Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Getting firewall hits from a APIPA IP address on my lan - how to locate the culprit?

    Scheduled Pinned Locked Moved
    Firewalling
    4
    5
    195
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      Wasabi6962
      last edited by

      Hello,

      I've been seeing a lot of messages like these lately:

      network log.png

      It looks like a machine somewhere on my LAN didn't get assigned an IP address by DHCP and is constantly hitting my router's DNS.

      My question is: how can I get that machine's MAC ID? It would help narrow which type of device needs attention. I.e. knowing if it's a Raspberry Pi or a cable box or a Dell laptop would help me zero in on the device.

      Thanks!

      V johnpozJ 2 Replies Last reply Reply Quote 0
      • V
        viragomann @Wasabi6962
        last edited by

        @Wasabi6962
        Sniff the traffic on the LAN with full level output, filtering for the IP in question.

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator @Wasabi6962
          last edited by

          @Wasabi6962 yeah sniff will show you its mac.

          Seems like really bad software to me... Lets say ok you hard coded the IP of your dns.. That is great, but why would the client even think it could talk to this dns server from a apipa address? And even if it did, what good would it do?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.03 | Lab VMs 2.7.2, 24.03

          1 Reply Last reply Reply Quote 0
          • M
            michmoor LAYER 8 Rebel Alliance
            last edited by

            Get the mac address.
            Search the switch forwarding table to figure out the port the mac lives on. Profit

            Firewall: NetGate,Palo Alto-VM,Juniper SRX
            Routing: Juniper, Arista, Cisco
            Switching: Juniper, Arista, Cisco
            Wireless: Unifi, Aruba IAP
            JNCIP,CCNP Enterprise

            1 Reply Last reply Reply Quote 0
            • W
              Wasabi6962
              last edited by Wasabi6962

              Thanks for the tips... it looks like it was a combination of things on an old Windows 10 Dell laptop that I had left running unattended for a couple weeks. Somehow something had crashed so hard I had to force a power cycle. I think the crash was triggered by a Windows update - when I restarted it went through the usual "please wait while we finish updating your machine because we don't know how to actually install software properly" reboot cycle.

              The clue was that something was trying to contact Teamviewer and I remembered I had that installed on that machine from an old job. More recently I installed Tailscale as an overlay network, and apparently it defaults to an APIPA address when it's not connected.

              21:10:02.592148 IP 169.254.71.22.61774 > 192.168.0.1.53: 7277+ A? master3.teamviewer.com. (40)
              21:10:03.596669 IP 169.254.71.22.61774 > 192.168.0.1.53: 7277+ A? master3.teamviewer.com. (40)
              21:10:05.610651 IP 169.254.71.22.61774 > 192.168.0.1.53: 7277+ A? master3.teamviewer.com. (40)

              Thanks again!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post