Netgate Discussion Forum

    Need help with Design

    General pfSense Questions (24 posts, 3 posters)
    • stephenw10 (Netgate Administrator)

      Exactly it only moves it somewhere else.

    • deanfourie

        Ok, sure but I don't understand why I am seeing traffic with External IPS on my WAN interface,

        This is NATed, I should only see 192.168.1.1 and 192.168.1.2?

        It's showing as a HOST on the WAN interface.

        [image: WAN.PNG]

        Thanks

    • stephenw10 (Netgate Administrator)

          Mmm, that's fun!

          That's a Huawei MAC address. I would expect that to be the 4G router's WAN interface?

          I would not expect to see that on the LAN side. Something buggy/poorly configured there.

          pfSense doesn't care though it will just block it.

          Steve

    • deanfourie @stephenw10

            @stephenw10 that's on pfSense WAN interface.

            I think something suspicious is going on tbh

    • stephenw10 (Netgate Administrator)

              Right it's on the internal side of the 4G router, where I would not expect to see the public IP.

    • deanfourie @stephenw10

                @stephenw10 exactly. Should I be worried?

    • stephenw10 (Netgate Administrator)

                  Not excessively because pfSense will just block it anyway. It implies that the 4G router is doing something it shouldn't. Hanlon's razor dictates it's probably just buggy firmware.

                  Steve

    • deanfourie @stephenw10

                    @stephenw10 but it's possible if the Huawei is compromised, then everything that is going through it is vulnerable to being intercepted?

                    Thus, why I don't like it being an upstream gateway rather than being in bridged mode: it's another node sitting on my WAN interface which I cannot intensively monitor.

    • bPsdTZpW @deanfourie

                      @deanfourie said in Need help with Design:

                      @stephenw10 but it's possible if the Huawei is compromised, then everything that is going through it is vulnerable to being intercepted?

                      Sure. And modified if it's plaintext (e.g., DNS responses). This is why I suggest using some form of secure DNS (e.g., DNS over TLS) and a VPN.

                      Thus, why I don't like it being an upstream gateway rather than being in bridged mode: it's another node sitting on my WAN interface which I cannot intensively monitor.

                      Agree. Alas many ISPs won't let you use bridged mode and/or require you to use their equipment.

    • deanfourie

                        This was pulled from my logs today.

                        Mar 3 09:17:33 arpwatch 94050 bogon 0.0.0.0 b4:ae:2b:2d:f0:a9
                        Mar 3 09:17:34 arpwatch 94050 bogon 0.0.0.0 b4:ae:2b:2d:f0:a9
                        Mar 3 09:17:35 arpwatch 94050 bogon 0.0.0.0 b4:ae:2b:2d:f0:a9

                        They are everywhere

                        Mar 3 14:17:34 arpwatch 94050 bogon 0.0.0.0 b4:ae:2b:2d:f0:a9
                        Mar 3 14:17:35 arpwatch 94050 bogon 0.0.0.0 b4:ae:2b:2d:f0:a9
                        Mar 3 14:18:00 sshguard 69810 Exiting on signal.

                        Mar 3 15:11:05 arpwatch 94050 bogon 0.0.0.0 78:24:af:36:1a:08
                        Mar 3 15:11:06 arpwatch 94050 bogon 0.0.0.0 78:24:af:36:1a:08
                        Mar 3 15:11:07 arpwatch 94050 bogon 0.0.0.0 78:24:af:36:1a:08
                        Mar 3 15:11:08 arpwatch 94050 bogon 0.0.0.0 78:24:af:36:1a:08

                        and the list goes on

                        Also, I cannot change the LAN subnet mask? What is up with this router? I've never seen that before.

    • deanfourie

                            Ok, so this is starting to look a little bit strange. In ntopng I have devices that are appearing as ghost hosts, and this moves around between devices. This is not a simple network misconfiguration on a basic /24 network.

                            Now I'm seeing that every time a host connects to the network, there is an ARP entry for that host's MAC address to IP 0.0.0.0. These constantly change between hosts.

                            This looks very suspect to me.

    • stephenw10 (Netgate Administrator)

                              Those are known MAC addresses though? Looks like hosts connecting and broadcasting for DHCP servers to me. Which would be totally normal.

    • deanfourie @stephenw10

                                @stephenw10 really, do they create ARP entries when broadcasting?

    • stephenw10 (Netgate Administrator)

                                  Not in the ARP table, but arpwatch does. There's an option to disable it if you don't want to see that:

                                      Disables reporting 0.0.0.0 changes, helpful in busy DHCP networks.

                                  Steve

    • deanfourie

                                    I'm still getting this and I honestly don't like it.

                                    Why am I getting any other hosts on my WAN interface? This interface consists of just pfSense @ 192.168.1.1 and my upstream gateway @ 192.168.1.2. Why am I seeing external IPs here? Also IPv6 addresses.

                                    This seems off to me. Also, it keeps appearing and disappearing.

                                    [image: wan1.PNG]

                                    Any ideas?

    • stephenw10 (Netgate Administrator)

                                      That's a v6 link-local address. I assume that is not your WAN MAC?

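Added example, not code from the thread or from Netgate: a small Python script that sorts arpwatch "bogon" lines of the kind quoted above into the 0.0.0.0 entries Steve attributes to DHCP discovery versus any other bogon, and labels addresses seen on the WAN segment the way the thread reasons about them (the two expected hosts, IPv6 link-local, or out of place). The log lines, the 10.9.9.9 entry and the expected-host set are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the pfSense syslog layout quoted in the thread; the
# 10.9.9.9 line is invented to show a bogon that is NOT DHCP-style noise.
SAMPLE_LOG = """\
Mar 3 09:17:33 arpwatch 94050 bogon 0.0.0.0 b4:ae:2b:2d:f0:a9
Mar 3 09:17:34 arpwatch 94050 bogon 0.0.0.0 b4:ae:2b:2d:f0:a9
Mar 3 14:18:00 sshguard 69810 Exiting on signal.
Mar 3 15:11:05 arpwatch 94050 bogon 0.0.0.0 78:24:af:36:1a:08
Mar 3 15:11:06 arpwatch 94050 bogon 10.9.9.9 78:24:af:36:1a:08
"""

# Matches arpwatch events that carry one IP and one MAC (bogon, new station).
ARPWATCH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) arpwatch \d+ "
    r"(?P<event>[a-z ]+?) (?P<ip>[0-9.]+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)

# The WAN segment as described in the thread: pfSense and the 4G router only (assumed).
WAN_NET = ipaddress.ip_network("192.168.1.0/24")
EXPECTED_WAN_HOSTS = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("192.168.1.2")}


def parse_arpwatch(log_text):
    """Return (event, ip, mac) tuples for arpwatch lines; other daemons' lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ARPWATCH_RE.match(line)
        if m:
            events.append((m.group("event"), m.group("ip"), m.group("mac").lower()))
    return events


def classify_bogons(events):
    """Split bogon events: sender IP 0.0.0.0 is what a client uses before it has a DHCP
    lease (and for ARP probes), so count that per MAC; any other bogon is worth a look."""
    dhcp_noise, suspicious = Counter(), []
    for event, ip, mac in events:
        if event != "bogon":
            continue
        if ip == "0.0.0.0":
            dhcp_noise[mac] += 1
        else:
            suspicious.append((ip, mac))
    return dhcp_noise, suspicious


def classify_wan_address(addr_str):
    """Label an address seen on the WAN segment: expected host, IPv6 link-local
    (fe80::/10, normal neighbour chatter), or something that should not be there."""
    addr = ipaddress.ip_address(addr_str)
    if addr in EXPECTED_WAN_HOSTS:
        return "expected"
    if addr.version == 6 and addr.is_link_local:
        return "ipv6-link-local"
    return "unexpected-local" if addr in WAN_NET else "unexpected-external"
```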
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.