Netgate Discussion Forum

    Many blocked IP from the same person?

      killmasta93

      Hi,
      I was wondering if it's normal to get so many blocked IPs from a private IP in 3 days?
      While my internal IP is 192.168.3.0/24

      See picture

      Thank you
      Clipboarder.2015.08.27-002.png

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

        mer

        10.141.5.1, isn't that in IPv4 private address space? Is that hitting your LAN or your WAN interface? If it's hitting WAN from the outside, then someone upstream of you is spewing out traffic with that as an address. If it's hitting your LAN, then someone inside is spewing that and your LAN rules are blocking it.

          cmb

          Depends on where it's coming from, what it is, and why it's being blocked. Maybe normal, maybe not.

            killmasta93

            Hi does this photo help? And spewing out traffic?

            Thank you

              Derelict LAYER 8 Netgate

              Hi does this photo help?

              Not really, no.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                johns

                Just curious, what program are you using to get those graphs?

                Thanks,

                  killmasta93

                  lol… well, that's awkward, forgot to add the photo,
                  and @johns
                  I'm using ELK. I will be posting a guide this afternoon.

                  Clipboarder.2015.08.28.png

                    firewalluser

                    What's your internet provider setup?

                    Those are DHCP ports https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol
                    So you could be behind another firewall issuing DHCP to you, or your ISP may be having problems. Very weird if it's WAN side like your pic suggests.

                    Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                    Asch Conformity, mainly the blind leading the blind.

                      killmasta93

                      Thanks for the reply, firewalluser. Well, my DHCP is handled by my Windows server, and on pfSense I have DHCP off. Here is my setup, see pic.

                      Thank you

                      Drawing2.jpg

                        firewalluser

                        Yeah, but it's your WAN interface on pfSense that's blocking those packets, so it's something upstream.

                        It might be how you have configured your static IP or how your ISP have their system working. Having worked for big companies listed on the stock markets in the past, never underestimate a cock-up on their part. Most people would be surprised at how they spin things; even the big IT names get hacked often but don't disclose all the time, even perhaps because they don't know or care.

                          killmasta93

                          hmmm.. well, at least it's blocking ;D so do you recommend to call my ISP?

                          Edit: I was reading up on this https://forum.pfsense.org/index.php?topic=40852.15
                          Seems like something of the ISP. I'll try to call to see what they say, or I'll just unlog that IP because it's flooding my ELK server :-[

                          Thank you

                            KOM

                            so do you recommend to call my ISP?

                            I wouldn't bother.  Your firewall is doing its job.

                              firewalluser

                              I'd check your end first, make sure your WAN connection is configured properly as per their instructions, as different ISPs have different ways of allocating a fixed IP to you, and then give them a call to ask. There's no harm done in asking; in fact you might even be able to glean some info from their support team, like whether they are competent or not, or maybe alert them to the fact they have a problem, which could be an indicator your ISP has been hacked. It's more common than you think.

                              Edit. I'd monitor it and see if it changes in any way. Whilst JohnPoz says below it's noise from the ISP, I guess some ISPs are better than others, as I don't see that from the ISPs I've dealt with here in the UK who allocate fixed IPs.

                                johnpoz LAYER 8 Global Moderator

                                It's noise from your ISP.. And the default rule of block private on WAN is logging it.. It's just DHCP noise.. yeah, you can see that from other users of your ISP, etc. If it was me I would just turn off logging of it - it's going to fill up your logs..

                                Want to see more noise? Look at all the ARPs you're seeing as well ;)

                                But you're saying you're seeing 50K packets? In what span of time? That box really wants to renew its IP.. Do you have public on your WAN? Or do you have a private IP?

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  killmasta93

                                  lolz, the past 4 days, crazy picture. But you know what's funny, my ISP modem somehow has 2 static IPs: one is the 181.xxx.xx.xx and I have another network which is 201.xx.xx.xx. Not sure how I got this. Well.. originally my 201.xxx.xx.xx I bought static, but when I started to put Windows server and pfSense I wanted to separate to do tests so I would not mess up my main network, so then I connected to port 2 on the ISP modem to the pfSense and got another IP. ;D

                                  Clipboarder.2015.08.28-003.png

                                    johnpoz LAYER 8 Global Moderator

                                    Port 2 on the modem? Not a modem then, it's a gateway. So do you have these publics on your pfSense WAN, or is pfSense private NATted behind your "modem"?

                                      killmasta93

                                      I think you are right, it's a gateway. The gateway that I have is a Technicolor. Here's a pic of the setup.

                                      Drawing2.jpg

                                        johnpoz LAYER 8 Global Moderator

                                        Still didn't really answer my question.. Does pfSense actually have a public on its interface, same with your Netgear DD-WRT, or are they on a NATted network from your ISP gateway??

                                        Go to pfSense interfaces..

                                        waninterface.png

                                          killmasta93

                                          Yep, it does. Also, by the way, I have been trying to block that IP but without the logs. I tried:
                                          Disable the checkbox "block RFC1918" on the WAN-config page.
                                          Create an alias containing 10.0.0.0/8, 172.16.0.0/12 and 192.198.0.0/16.
                                          Create on your WAN a new block-rule with as source any and as destination the previously created alias.

                                          But no luck  :(

                                          Clipboarder.2015.08.28-010.png
                                          Clipboarder.2015.08.28-009.png
                                          Clipboarder.2015.08.28-008.png
                                          Clipboarder.2015.08.28-006.png

                                            Derelict LAYER 8 Netgate

                                            Disable the checkbox "block RFC1918" on the WAN-config page.
                                            Create an alias containing 10.0.0.0/8, 172.16.0.0/12 and 192.198.0.0/16.
                                            Create on your WAN a new block-rule with as source any and as destination the previously created alias.

                                            That's because the traffic into your WAN is sourced from the address in question and destined for your WAN address.  You have pass source any dest RFC1918 so it's not going to match.

                                            What you want is to leave the block RFC1918 traffic enabled on WAN.

                                            If you don't want to see it logged, either put another block rule for the specific source IP address on WAN without logging (put it at the top) or turn off the logging for those block rules in Status > System Logs > Settings

                                            Chattanooga, Tennessee, USA
                                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                            Do Not Chat For Help! NO_WAN_EGRESS(TM)
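
The source-versus-destination point in the last reply, as an added example that is not part of the thread: a simplified first-match rule list in Python showing why a rule keyed on a private destination never matches this traffic, while a source-based rule does. The WAN address 203.0.113.10, the rule names and the logged default deny are assumptions of the model, and it does not reproduce where pfSense places its built-in rules relative to user rules.

```python
import ipaddress
from dataclasses import dataclass

# Standard RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

@dataclass
class Rule:
    name: str      # hypothetical label, for illustration only
    action: str
    src: list
    dst: list
    log: bool

def in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def evaluate(rules, src, dst):
    """First matching rule wins; anything unmatched falls to a default deny
    that is assumed here to log."""
    for r in rules:
        if in_nets(src, r.src) and in_nets(dst, r.dst):
            return r
    return Rule("default deny", "block", ANY, ANY, True)

# Constructed sample packet: the source seen in the thread, sent to a
# placeholder WAN address (203.0.113.10 is a documentation address).
SRC, WAN_IP = "10.141.5.1", "203.0.113.10"

dst_alias_rule = Rule("dst = private alias", "block", ANY, RFC1918, False)
block_private = Rule("block private sources", "block", RFC1918, ANY, True)
quiet_source = Rule("quiet block 10.141.5.1", "block",
                    [ipaddress.ip_network("10.141.5.1/32")], ANY, False)

def attempted():
    # Source-based block disabled, destination-based rule added instead.
    return evaluate([dst_alias_rule], SRC, WAN_IP)

def recommended():
    # Non-logging per-source rule ahead of the logging source-based block.
    return evaluate([quiet_source, block_private], SRC, WAN_IP)

if __name__ == "__main__":
    for label, hit in (("attempted", attempted()), ("recommended", recommended())):
        print(f"{label}: matched '{hit.name}', action={hit.action}, log={hit.log}")
```

In the attempted setup the packet is still dropped, but by the logging default deny rather than the new rule, which is why the log entries kept appearing.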
