WAN firewall - How much traffic is typical to block?

First off, I am new to pfSense. I have been playing with it for a bit and I am mostly comfortable using it. I have installed pfSense + pfBlockerNG + snort (no blocking yet).

I finally moved my pfSense machine to between the modem and wireless AP/router. More testing is due, but mostly works fine.

The issue is when I checked the firewall logs after the move, I saw that the 50 lines were filled in about 5 minutes with blocks to the WAN. I have since increased the log to 500 lines to see a (slightly) bigger picture. Now, in about 5 minutes I typically get 15 (+/- a few) blocks. Meaning about 180/hr or over 4000/day blocks. I have checked some of the IP addresses and saw most were coming from the Russian Federation (with the St Petersburg area being the MOST common). I also saw some from China, Vietnam, France, east and south Africa, and the Netherlands. There are some single hits, but usually a sequence of 4 to 10 hits. These hits can be from a single IP/port combo, a single IP/multiple ports, or varying IPs (4th set of numbers varies, but still in range according to a Whois IP lookup)/multiple ports.

Is this hit rate typical, high, or low?
Should I be concerned? Just let pfSense deal with it or do something more?

Going off the top of my head, that count does seem high, although that scenario is standard. Did you used to have any equipment on that IP with open ports?

Only if the vast majority were concentrating on one port would I be worried.
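The original poster's method (count blocks in a short window, extrapolate per hour and per day, see which sources repeat) and the advice just above (worry mainly when most hits land on one port) can both be done from the filter log instead of by eye. The following is an added example, not code from the thread or from the pfSense project: it parses constructed pfSense filterlog-style syslog lines and reports the inbound WAN block rate, the top sources, and what share of the blocks target a single destination port. The column positions assume the comma-separated IPv4 layout of pfSense 2.2 and later; the interface name igb0 and every address and port in the sample are made up.

```python
"""Summarise blocked inbound WAN traffic from pfSense filterlog lines.

Added example (not part of the thread or of pfSense itself). The
column positions below assume the pfSense 2.2+ IPv4 filterlog layout;
check your version's documented field order if the output looks wrong.
"""
import re
from collections import Counter
from datetime import datetime

# Column positions inside the filterlog CSV for IPv4 entries (assumed).
F_IFACE, F_ACTION, F_DIR, F_IPVER = 4, 6, 7, 8
F_PROTO, F_SRC, F_DST, F_SPORT, F_DPORT = 16, 18, 19, 20, 21

# syslog prefix, host name, then "filterlog[pid]: <csv>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"filterlog\[\d+\]: (?P<csv>.+)$"
)

# Constructed sample (not real log data): ten inbound blocks on the WAN
# interface igb0 over exactly five minutes, plus a LAN block, an outbound
# pass and an unrelated sshd line that the summary must ignore.
SAMPLE_LOG = """\
Mar 12 10:00:01 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,45321,0,DF,6,tcp,60,203.0.113.10,198.51.100.2,51234,22,0,S,
Mar 12 10:00:02 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,45322,0,DF,6,tcp,60,203.0.113.10,198.51.100.2,51235,22,0,S,
Mar 12 10:00:02 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,45323,0,DF,6,tcp,60,203.0.113.10,198.51.100.2,51236,22,0,S,
Mar 12 10:00:03 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,45324,0,DF,6,tcp,60,203.0.113.10,198.51.100.2,51237,22,0,S,
Mar 12 10:01:10 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,48,1001,0,DF,6,tcp,60,203.0.113.77,198.51.100.2,40001,3389,0,S,
Mar 12 10:01:11 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,48,1002,0,DF,6,tcp,60,203.0.113.77,198.51.100.2,40002,445,0,S,
Mar 12 10:02:00 pfSense sshd[999]: Accepted publickey for admin from 10.0.0.5
Mar 12 10:02:20 pfSense filterlog[12345]: 9,,,1000000201,igb1,match,block,in,4,0x0,,64,7,0,DF,6,tcp,60,10.0.0.5,203.0.113.9,50000,25,0,S,
Mar 12 10:02:30 pfSense filterlog[12345]: 5,,,1000000104,igb0,match,pass,out,4,0x0,,64,1,0,DF,6,tcp,60,198.51.100.2,192.0.2.80,55000,443,0,S,
Mar 12 10:03:15 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,51,2201,0,DF,6,tcp,60,192.0.2.200,198.51.100.2,60001,22,0,S,
Mar 12 10:03:40 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,51,2202,0,none,17,udp,428,192.0.2.201,198.51.100.2,5060,5060,408
Mar 12 10:04:20 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,51,2203,0,DF,6,tcp,60,192.0.2.202,198.51.100.2,60003,5900,0,S,
Mar 12 10:05:01 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,51,2204,0,DF,6,tcp,60,192.0.2.203,198.51.100.2,60004,22,0,S,
"""


def parse_line(line):
    """Return a dict for one IPv4 filterlog line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) <= F_SRC + 1 or f[F_IPVER] != "4":
        return None  # IPv6 entries use a different column layout; skipped here
    proto = f[F_PROTO]
    # Only TCP and UDP entries carry ports; ICMP and others get a placeholder.
    has_ports = proto in ("tcp", "udp") and len(f) > F_DPORT
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "iface": f[F_IFACE], "action": f[F_ACTION], "direction": f[F_DIR],
        "proto": proto, "src": f[F_SRC], "dst": f[F_DST],
        "sport": f[F_SPORT] if has_ports else "-",
        "dport": f[F_DPORT] if has_ports else "-",
    }


def summarize(log_text, wan_iface="igb0", window_minutes=None):
    """Count inbound blocks on the WAN interface and extrapolate the rate.

    window_minutes: the observation window, as the poster did with a
    5-minute sample; when None it is taken from the first and last block.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    blocks = [e for e in events
              if e["action"] == "block" and e["direction"] == "in"
              and e["iface"] == wan_iface]
    if not blocks:
        return {"blocks": 0}
    if window_minutes is None:
        span = blocks[-1]["ts"] - blocks[0]["ts"]
        window_minutes = max(span.total_seconds() / 60, 1.0)
    per_hour = len(blocks) * 60 / window_minutes
    sources = Counter(e["src"] for e in blocks)
    ports = Counter(f'{e["proto"]}/{e["dport"]}' for e in blocks)
    top_port, top_port_hits = ports.most_common(1)[0]
    return {
        "blocks": len(blocks),
        "per_hour": round(per_hour),
        "per_day": round(per_hour * 24),
        "top_sources": sources.most_common(3),
        "top_ports": ports.most_common(3),
        "top_port": top_port,
        # Share of all blocks aimed at the single most-hit port: a value near
        # 1.0 means one service is being singled out rather than background scanning.
        "top_port_share": top_port_hits / len(blocks),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, window_minutes=5)
    print(f'{s["blocks"]} blocks -> ~{s["per_hour"]}/hr, ~{s["per_day"]}/day')
    print("top sources:", s["top_sources"])
    print("top ports:", s["top_ports"])
    print(f'{s["top_port"]} takes {s["top_port_share"]:.0%} of the blocks')
```

Run it against a copy of /var/log/filter.log (or the syslog export) with the real WAN interface name, and read `top_port_share` the way the reply suggests: a spread of random ports from many sources is ordinary background noise, while most of the hits converging on one port is the case worth looking into.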

I just had a consumer grade Netgear router/wireless ap. So, minimum firewall capability.

The internet is noisy because there are so many automated systems out there scanning. As long as you don’t have any ports open that they are looking for then you should be fine.


The router/AP only logged about 20 hits/hr. Sort of lulled me into a false sense of security. The hit rate on the pfSense machine just proves how bad of a job the old one was doing.

LOL, when I finally got pfSense operational I was shocked to see the amount of blocked attempts. Now I have a widget on the dashboard which shows it happens 5 or 6 times a minute. Currently I have a static WAN IP; I was debating if it was worth switching back to dynamic. Plus they probe some really random ports.

I use pfSense for my cloud hosting and I see it all the time. For my W2 job I see thousands a minute in my IPS. Whitelist as granular as you can, but make sure you have backups.