Author Topic: Why am I seeing this in my Firewall Logs so Often  (Read 588 times)

tagit446
« on: November 28, 2017, 10:55:58 pm »
See screenshot below.

I have the WAN on igb0. My firewall log is littered with many instances of what you are seeing in the pic.

Is it normal or does it indicate a problem or misconfiguration?

Any way to stop seeing it in the log?
pfSense v2.4.2 - RELEASE (amd64) running on AMD Phenom(tm) II X4 965 Processor, Asus M4A89GTD PRO motherboard, Dell / Intel Pro/1000 VT Quad Port PCI-E Gigabit NIC Dell P/N 0H092p

NogBadTheBad
« Reply #1 on: November 29, 2017, 02:41:48 am »
Looks like something on the WAN side is doing a DHCP request (it's a broadcast), try doing a packet capture on the WAN interface for port 67.

Create a firewall rule on the WAN interface to block DHCP in and set it not to log or you can disable logging of the default block.
« Last Edit: November 29, 2017, 03:32:54 am by NogBadTheBad »

tagit446
« Reply #2 on: December 01, 2017, 01:30:02 pm »
I did a packet capture on the WAN port 67 for almost 4 hours. In the end the capture was completely empty.

I checked the firewall logs and it showed several instances occurring on igb0 during the capture however.

After thinking about this I realized even though I set the WAN up on igb0, it is a PPPoE connection, which if I understand correctly is a virtual connection, right?

Unfortunately it does not allow me to actually choose igb0 to do a packet capture on.

I know my modem is in bridge mode and it hands out a dynamic public ip but at the same time has DHCP still turned on. Could this be what is causing the issue?

Should DHCP on the modem be turned off?

johnpoz
« Reply #3 on: December 01, 2017, 01:34:42 pm »
You should be able to do a sniff from the cli via tcpdump.  You can then see from the sniff the mac of what is doing the dhcp discover.  So you have your modem, which is really a modem and not some gateway directly connected to igb0?

It's possible you're seeing dhcp from your ISP's other clients - but you shouldn't.  Your modem/isp device should not be asking for dhcp on its lan side interface.. So it is odd that you would be seeing that.  Is it possible you got something else connected on the same L2 between your isp device and pfsense wan interface (igb0)?
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE (home)
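
The check suggested in the reply above, as an added example that is not part of the original thread: a Python parser that takes one captured Ethernet frame and reports which MAC sent the DHCP message, plus the client MAC, message type and hostname carried inside it. The sample frame, its MAC address and its hostname are constructed for illustration.

```python
import struct

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_dhcp_frame(frame):
    """Identify the sender of a DHCP message; None if not IPv4/UDP DHCP."""
    ip = frame[14:]
    if frame[12:14] != b"\x08\x00" or len(ip) < 20:
        return None                       # not an IPv4 Ethernet frame
    ihl = (ip[0] & 0x0F) * 4              # IP header length in bytes
    if ip[9] != 17 or len(ip) < ihl + 8:  # IP protocol 17 = UDP
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    bootp = ip[ihl + 8:]
    if not {sport, dport} <= {67, 68} or bootp[236:240] != b"\x63\x82\x53\x63":
        return None                       # wrong ports or no DHCP magic cookie
    info = {"eth_src": mac(frame[6:12]), "client_mac": mac(bootp[28:34]),
            "type": None, "hostname": None}
    opts, i = bootp[240:], 0
    while i + 1 < len(opts) and opts[i] != 255:   # 255 = end option
        if opts[i] == 0:                  # pad option has no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:        # DHCP message type
            info["type"] = DHCP_TYPES.get(value[0], str(value[0]))
        elif code == 12:                  # hostname the client announces
            info["hostname"] = value.decode("ascii", "replace")
        i += 2 + length
    return info

def sample_discover():
    """Constructed DHCPDISCOVER broadcast; every value here is made up."""
    src = bytes.fromhex("020000000001")   # locally administered MAC
    name = b"example-cpe"
    opts = b"\x35\x01\x01" + bytes([12, len(name)]) + name + b"\xff"
    bootp = (b"\x01\x01\x06\x00" + b"\x12\x34\x56\x78" + bytes(20) + src
             + bytes(10) + bytes(192) + b"\x63\x82\x53\x63" + opts)
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17,
                        0, bytes(4), b"\xff" * 4)  # checksum 0: not verified
    return b"\xff" * 6 + src + b"\x08\x00" + iphdr + udp

if __name__ == "__main__":
    print(parse_dhcp_frame(sample_discover()))
```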

tagit446
« Reply #4 on: December 01, 2017, 05:35:46 pm »
> You should be able to do a sniff from the cli via tcpdump.  You can then see from the sniff the mac of what is doing the dhcp discover.

Thank you for the suggestion and please excuse my ignorance but what is a cli and how do I use it?

> So you have your modem, which is really a modem and not some gateway directly connected to igb0?

I'm not sure I'm following here but the modem is a Bonded Pair DSL Modem/Router. I have one of its LAN ports connected directly to the WAN port of the pfSense box.

> It's possible you're seeing dhcp from your ISP's other clients - but you shouldn't.  Your modem/isp device should not be asking for dhcp on its lan side interface.. So it is odd that you would be seeing that.  Is it possible you got something else connected on the same L2 between your isp device and pfsense wan interface (igb0)?

Nope nothing else connected in between as described above.

I know this forum is just for pfSense but I'll dig out my laptop and plug that into the modem for access to its webGUI. It came from the ISP with 3 WAN interfaces. They had me bridge just one of the interfaces to get internet and it worked however they were unsure of what to do with the other 2 interfaces. I wonder if those other 2 interfaces have something to do with this issue so I'll take a screenshot of them and post here. May or may not help, not sure.

tagit446
« Reply #5 on: December 01, 2017, 06:37:17 pm »
As promised, here are some screenshots of the modem settings.

If you see something that should be changed please let me know.

The first pic is of the 3 interfaces. The ADSL is the one my ISP had me bridge.

Second pic is of the ADSL settings.

Third pic is of the VDSL settings.

Fourth pic is of the ETHWAN settings.

Fifth pic is of the LAN settings.
« Last Edit: December 01, 2017, 07:21:32 pm by tagit446 »

johnpoz
« Reply #6 on: December 02, 2017, 03:17:16 am »
There is server reason for the dhcp server to be running on your "modem"

tagit446
« Reply #7 on: December 02, 2017, 02:04:34 pm »
I tried "tcpdump -i igb0" in the "Execute Shell Command" and it didn't seem to do anything.

Did I use the wrong command?

johnpoz
« Reply #8 on: December 03, 2017, 05:20:59 am »
You're going to want to do that from actual cli or ssh.. not the gui interface..

NogBadTheBad
« Reply #9 on: December 03, 2017, 05:21:12 am »
> I tried "tcpdump -i igb0" in the "Execute Shell Command" and it didn't seem to do anything.
>
> Did I use the wrong command?

Try tcpdump -i pppoe0 from the cli as john mentioned

johnpoz
« Reply #10 on: December 03, 2017, 05:23:02 am »
He can sniff on his pppoe interface from the gui packet capture..  His point was he could not pick the naked interface..

tagit446
« Reply #11 on: December 03, 2017, 02:17:56 pm »
> You're going to want to do that from actual cli or ssh.. not the gui interface..

Sorry for sounding ignorant again but I have no idea what the actual cli or ssh is or how to access it if it is not the one in the pfsense webGUI.

Is the actual cli in windows or the pfsense box itself?

My profession is in automotive. I'm a certified advanced level master auto technician. I can fix just about any auto issue and fabricate just about anything but when it comes to pfsense and networking in general I still have a lot to learn, hence the ignorant questions. I have the aptitude to learn this, I just need the proper guidance.

Please be patient with me as I'll need a picture painted for me on this one I'm afraid.

I really need to know where this cli is and what command to execute and any other information that may be relevant.

Thanks

NogBadTheBad
« Reply #12 on: December 04, 2017, 02:49:35 am »
System -> Advanced -> Admin Access

Go to the Secure Shell section and tick Enable Secure Shell

If you're running Windows on the device you're trying to connect from, download putty.

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Run putty, click on ssh if it's not the default, pop in the ip address and click on open.

If you're running OS X there is an inbuilt ssh client: ssh userid@ip-address or hostname

Once you've connected to pfSense hit 8) Shell.
« Last Edit: December 04, 2017, 01:42:47 pm by NogBadTheBad »

johnpoz
« Reply #13 on: December 04, 2017, 03:15:26 am »
Not a bad question.. cli would be console.. Do you not have access to the console of pfsense?  If it's completely headless then yes, ssh in per nogbadthebad's instructions.

You will then press 8 at the menu to get to the command line and then run your tcpdump command on the interface, etc.

tagit446
« Reply #14 on: December 04, 2017, 01:53:04 pm »
Thank you both :)

I have it running in shell.. Lots of information pouring in.

How do I stop it and is it possible to save it?