Topic: Lots of blocked packets from LAN segment to WAN

nleaudio (Newbie)
Lots of blocked packets from LAN segment to WAN
« on: November 04, 2017, 12:44:13 am »
Hi Guys,

I'm sure this has been beaten to death before, and I have read the stock answers about Out of State Packets, but I am seeing what seems to be an inordinate number of blocked packets on the latest pfSense install that I did.  The vast majority of the packets are DNS lookups, or SIP control packets going out to the VOIP provider.  Note that the VOIP system does seem to work, although call quality sometimes is a bit spotty.  I do have several LAN subnets set up as VLANs, but for the most part they are all just allowing everything out.

pfSense version: 2.4.1-RELEASE (amd64)
built on Sun Oct 22 17:26:33 CDT 2017
FreeBSD 11.1-RELEASE-p2

WAN Firewall Rules:
  Block private networks,
  Block bogon networks,
  Allow all ICMP from anywhere to anywhere

LAN Firewall Rules:
  Allow ipv4 anything from anywhere to anywhere

So pretty basic config - other LAN subnets are configured the same, with a few specifically blocked from other VLANs.
Where I am seeing the blocks are not subnet to subnet traffic, but outbound traffic (that should be unrestricted).

Here's a little sampling of the firewall log:

   Nov 4 01:07:13    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
   Nov 4 01:07:16    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:54699      64.132.94.250:53      UDP
   Nov 4 01:07:17    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
   Nov 4 01:07:19    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:39434      4.2.2.2:53      UDP
   Nov 4 01:07:21    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
   Nov 4 01:07:22    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
   Nov 4 01:07:23    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
   Nov 4 01:07:25    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:40104      216.136.95.2:53      UDP
   Nov 4 01:07:25    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
   Nov 4 01:07:29    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
   Nov 4 01:07:30    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:54699      64.132.94.250:53      UDP
   Nov 4 01:07:33    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:39434      4.2.2.2:53      UDP
   Nov 4 01:07:33    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
   Nov 4 01:07:37    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
   Nov 4 01:07:39    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:40927      216.136.95.2:53      UDP
   Nov 4 01:07:41    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
   Nov 4 01:07:42    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
   Nov 4 01:07:43    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
   Nov 4 01:07:44    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:50883      64.132.94.250:53      UDP
   Nov 4 01:07:45    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
   Nov 4 01:07:47    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:40146      4.2.2.2:53      UDP

This is actually pretty light - I've seen it where there are 20-30 of these per second.  Things are quiet tonight :-)  10.10.2.10 is the Asterisk VOIP server.

Thoughts?

Bob
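
As an added example (not code from the original post, and not pfSense's own tooling), the following Python parses firewall-log lines in the GUI layout shown above (time, interface, rule, src:port, dst:port, protocol), counts blocks per exact 5-tuple and per destination service, and reports how many seconds apart repeats of the same source port land. The embedded sample is a constructed subset of the lines Bob posted. The grouping only shows which flows recur and how often; it does not by itself say why pf rejected them, but a fixed source port recurring every few seconds (the 5060 to 5060 SIP flow, the 54699 and 39434 DNS queries) is the pattern to look at when deciding whether the out-of-state explanation fits.

```python
"""Group pfSense firewall-log block entries by flow.

Added example; not code from the original post or from pfSense.  It parses
the GUI log layout (time, interface, rule, src:port, dst:port, protocol)
and counts how often each 5-tuple, and each destination service, hits the
block rule, so repeats of the *same* source port stand out.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_LOG = """\
Nov 4 01:07:13    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
Nov 4 01:07:16    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:54699      64.132.94.250:53      UDP
Nov 4 01:07:17    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
Nov 4 01:07:19    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:39434      4.2.2.2:53      UDP
Nov 4 01:07:21    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:5060      69.54.92.156:5060      UDP
Nov 4 01:07:25    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:40104      216.136.95.2:53      UDP
Nov 4 01:07:30    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:54699      64.132.94.250:53      UDP
Nov 4 01:07:33    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:39434      4.2.2.2:53      UDP
Nov 4 01:07:39    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:40927      216.136.95.2:53      UDP
Nov 4 01:07:44    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:50883      64.132.94.250:53      UDP
Nov 4 01:07:47    VOIP_VLAN10    Default deny rule IPv4 (1000000103)    10.10.2.10:40146      4.2.2.2:53      UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<rule>.+?\(\d+\))\s+"          # rule description up to its numeric id
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s*$"
)


@dataclass(frozen=True)
class Flow:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line):
    """Return (timestamp, Flow) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The GUI log carries no year; strptime fills in 1900, which is fine
    # for computing gaps between entries on the same day.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    flow = Flow(m["iface"], m["proto"], m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]))
    return ts, flow


def parse_log(text):
    """All parseable entries, in file order; unparseable lines are skipped."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def summarize(text):
    """Counts per exact 5-tuple and per destination service (proto, dst, dport)."""
    flows, services = Counter(), Counter()
    for _, f in parse_log(text):
        flows[f] += 1
        services[(f.proto, f.dst, f.dport)] += 1
    return flows, services


def repeat_gaps(text, min_count=2):
    """For each 5-tuple blocked min_count or more times, the seconds between
    successive blocks.  The same source port recurring a few seconds apart is
    what a retransmitting UDP client looks like; a fresh source port on every
    entry is a different pattern and should be read differently."""
    seen = {}
    for ts, f in parse_log(text):
        seen.setdefault(f, []).append(ts)
    return {f: [(b - a).total_seconds() for a, b in zip(t, t[1:])]
            for f, t in seen.items() if len(t) >= min_count}


if __name__ == "__main__":
    flows, services = summarize(SAMPLE_LOG)
    for svc, n in services.most_common():
        print(f"{n:3d}  {svc[0]} -> {svc[1]}:{svc[2]}")
    for f, gaps in repeat_gaps(SAMPLE_LOG).items():
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} repeats, gaps {gaps}")
```

Feed it the real log (Status > System Logs > Firewall, exported as text) instead of the constructed sample; `parse_log` drops anything that does not match the layout, so stray header lines are harmless.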

johnpoz (Hero Member)
Re: Lots of blocked packets from LAN segment to WAN
« Reply #1 on: November 04, 2017, 02:57:10 am »
Doesn't look like LAN to me. Looks clearly like VOIP_VLAN10.

Post up your rules, and are you sure that this VLAN is hitting the correct interface?

That is UDP. So is your allow rule only TCP? Please post up screenshots of the rules on the interfaces.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.2-RELEASE on VM esxi 6.5 (home)

nleaudio (Newbie)
Re: Lots of blocked packets from LAN segment to WAN
« Reply #2 on: November 07, 2017, 11:35:02 am »
I did post the rules. The VOIP_VLAN10 is what I am calling the LAN. The firewall rules for VOIP_VLAN10 allow all protocols from anywhere out to anywhere.
And yes, I have verified this is the correct interface.

Bob


Harvy66 (Hero Member)
Re: Lots of blocked packets from LAN segment to WAN
« Reply #3 on: November 07, 2017, 11:44:00 am »
Can we see the actual rules, like a screen shot, on VOIP_VLAN10?

johnpoz (Hero Member)
Re: Lots of blocked packets from LAN segment to WAN
« Reply #4 on: November 07, 2017, 02:45:48 pm »
I don't see any posting of rules. I see this:

LAN Firewall Rules:
  Allow ipv4 anything from anywhere to anywhere

That doesn't mean anything. That is your interpretation of what you believe is set, etc. What's the saying? Pics or it didn't happen ;)