down. My guess is you have some mobile or tablet devices on your network.



  • Hi Harv,

    It might be out of state, yet. but the thing is: there is no mobile device on the LAN 192.168.1.X. not a single (there is no AP on that Network).

    anyway, my main concern is about the networks itself (and not about the drop packages).

    I dont understand how PFsense got packages from 192.168.10.11 and 192.169.1.42.

    any clues?

    tks!

    luis


  • LAYER 8 Global Moderator

    your not natting??  Would be the first suggestion.. If you were natting then no there should be no 192.168.1,2,3 IPs that pfsense should see.

    But to be honest in such a setup what point  does the unifi router serve??  Why don't you just connect these network direct to pfsense?



  • Hi,

    YES! there is a NAT there  ??? that is also I found very weird!

    I though about to connect everything directly to PFSense, but at the moment, PFSense is running on a brand new Atom525 build only for this, with only 2 NIC (from Intel).
    Also the Ubiquiti router have  PoE port that supply 24V to an Ubiquiti AP.

    I was thinking to disable NAT and have the router like as a PoE passthru only, once I found those packages "lost" there, so before I touch anything else I am trying to understand what is going on here…

    I have no clue where to look further...

    tks!

    Luis


  • LAYER 8 Global Moderator

    How do you have it wired?  You sure pfsense is connected to WAN port of the unifi router… If your saying those other networks then your connected at layer 2, and or unifi is not natting..

    Why don't you just use the unifi poe injector to supply power to your AP, or what model is that unifi router - does it have switch ports or just all interfaces for routing?  Why not just get a normal switch or one of their switches if all you need poe.



  • Hi John,

    I am deadly sure :)

    the wires are exactly like show on the diagram that I previously attached.

    Internet <– 1cable --> BT modem <-- 1 cable from BT modem to PFSense WAN --> PFSense <-- 1 cable from PFSense LAN to Router WAN --> router <-- 3 cables, 1 for each interface --> 3 different networks, with 3 different cables.

    the router is the Edgerouter X.

    the router config is eth 2 as WAN port, with DNS masquerade
    eth 0, 1 and 3 as LAN port, each one with its own IP scheme.

    I had the switch before i built the PFsense, so it was used for that reason too.

    I just dont understand those packages on the FW itself :( sound very weird to me.

    thanks for any hints!

    Luis


  • LAYER 8 Global Moderator

    Well your blocks from 10.11 are just out of state packets..

    But that traffic I agree with you from 192.168.1.42 be it in state out of state should not be there..  So you have problem with our unifi router not doing nat if its sending traffic out on the 192.168.10 network without natting it..

    You should bring it up on the unifi forums..  Pfsense has nothing to do with that at all.



  • Hi John,

    thank you very much!
    I was looking for a second opinion, as I also believe it makes no sense.
    I will open a thread on unifi!

    very appreciated!  :)

    Luis



  • Perhaps it would be making more sense to insert behind the pfSense a normal LAN Switch
    likes the Cisco SG200 or SG300 series and set it up as normal and common. Why creating
    a dual homed bastion host or router cascade if this is not really needed here?

    Also a smaller Switch with 5 GB LAN ports would be sufficient if it will be supporting VLANs.

    Alternatively you could also do only SPI/NAT at the WAN port from the pfsense and disable NAT
    at the "WAN" port at the UBNT router so that you are using plain routing there, then this problems
    will be gone.


  • LAYER 8 Global Moderator

    In a home/smb setup it makes no sense to use a downstream router.. If you need more interfaces on pfsense then add them or use vlans.  I just don't see the need for downstream routing or even worse double natting.

    If you want to leverage your unifi router for its poe, ok sure I guess - just disable its nat feature and create your routers to your downstream router via a transit network..  But as mentioned a switch would be better choice.


Log in to reply