@tom__w How exactly are you scanning? Here is the theory.
So say your pfSense network is 192.168.100.0/24 and your client is, say, 192.168.100.42. For example, you say "hey, scan 192.168.68.0/24". This traffic, since it is not on the 192.168.100 network, would be sent to pfSense, say looking for 192.168.68.100 as one of the IPs.
pfSense says, "well shoot, I don't have a 192.168.68 network attached to me, send it out my default gateway", which is your ISP. Your ISP may very well have devices on its network in this RFC 1918 space, 192.168.68.x, which could in turn answer, say, a ping.
So no, they are not your devices; they are some devices out on your ISP's network.
edit: an example of this. Somewhere in my ISP's network, 10.0.0.1 answers:
```text
C:\>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=39ms TTL=249
Reply from 10.0.0.1: bytes=32 time=36ms TTL=249
```
If I traceroute to it:
```text
C:\>tracert -d 10.0.0.1

Tracing route to 10.0.0.1 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  192.168.9.253
  2    11 ms    11 ms    10 ms  209.122.32.1
  3    18 ms    12 ms    11 ms  216.80.79.9
  4    37 ms    36 ms    38 ms  207.172.18.134
  5    36 ms    36 ms    38 ms  207.172.19.124
  6    36 ms    37 ms    53 ms  207.172.19.91
  7    38 ms    36 ms    41 ms  10.0.0.1
```
It is somewhere on my ISP's network, or my ISP's network is routing RFC 1918 outside their network when they shouldn't.
But it looks to be connected in their network somewhere; if I resolve the IPs in my trace:
```text
  1    <1 ms     1 ms     1 ms  sg4860.local.lan [192.168.9.253]
  2    12 ms    13 ms    19 ms  c3-0.rol-e6k1.nape.il.cable.rcn.net [209.122.32.1]
  3    11 ms    11 ms    11 ms  static.rcn.com [216.80.79.9]
  4    40 ms    36 ms    38 ms  hge0-0-0-7.core2.chgo.il.rcn.net [207.172.18.134]
  5    36 ms    35 ms    35 ms  hge0-0-0-4.core1.lnh.md.rcn.net [207.172.19.124]
  6    56 ms    36 ms    38 ms  hge0-0-0-0.core1.phdl.pa.rcn.net [207.172.19.91]
  7    59 ms    35 ms    38 ms  10.0.0.1
```
Looks like the device is some core router in the Philadelphia, PA location, or attached to it. It could very well be, say, a loopback address on this device. It is not uncommon to see RFC 1918 in a trace through your ISP's network when some device is set up to answer from a loopback, or even an actual interface IP in their network; nothing says an ISP can't use RFC 1918 space for transit networks inside their network.
I normally run this rule as an outbound floating rule to prevent such things. Just being a good netizen; there is little reason to send RFC 1918 out to my ISP.
[image: outboundrfc1918.jpg]
I had to disable it to find something out on my ISP that was RFC 1918 and answered.
edit2: hints that it is not on your network: if the response time is higher than just a few ms, it's probably not on your network ;) Also see the TTL of that ping above, it's 249; that isn't a local, or even 1-hop, sort of TTL. If you ping something local, the TTL should reflect that there were no hops to get there.
```text
Reply from 192.168.9.10: bytes=32 time=1ms TTL=64
```
Notice when I ping something on another network attached to pfSense:
```text
Reply from 192.168.3.32: bytes=32 time=2ms TTL=63
```
See how the TTL has been reduced by 1; this tells me there was 1 hop to get to that device.
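The reasoning in the post above, turned into a small script as an added example (this is not code from the post or from pfSense). It applies the two checks the post describes to ping reply lines: whether a destination is RFC 1918 space that matches none of the firewall's attached networks (so the firewall has no route for it and forwards it out the default gateway to the ISP), and what the reply TTL implies about the number of routers in the return path. The attached network list (192.168.9.0/24 and 192.168.3.0/24), the table of common initial TTLs, the "few ms" RTT threshold and the sample reply lines are all assumptions constructed here from the addresses the post uses.

```python
"""Classify ping replies: is the target RFC 1918 space with no attached
network (so it leaves via the default gateway), and how far away does the
reply TTL say it is? Added example, not from the original post."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: initial TTLs most stacks use (Linux/BSD 64, Windows 128,
# many routers and network gear 255). A reply TTL is read against the
# smallest of these that is not below it.
COMMON_INITIAL_TTLS = (64, 128, 255)

# Assumption: an RTT above this many ms is "higher than just a few ms".
LOCAL_RTT_THRESHOLD_MS = 5

# Assumption: the networks attached to the firewall in the post's examples.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("192.168.9.0/24", "192.168.3.0/24")]

# Windows "ping" reply line; "time<1ms" is printed for sub-millisecond RTTs.
PING_RE = re.compile(
    r"Reply from (\S+): bytes=\d+ time[=<](\d+)ms TTL=(\d+)")

# Constructed sample input, taken from the replies quoted in the post.
SAMPLE_REPLIES = [
    "Reply from 10.0.0.1: bytes=32 time=39ms TTL=249",
    "Reply from 192.168.9.10: bytes=32 time=1ms TTL=64",
    "Reply from 192.168.3.32: bytes=32 time=2ms TTL=63",
]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def would_leave_via_default_gateway(addr, local_nets=LOCAL_NETS):
    """True when addr is RFC 1918 but matches no attached network: the
    firewall has no more specific route, so the packet goes out the
    default gateway toward the ISP. Public addresses return False; they
    are supposed to go that way."""
    ip = ipaddress.ip_address(addr)
    return is_rfc1918(ip) and not any(ip in net for net in local_nets)


def estimate_hops(ttl):
    """Each router decrements TTL by one. Assume the replying host started
    at the smallest common initial TTL that is not below the observed value;
    the difference is the number of routers in the return path."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL {ttl} exceeds every common initial TTL")


def parse_reply(line):
    """Return (address, rtt_ms, ttl) from a Windows ping reply line."""
    m = PING_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ping reply line: {line!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def classify(line, local_nets=LOCAL_NETS):
    addr, rtt_ms, ttl = parse_reply(line)
    hops = estimate_hops(ttl)
    leaked = would_leave_via_default_gateway(addr, local_nets)
    if hops == 0:
        where = "same subnet as the pinging host (no router in the path)"
    elif leaked:
        where = (f"{hops} router(s) away and on no attached network: "
                 "reached through the default gateway, i.e. the ISP")
    else:
        where = f"{hops} router(s) away on an attached network"
    return {
        "addr": addr,
        "rtt_ms": rtt_ms,
        "ttl": ttl,
        "hops": hops,
        "leaked_to_isp": leaked,
        "rtt_suspicious": rtt_ms > LOCAL_RTT_THRESHOLD_MS,
        "where": where,
    }


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        r = classify(reply)
        print(f"{r['addr']:<14} ttl={r['ttl']:<3} rtt={r['rtt_ms']}ms "
              f"hops={r['hops']} leaked={r['leaked_to_isp']} -> {r['where']}")
```

For the 10.0.0.1 reply the script reports 6 routers in the return path from a TTL of 249 (255 minus 249), which matches the tracert above: hop 7 is the destination itself, with six routers in between. The two LAN replies come out as 0 and 1 hops, which is the TTL-64 versus TTL-63 difference the post points at.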