Default IPv4 Block Rule?

I have my virtual pfSense running smoothly. I can access the web GUI from my main network using aliases (thanks Tom for that tip), no other issues, but upon reviewing logs I get a ton of entries in the firewall system log that say:

Feb 2 12:16:49 WAN Default deny rule IPv4 (1000000103) 10.10.1.1:51171 239.255.255.250:1900 UDP

When I click the X showing it was blocked, it says the rule below blocked it.

The rule that triggered this action is:
@5(1000000103) block drop in log inet all label "Default deny rule IPv4"

Now I cannot find said rule anywhere in my firewall rules. This is not breaking anything; if anything it merely causes log bloat, but I would like to better understand what is happening.

It looks like something on your network is running this


Given that this instance is on a private network and running just my VMs, is it possible something on my wired network (the 10.10.1.1/24, the WAN side of pfSense) is generating this? If that's the case then it's likely a gaming system or something of that nature. If that is the case, can I strip this out of the logs? Will log bloat slow the pfSense instance down, or is it OK to just let it go?

It's fine; when you have pfSense as the WAN there are a lot more things being logged, not really a big deal.

Thanks Tom. Some systems, i.e. Windows, can get slow if the logs get full; I was not sure how pfSense handled it. Back to testing and trying to understand pfSense.

Side note: XCP-ng is a far better experience with VMs than VirtualBox; glad I found your videos on it.


@ajamison, I would create a rule on the WAN interface to explicitly block the IP 239.255.255.250 and not log it. Maybe that will clear your logs.

I might try that, given I have no devices on my network, WAN or LAN side, with that address.

It's a multicast address, so none of your systems would have that as an assigned IP.

Every firewall has a "default rule" which takes effect on anything that wasn't matched by another rule, and it frequently isn't shown as a rule but rather as a setting elsewhere. A proper firewall will have this as Default Deny, but most also let you change this. It is best to leave it as Default Deny and explicitly make Allow rules that are narrow to accept specific traffic. As @FredFerrell said, you can create explicit deny rules to clean up the logging. When I am setting up a new business network, part of my process is to watch the firewall logs for a few days to see what we might need to let through between VLANs, and as part of that it helps to block things that clutter the logs.
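
To make the "watch the logs, then add non-logging block rules for the noise" step concrete, here is an added example (not code from the original thread or from pfSense itself). It parses firewall-log lines in the shape shown earlier in the thread, keeps only hits on the default-deny tracker ID 1000000103, tags each destination as SSDP (239.255.255.250:1900 UDP), other multicast (224.0.0.0/4), or unicast, counts them, and prints a pf-syntax block rule without the `log` keyword for each multicast bucket. The log lines are constructed for the example, and the interface name `em0` is an assumption; in pfSense you would add the equivalent rule in the WAN tab with logging unchecked rather than editing pf.conf.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the same shape as the log line quoted in the thread
# (timestamp, interface, rule description, tracker id, src:port, dst:port, proto).
SAMPLE_LOG = """\
Feb 2 12:16:49 WAN Default deny rule IPv4 (1000000103) 10.10.1.1:51171 239.255.255.250:1900 UDP
Feb 2 12:16:52 WAN Default deny rule IPv4 (1000000103) 10.10.1.1:51171 239.255.255.250:1900 UDP
Feb 2 12:17:03 WAN Default deny rule IPv4 (1000000103) 10.10.1.1:5353 224.0.0.251:5353 UDP
Feb 2 12:17:10 WAN Default deny rule IPv4 (1000000103) 10.10.1.44:51234 10.10.1.2:443 TCP
Feb 2 12:17:11 WAN Default deny rule IPv4 (1000000103) 10.10.1.1:51171 239.255.255.250:1900 UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+"
    r"(?P<rule>.+?)\s+\((?P<tracker>\d+)\)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# IPv4 multicast range; nothing has this as an assigned address, as noted above.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
DEFAULT_DENY_TRACKER = "1000000103"


def parse_line(line):
    """Split one log line into its fields; return None for lines in another shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def is_multicast(addr):
    return ipaddress.ip_address(addr) in MULTICAST


def classify(entry):
    """Tag the destination: SSDP discovery, other multicast, or ordinary unicast."""
    if entry["proto"] == "UDP" and entry["dst"] == "239.255.255.250" and entry["dport"] == 1900:
        return "ssdp"
    if is_multicast(entry["dst"]):
        return "multicast"
    return "other"


def summarize(log_text, tracker=DEFAULT_DENY_TRACKER):
    """Count default-deny hits per (kind, dst, dport, proto) so the noise stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["tracker"] != tracker:
            continue
        counts[(classify(entry), entry["dst"], entry["dport"], entry["proto"])] += 1
    return counts


def suggest_rules(counts, iface="em0"):
    """Emit a non-logging pf block rule per multicast bucket (iface is assumed)."""
    rules = []
    for (kind, dst, dport, proto), hits in counts.most_common():
        if kind == "other":
            continue  # unicast hits deserve a look, not a silent block
        rules.append(
            f"block drop in quick on {iface} inet proto {proto.lower()} "
            f"from any to {dst} port {dport}  # {hits} hits; no 'log' keyword"
        )
    return rules


if __name__ == "__main__":
    for (kind, dst, dport, proto), hits in summarize(SAMPLE_LOG).most_common():
        print(f"{hits:4d}  {kind:9s} {dst}:{dport}/{proto}")
    for rule in suggest_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Unicast hits are deliberately left out of the suggested rules: a blocked TCP connection to an internal host is exactly the kind of entry the few-days log review is meant to surface, whereas SSDP and mDNS chatter arriving on a WAN-side interface is safe to drop silently.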

Thank you for helping clear that up. I am still learning, which is why currently pfSense is just at the edge of my VM network; once I get proficient enough to troubleshoot issues I may have, I will likely buy a Netgate box and upgrade my router.

I'm glad this has been brought up.

I am trying to allow something through pfSense that is hitting the default deny rule; no matter which Pass rules I add, pfSense seems to ignore them and still blocks it.

Any ideas?

OK, I keep seeing this problem also:

Filter Reload

  • There were error(s) loading the rules: /tmp/rules.debug:45: cannot define table pfB_Europe_v4: Cannot allocate memory - The line in question reads [45]: table <pfB_Europe_v4> persist file "/var/db/aliastables/pfB_Europe_v4.txt"
    @ 2020-02-07 17:23:37

I have upped the Firewall State Tables to 60000 too, and I have made an allow rule from the Firewall Log.

It's still being blocked.

Solved, I had to really up my state tables size.

Fixed.

Why not just run your pfSense as a VM? All 15+ pfSense deployments I manage are all virtual instances.

You must have some serious traffic flows going through your firewall. Is this for your home or work?

Yes, this is my home network, and right now I am just trying to get used to pfSense before deploying it as my main router.

Nope, business. I run pfSense at home too, though.