NXFilter quando tiro a autenticação minha WAN dispara para o consumo total

[Marco Antonio Hubert]

Bom dia a todos,

Recentemente atualizei para a ultima versão do PFSense e nisso também atualizei a versão do NXfilter, restaurei o backup e a licença do Jahalist para 50 usuários. Nisso quando eu tira a autenticação a minha WAN desse cliente que e de 40MB estoura os 40MB mas a LAN continua funcionando normalmente e também consecutivamente já me aparece mais de 600 IPS no NXfilter, segue imagens:

Obrigado

[Jahastech]

You can see those IPs on 'Logging > Request'. Do you not think they are your LAN IPs?

[Marco Antonio Hubert]

Yes, see below

I don't know if I teeling is correct but, is like WAN is DNS server for others, in config.default and cfg.properties I try used listen_ip = 192.168.1.0/24 after was listen_ip = 0.0.0.0.

[Jahastech]

You are under DNS amplification attack. Drop ANY type queries on 'DNS > Server Protection > Request Type Control > Blocked Request Type ' by adding 255.

And 'listen_ip' is just an IP of your server. So, use the private IP of your server.

But I think your network configuration has some problem if you see the traffic from outside your network.

[Marco Antonio Hubert]

OK I understand but, if I just stop NXfilter that my WAN worked fine but if I started NXfilter and Enable User Authentication is off my WAN worked in 40MB.

[Jahastech]

Don't know what you want. You exposed NxFilter in WAN and disable authentication, that means you allow traffic from outside. As a result, your NxFilter is under attack. And that attack uses ANY type queries which produces heavy traffic. Why did you disable authentication?

[Marco Antonio Hubert]

Sorry if I don't object, I'm not expose my Wan I just do it disable authentication because some users when open your brownser for put user and password  show is blocked and don't have option to put user and password, and I disable authentication for moment for they worked but at this moment I see that problem. For Instalation I follow documentation and I have other clients using NXfilter with AD and don't have this problem because off that I open this discussion.

[Jahastech]

Then one of your PCs got infected with some malware doing DNS amplification attack. It does IP spoofing. So, they are all fake IPs. Just drop ANY type queries as I told you.

And you can associate whole IP range to one user and use it as a default user for everyone if you want.

[Marco Antonio Hubert]

I do it " Drop ANY type queries on 'DNS > Server Protection > Request Type Control > Blocked Request Type ' by adding 255. " and everthing work good now.

Thank you for the patience and your help.

Have a nice day.