Netgate Discussion Forum

    Blocking constant hits from WAN port 67 to LAN 255.255.255.255 port 68

      genius

      Hi folks,

      Just converted from Smoothwall yesterday and I must say, after using smoothie for 5 years, I really like pfsense.  But I got an odd hit on my firewall and it's fast and furious.  It's a UDP hit nearly every few seconds from an IP address 96.177.57.1.  I know that UDP hits on port 67 are usually from DHCP servers but I only have one DHCP server on my LAN side, my pfsense DHCP server is disabled and the only other DHCP server is my cable modem on the WAN side.

      If it resolved to my Comcast modem, I'd let it thru but from what I can find, the IP doesn't resolve at all.

      What can I do?  Can I run an IPtable command and just drop the packet so I am not keeping my firewall so busy?

        clarknova

        Your subject doesn't make sense, since any packet to 255.255.255.255 is by definition a non-routed packet. pfsense may be receiving these packets on the WAN or the LAN interface, but it's not routing them. If it's logging them on the WAN then it is dropping them already, and there's not much you can do about it.

        It's probably your ISP's dhcp server responding to dhcp requests from other people on the network, which can be sent from 255.255.255.255. This is normal and you can safely ignore it.

        db

          Cry Havok

          Please search the forum. This is a DHCP request, you can expect to see those and the other threads contain plenty of detail.

            genius

            @Cry:

            Please search the forum. This is a DHCP request, you can expect to see those and the other threads contain plenty of detail.

            I love how people say STF as if that solves all our problems…

            Yea, I searched the forum and knew they were DHCP requests.  I wasn't asking if these were harmful.  The issue I had was I didn't recognize/trust the IP address that was sending the requests.  Had the DHCP requests come from my cable modem 192.168.100.1, my DHCP server 192.168.1.10 or even a Comcast IP address I never would have posted it.  I just didn't want my log cluttered with thousands of these:

            Apr 1 20:31:03 WAN 96.177.57.1:67 255.255.255.255:68 UDP
            Apr 1 20:31:05 WAN 96.177.57.1:67 255.255.255.255:68 UDP
            Apr 1 20:31:07 WAN 96.177.57.1:67 255.255.255.255:68 UDP
            Apr 1 20:31:08 WAN 96.177.57.1:67 255.255.255.255:68 UDP
            Apr 1 20:31:09 WAN 96.177.57.1:67 255.255.255.255:68 UDP
            Apr 1 20:31:13 WAN 96.177.57.1:67 255.255.255.255:68 UDP
            Apr 1 20:31:23 WAN 96.177.57.1:67 255.255.255.255:68 UDP
            Apr 1 20:31:23 WAN 96.177.57.1:67 255.255.255.255:68 UDP

            I just went ahead and opened the port, you're right, these are harmless.

              genius

              Oh yea–call this solved...

                clarknova

                
                ~# whois 96.177.57.1
                #
                # Query terms are ambiguous.  The query is assumed to be:
                #     "n 96.177.57.1"
                #
                # Use "?" to get help.
                #
                
                #
                # The following results may also be obtained via:
                # http://whois.arin.net/rest/nets;q=96.177.57.1?showDetails=true&showARIN=false
                #
                
                Comcast IP Services, L.L.C. DC-CDM-9 (NET-96-177-0-0-1) 96.177.0.0 - 96.177.255.255
                Comcast IP Services, L.L.C. CABLE-1 (NET-96-128-0-0-1) 96.128.0.0 - 96.191.255.255
                
                

                That address belongs to Comcast, whose network you are on, so pretty normal. Your modem is most likely in bridge mode, which is why that IP address does not match that of the modem.

                db

                  genius

                  Hey thanks for that!!!!! I used reverse DNS and it came up blank:S  I didn't think to just run a whois–thanks again!

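One way to triage the log entries quoted in this thread, added here as an example and not code from any poster or from pfSense: it counts repeated entries and checks whether each DHCP server broadcast (UDP 67 to 255.255.255.255:68) originates inside the Comcast range shown in the whois output. The function names, the labels and the last two sample lines are assumptions constructed for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the first three lines repeat entries quoted in the
# thread; the last two are invented (documentation addresses) for contrast.
SAMPLE_LOG = """\
Apr 1 20:31:03 WAN 96.177.57.1:67 255.255.255.255:68 UDP
Apr 1 20:31:05 WAN 96.177.57.1:67 255.255.255.255:68 UDP
Apr 1 20:31:07 WAN 96.177.57.1:67 255.255.255.255:68 UDP
Apr 1 20:31:09 WAN 192.0.2.44:67 255.255.255.255:68 UDP
Apr 1 20:31:10 WAN 198.51.100.7:51515 203.0.113.9:22 TCP
"""

# Range copied from the whois output in the thread (96.177.0.0 - 96.177.255.255).
ISP_RANGES = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("96.177.0.0"), ipaddress.ip_address("96.177.255.255")))

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<iface>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)$")

def classify(line):
    """Return (interface, source IP, label) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an address
        return None
    is_dhcp_server_broadcast = (
        m["proto"].upper() == "UDP" and m["sport"] == "67"
        and m["dport"] == "68" and m["dst"] == "255.255.255.255")
    if not is_dhcp_server_broadcast:
        label = "other"
    elif any(src in net for net in ISP_RANGES):
        label = "dhcp-broadcast-from-isp"
    else:
        label = "dhcp-broadcast-unknown-source"
    return (m["iface"], str(src), label)

def summarize(log_text):
    """Count log entries per (interface, source IP, label)."""
    return Counter(filter(None, map(classify, log_text.splitlines())))

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

A DHCP server broadcast from a source outside the expected range is the entry worth a closer look, since it can indicate a rogue DHCP server on the segment.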