Every second a new firewall LAN message
-
ICMP Hole punching is what you're seeing…
http://en.wikipedia.org/wiki/ICMP_hole_punchingThe traffic may or may not be nefarious in nature. I'd start checking devices to make sure they're not participating in a botnet.
-
this is a device
a4:93:4c:fd:ce:41
Yes I show a4:93:4c as cisco.. so you need it track down that device sending the pings to this 1.2.3.4 so you can figure out why its sending them
where exactly did you do the sniff? Is there another router between the sender and pfsense?
-
this is a device
a4:93:4c:fd:ce:41
Yes I show a4:93:4c as cisco.. so you need it track down that device sending the pings to this 1.2.3.4 so you can figure out why its sending them
where exactly did you do the sniff? Is there another router between the sender and pfsense?
It's the VMWare device that's sending the ICMP Packets out. You may have a compromised VM.
-
where do you see vm sending anything?
09:57:55.704554 a4:93:4c:fd:ce:41 > 00:50:56:88:78:f9
that is sending to a vm, but the sending mac is cisco
-
I must have read the packet trace wrong. Oops.
-
Dok - the OP stated their network is
"no our Lan is 192.1.1.0/24"
so I don't believe they are trying to actually use 100.64 space.. Or configured anything with an IP of 1.2.3.4
Seems odd seeing multiple source IPs from the same mac, so I would guess a router or AP downstream of where pfsense is seeing the traffic.
OP you need to track down what specific device that a4:93:4c:fd:ce:41 is, is traffic coming from something behind it? What is this device exactly?
-
Does pfSense have anything in its ARP cache for any of those CGN IPs?
Have you tried loading a box with nmap, putting it's interface IP in the CGN range and doing a scan? -
ok thanks for the help I have identified the cause. Gradually, the patch cord was removed and re- inserted until the duration inquiries have disappeared on the Main Switch. The result was that this is a Cisco device is our provider which is responsible for a private MPLS VPN tunnel. I now have the Provider sent the logs and note there to clarify that this is stopped.
Is it worth the private network in an RFC compliant convert? So we all Devices by
192.1.1.x / 24
in
192.168.1.x / 24
bring ?Does it then 192.1.2.x create sense due to broadcast and Performance for the server space? And if so, how and where this route I then in the PFSense. Is there a FAQ about?
I know VLANs are there also but the first are not a solution .
Many thanks for your help! :)
-
192.1 is not rfc19181 address space..
Why would they have been pinging 1.2.3.4?
-
192.1 is not rfc19181 address space..
Why would they have been pinging 1.2.3.4?
A lot of programmers wrote code that would attempt to ping the 1.0.0.0 /8 because the "knew it was not in use". Not any more. I forget the reasoning behind this. I think some of it is they wanted to use a public IP range internally and they figured it was safe, but now all /8s are in use. I remember reading a lot of these stories shortly after the 1.x block got handed out and some of the IPs like 1.1.1.1 were suddenly getting flooded with traffic from around thew world because of idiot programmers doing this sort of crap.
-
Does pfSense have anything in its ARP cache for any of those CGN IPs?
It wouldn't, they're sourced from the Cisco layer 3 switch's MAC address, so it's routing it from somewhere behind it. Checking the Cisco is the next place to track it down.
