Blocked traffic on LAN via Default deny rule

Started by badchipmunk, November 14, 2020, 01:56:07 AM

Hi there. I'm seeing a ton of blocked LAN traffic on my FW, where one thing on my LAN is attempting to talk to another thing on my LAN. I cannot for the life of me understand why this is happening.

__timestamp__   Nov 13 17:54:07
ack   386885594
action    [block]
anchorname   
datalen   0
dir    [in]
dst   192.168.1.52
dstport   55240
ecn   
id   31958
interface   em0
interface_name   lan
ipflags   DF
label   Default deny rule
length   40
offset   0
proto   6
protoname   tcp
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
ridentifier   0
rulenr   8
seq   
src   192.168.1.5
srcport   443
subrulenr   
tcpflags   A
tcpopts   
tos   0x0
ttl   64
urp   128
version   4

What is your netmask (/24 or 255.255.255.0)?

Just a guess: maybe you configured your switch with port mirroring for some reason?
"The S in IoT stands for Security!" :)

Quote from: badchipmunk on November 14, 2020, 01:56:07 AM

It's maybe an ACK packet for a connection that is no longer active in the firewall.
https://www.signorini.ch
Protectli Pfsense Mi7500L6 Intel 7Th Gen Core I7 7500U 16Gb Ddr4 Ram
512Gb Msata Ssd
6 X Intel Gigabit Ethernet

Once-a-month topic: Out-of-state traffic...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
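To make the "out-of-state" explanation above concrete, here is an added Python example (not from anyone in this thread) that parses a pf block record in the key/value layout posted above and separates a stateless mid-stream segment from a genuinely blocked new connection. The sample records are constructed; the /24 LAN prefix is the one asked about above and is only an assumption.

```python
import ipaddress

# Constructed sample records in the 'key   value' layout of the log dump
# posted above. The first reproduces the posted entry (pure ACK from
# 192.168.1.5:443 to 192.168.1.52:55240, blocked by the default deny rule
# on the lan interface); the second is a constructed SYN for comparison.
POSTED_ACK = """\
__timestamp__   Nov 13 17:54:07
action    [block]
dir    [in]
dst   192.168.1.52
dstport   55240
interface_name   lan
label   Default deny rule
protoname   tcp
src   192.168.1.5
srcport   443
tcpflags   A
"""
CONSTRUCTED_SYN = POSTED_ACK.replace("tcpflags   A", "tcpflags   S")

def parse_record(text):
    """Turn the 'key   value' dump into a dict; empty values become ''."""
    rec = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(" ")
            rec[key.strip()] = value.strip().strip("[]")  # '[block]' -> 'block'
    return rec

def classify(rec, lan_cidr="192.168.1.0/24"):
    """Label a pf block entry. The /24 is an assumption (the thread asks for
    the netmask but never confirms it); pass the real LAN prefix if it differs."""
    if rec.get("action") != "block":
        return "not-a-block"
    lan_net = ipaddress.ip_network(lan_cidr)
    on_lan = rec.get("interface_name") == "lan" and rec.get("dir") == "in"
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    if not (on_lan and src in lan_net and dst in lan_net):
        return "other"
    flags = rec.get("tcpflags", "")
    if rec.get("protoname") == "tcp" and flags and "S" not in flags:
        # ACK/FIN/RST with no state table entry: a mid-stream segment whose
        # handshake the firewall never saw. The real question is why a
        # packet between two LAN hosts reached the router at all (mirror
        # port, a host routing via the gateway after a netmask mismatch,
        # or a state that expired while the hosts kept talking).
        return "intra-lan-out-of-state"
    # A SYN between two LAN hosts would normally hit the LAN allow rule,
    # so a block here points at the rule set rather than at state.
    return "intra-lan-new-connection"
```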

I did have a port mirror set up on a switch which fed to a Security Onion instance, I disabled that to no avail. In my hunt I also discovered that the MTU I was handing out to my DHCP clients was different than what I had set for my LAN interface, so I set those to be the same, but that didn't seem to do much. Then I went around and just rebooted clients on the network, and that evidently cleared things up. I still see some blocked traffic related to my plex server, but I think that's largely related to the weirdness that needs to be configured to expose that to the interwebs.