Understanding the Firewall Logs



  • I'm still learning the ropes for pfSense. Can someone explain why I'm seeing a TON of traffic in my firewall log from the WAN interface, originating from what I understand to be an IP in the private category?

    Any insight is much appreciated.

    EDIT: I should have mentioned that all devices on my network are using the 192 address space, if that helps.



  • That's DHCP is your router trying to assign DHCP on the WAN side? Or is your modem asking for an IP address?



  • @NFSBuff:

    I'm still learning the ropes for pfSense. Can someone explain why I'm seeing a TON of traffic in my firewall log from the WAN interface, originating from what I understand to be an IP in the private category?

    Any insight is much appreciated.

    EDIT: I should have mentioned that all devices on my network are using the 192 address space, if that helps.

    If you mouse hover the red x, that should pop up a ballon with reference to the rule.  I'm guessing it's the default deny rule.  I believe the log is saying "On the WAN interface I blocked traffic from 10.107.64.1, port 67 that was destined for broadcast IP, port 68".  What is the WAN port connected to?
    Port 67 is BOOTP Server, port 68 is BOOTP client.  I'm guessing someone is trying to bootp something and the broadcast replies are hitting your WAN interface.



  • Yes, it does appear to be the default deny rule. (attached screen snip) The WAN port is connected directly to the modem.




  • @NFSBuff:

    Yes, it does appear to be the default deny rule. (attached screen snip) The WAN port is connected directly to the modem.

    That's good.  Did you assign an address to the WAN interface or do you have it doing DHCP?  Basically the traffic is the router responding to a DHCP request.



  • The WAN interface is being assigned an address by my ISP. I double checked my modem, and it is not serving any DHCP requests. The listing of blocks from the 10.107.64.1 address shows that it is blocked every 2-3 seconds continuously. Is there a way to prevent the log from being coming cluttered by this?




  • You can generally disable the logging of the default deny rule in the log settings.
    If you don't want this, add a rule to WAN interface with
    Action = block
    Protocol = UDP
    Source = any
    Source port range = 67 - 68
    Destination = any
    Log = unchecked
    So this if this rule matches a log entry not made.



  • Did some more digging and found this user who is/was experiencing the EXACT issue I'm having.

    https://forum.pfsense.org/index.php?topic=34436.0

    Was jimp's reply referencing special aliases ever implemented?

    EDIT: Nevermind! Found what I was looking for: Status > System logs > Settings, uncheck "Log packets blocked by 'Block Private Networks' rules." ….I need to RTFM more thoroughly...


Log in to reply