Random unrelated addresses on pvefw logger

isaacntk

Member
Jul 13, 2020
Hi, a security group I set up is blocking and logging some traffic that doesn't make sense to me. I'm wondering if anyone knows why it's happening.

The source seems to be 1.1.1.1 and the destination is my phone. My router is a separate device and DHCP is also from the router, so I don't understand why it's appearing on the PVE firewall. I also don't understand why 1.1.1.1, which is probably Cloudflare, has incoming traffic to a device on my network via port 443 lol

The internal_only security group is applied to some of my virtual machines/containers; I'm not sure how it's affecting traffic that doesn't interact with Proxmox.

Code:
pvefw logger
0 6 GROUP-internal_only-IN 29/Aug/2022:02:08:03 +0800 IN=fwbr209i0 OUT=fwbr209i0 PHYSIN=fwln209i0 PHYSOUT=veth209i0 MAC=<mac> SRC=1.1.1.1 DST=192.168.0.103 LEN=79 TOS=0x00 PREC=0x00 TTL=60 ID=16427 DF PROTO=TCP SPT=443 DPT=60430 SEQ=37333883 ACK=678819274 WINDOW=4 ACK PSH
0 6 GROUP-internal_only-IN 29/Aug/2022:02:08:03 +0800 IN=fwbr201i0 OUT=fwbr201i0 PHYSIN=fwln201i0 PHYSOUT=veth201i0 MAC=<mac> SRC=1.1.1.1 DST=192.168.0.103 LEN=79 TOS=0x00 PREC=0x00 TTL=60 ID=16427 DF PROTO=TCP SPT=443 DPT=60430 SEQ=37333883 ACK=678819274 WINDOW=4 ACK PSH
0 6 GROUP-internal_only-IN 29/Aug/2022:02:08:03 +0800 IN=fwbr206i0 OUT=fwbr206i0 PHYSIN=fwln206i0 PHYSOUT=veth206i0 MAC=<mac> SRC=1.1.1.1 DST=192.168.0.103 LEN=79 TOS=0x00 PREC=0x00 TTL=60 ID=16427 DF PROTO=TCP SPT=443 DPT=60430 SEQ=37333883 ACK=678819274 WINDOW=4 ACK PSH
0 6 GROUP-internal_only-IN 29/Aug/2022:02:08:03 +0800 IN=fwbr205i0 OUT=fwbr205i0 PHYSIN=fwln205i0 PHYSOUT=tap205i0 MAC=<mac> SRC=1.1.1.1 DST=192.168.0.103 LEN=79 TOS=0x00 PREC=0x00 TTL=60 ID=16427 DF PROTO=TCP SPT=443 DPT=60430 SEQ=37333883 ACK=678819274 WINDOW=4 ACK PSH
0 6 GROUP-internal_only-IN 29/Aug/2022:02:08:03 +0800 IN=fwbr204i0 OUT=fwbr204i0 PHYSIN=fwln204i0 PHYSOUT=veth204i0 MAC=<mac> SRC=1.1.1.1 DST=192.168.0.103 LEN=79 TOS=0x00 PREC=0x00 TTL=60 ID=16427 DF PROTO=TCP SPT=443 DPT=60430 SEQ=37333883 ACK=678819274 WINDOW=4 ACK PSH
 
Did you ever figure out what's happening here? I'm seeing similar entries in my firewall log.

My best guess is that these are frames flooded by the upstream switch when it doesn't have an entry in its MAC address table.

I haven't yet had a chance to test this theory and reproduce the issue, but if it's correct, I wonder if these can be dropped before IP filtering?
Never did. I still have random logs of traffic between the internet and local physical devices that are unrelated to Proxmox and its VMs/CTs, but it hasn't seemed to cause any issues, so I've just let it be.

Maybe I don't understand DoH enough, but I don't see why Cloudflare would be sending requests to my phone via port 443 as part of a DoH request? Shouldn't the direction of the traffic be reversed if my phone was querying Cloudflare DNS?

Also, I don't think a connection between Cloudflare and a phone on the same network should be managed by pvefw? I don't have any VMs that act as routers (e.g. pfSense) on Proxmox.

This is normal. If your device establishes a connection to a host on a given port, the host will respond from that same destination port. The source and destination ports are switched when 1.1.1.1 responds from port 443 to your phone on port 60430. Here you are seeing the reply from 1.1.1.1, but not the original request. You can check this yourself by taking a packet capture while, for example, browsing the web.

Regarding this issue, I ran a test by disabling MAC learning on my switch and then verifying from another host that it could see all frames on the network being flooded by the switch. Despite this, I did not see a single new entry in the Proxmox firewall logs, so I'm back to square one here and don't understand what is going on. If it helps at all, I am using a MikroTik switch, but I don't believe there is anything unusual about my configuration.
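The two threads of the discussion above (the "you are seeing the reply, not the request" explanation, and the theory that the upstream switch is flooding frames to every guest port) can both be checked directly against the pvefw logger output. The script below is an added example, not part of the thread or of Proxmox VE: it parses the log format quoted in the first post, flags entries whose destination is not one of the host's own guests (the phone at 192.168.0.103 in the thread), flags TCP ACK-only packets from a well-known source port as the reply half of a flow whose request never appears in the log, and groups identical packets (same endpoints, IP ID and TCP SEQ) by the bridge that saw them, which is the signature of one frame delivered to several guest ports. The sample log is constructed from the thread's lines plus two invented ones; the guest address 192.168.0.204 is an assumption, and in practice you would pass the real guest addresses.

```python
"""Triage pvefw-logger output (added example, not Proxmox code): which logged hits are
strays not addressed to any guest, which are reply halves of flows started elsewhere,
and which identical packets were delivered to several guest bridges at once."""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the lines quoted in the thread (the <mac> placeholder is
# kept as posted). The last two lines are invented: a SYN to an assumed guest
# 192.168.0.204, and a reply from 1.1.1.1 to that guest.
SAMPLE_LOG = """\
0 6 GROUP-internal_only-IN 29/Aug/2022:02:08:03 +0800 IN=fwbr209i0 OUT=fwbr209i0 PHYSIN=fwln209i0 PHYSOUT=veth209i0 MAC=<mac> SRC=1.1.1.1 DST=192.168.0.103 LEN=79 TOS=0x00 PREC=0x00 TTL=60 ID=16427 DF PROTO=TCP SPT=443 DPT=60430 SEQ=37333883 ACK=678819274 WINDOW=4 ACK PSH
0 6 GROUP-internal_only-IN 29/Aug/2022:02:08:03 +0800 IN=fwbr201i0 OUT=fwbr201i0 PHYSIN=fwln201i0 PHYSOUT=veth201i0 MAC=<mac> SRC=1.1.1.1 DST=192.168.0.103 LEN=79 TOS=0x00 PREC=0x00 TTL=60 ID=16427 DF PROTO=TCP SPT=443 DPT=60430 SEQ=37333883 ACK=678819274 WINDOW=4 ACK PSH
0 6 GROUP-internal_only-IN 29/Aug/2022:02:08:03 +0800 IN=fwbr205i0 OUT=fwbr205i0 PHYSIN=fwln205i0 PHYSOUT=tap205i0 MAC=<mac> SRC=1.1.1.1 DST=192.168.0.103 LEN=79 TOS=0x00 PREC=0x00 TTL=60 ID=16427 DF PROTO=TCP SPT=443 DPT=60430 SEQ=37333883 ACK=678819274 WINDOW=4 ACK PSH
0 6 GROUP-internal_only-IN 29/Aug/2022:02:09:11 +0800 IN=fwbr204i0 OUT=fwbr204i0 PHYSIN=fwln204i0 PHYSOUT=veth204i0 MAC=<mac> SRC=192.168.0.50 DST=192.168.0.204 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51234 DPT=22 SEQ=1 ACK=0 WINDOW=64240 SYN
0 6 GROUP-internal_only-IN 29/Aug/2022:02:09:12 +0800 IN=fwbr204i0 OUT=fwbr204i0 PHYSIN=fwln204i0 PHYSOUT=veth204i0 MAC=<mac> SRC=1.1.1.1 DST=192.168.0.204 LEN=79 TOS=0x00 PREC=0x00 TTL=60 ID=9001 DF PROTO=TCP SPT=443 DPT=50321 SEQ=100 ACK=200 WINDOW=4 ACK PSH
"""

# Fixed prefix: <vmid> <loglevel> <chain> <timestamp> <tz>, then KEY=VALUE fields and bare flags.
HEADER_RE = re.compile(
    r"^(?P<vmid>\d+) (?P<level>\d+) (?P<chain>\S+) (?P<ts>\S+ [+-]\d{4}) (?P<rest>.*)$"
)


def parse_line(line):
    """Split one log line into the prefix, the KEY=VALUE fields and the bare flags."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"vmid": m["vmid"], "chain": m["chain"], "ts": m["ts"], "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        else:
            rec["flags"].add(tok)  # DF, SYN, ACK, PSH, ...
    return rec


def classify(rec, guest_ips):
    """Heuristic verdict for one record.

    stray       - DST is not a guest on this host: the frame only reached a guest bridge
                  because the switch or bridge delivered it there (flooding candidate)
    new-inbound - a genuine connection attempt at a guest (SYN without ACK)
    reply       - ACK from a well-known source port to an ephemeral port: the return half
                  of a flow the request half of which is absent from this log
    other       - anything else (non-TCP, unusual flag combinations)
    """
    if rec.get("DST") not in guest_ips:
        return "stray"
    if rec.get("PROTO") != "TCP":
        return "other"
    spt, dpt, flags = int(rec.get("SPT", 0)), int(rec.get("DPT", 0)), rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-inbound"
    if "ACK" in flags and "SYN" not in flags and spt < 1024 <= dpt:
        return "reply"
    return "other"


def analyse(log_text, guest_ips):
    """Return (verdict counts, {packet key: sorted bridges}) for packets seen on more than one bridge."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    verdicts = Counter(classify(r, guest_ips) for r in recs)
    seen_on = defaultdict(set)
    for r in recs:
        # Same endpoints, IP ID and TCP SEQ means the same packet, not a retransmission.
        seen_on[(r.get("SRC"), r.get("DST"), r.get("ID"), r.get("SEQ"))].add(r.get("IN"))
    flooded = {k: sorted(v) for k, v in seen_on.items() if len(v) > 1}
    return verdicts, flooded


if __name__ == "__main__":
    counts, flooded = analyse(SAMPLE_LOG, {"192.168.0.204"})
    print(dict(counts))
    for key, bridges in flooded.items():
        print("packet", key, "hit", len(bridges), "guest bridges:", ", ".join(bridges))
```

Run against the real file (pvefw-logger writes to /var/log/pve-firewall.log) with the host's actual guest addresses: a large "stray" count and packets hitting several fwbr bridges at once support the flooding explanation, while "reply" entries addressed to a guest whose SYN never appears in the log are the case the previous reply describes and are best confirmed with a packet capture on the bridge.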