Many blocked IP from the same person?
-
Hi,
I was wondering if its normal to get so many blocked IP from a private IP in 3 days?
while my Internal IP is 192.168.3.0/24See picture
Thank you
-
10.141.5.1, isn't that in IPV4 private address space? Is that hitting your LAN or your WAN interface? If it's hitting WAN from the outside, then someone upstream of you is spewing out traffic with that as an address. If it's hitting your LAN, then someone inside is spewing that and your LAN rules are blocking it.
-
depends on where it's coming from, what it is, and why it's being blocked. Maybe normal, maybe not.
-
Hi does this photo help? And spewing out traffic?
Thank you
-
Hi does this photo help?
Not really, no.
-
Just curios, what program are you using to get those graphs?
Thanks,
-
lol…well thats awkward forgot to add the photo,
and @johns
Im using ELK I will be posting a guide this afternoon
-
Whats your internet provider setup?
Those are DHCP ports https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol
So you could be behind another firewall issuing DHCP to you or your ISP maybe having problems. Very weird if its wan side like your pic suggests. -
thanks for the reply firewalluser, well my DHCP is handle by my windows server and on pfSense i have DHCP off. Here is my setup see pic
Thank you
-
Yeah but its your WAN interface on pfsense thats blocking those packets so its something upstream.
It might be how you have configured your static ip or how your isp have their system working. Having worked for big companies listed on the stock markets in the past, never under estimate a cock up on their part, most people would be surprised at how they spin things, even the big IT names get hacked often but dont disclose all the time even perhaps because they dont know or care.
-
hmmm.. well atleast its blocking ;D so do you recommend to call my lSP?
edit: i was reading up on this https://forum.pfsense.org/index.php?topic=40852.15
seems like something of the lSP I try to call to see what they say or ill just unlog that IP because its flooding my ELK server :-[Thank you
-
so do you recommend to call my lSP?
I wouldn't bother. Your firewall is doing its job.
-
I'd check your end first, make sure your wan connection is configured properly as per their instructions as different ISP have different ways of allocating a fixed ip to you and then give them a call to ask. Theres no harm done in asking in fact you might even be able to glean some info from their support team like whether they are competent or not or maybe alert them to the fact they have a problem which could be an indicator your ISP has been hacked. Its more common than you think.
Edit. I'd monitor it and see if it changes in any way. Whilst JohnPoz says below its noise from the ISP, I guess some ISP are better than others as I dont see that from the ISP's I've dealt with here in the UK who allocate fixed ip's.
-
its noise from your isp.. And the default rule of block private on wan is logging it.. Its just dhcp noise.. yeah you can see that from other users of your isp, etc. if was me I would just turn off logging of it - its going to fill up your logs..
Want to see more noise look at all the arps your seeing as well ;)
But your saying your seeing 50K packets? in what span of time? That box really wants to renew its ip.. Do you have public on your wan? or do you have a private IP?
-
lolz the past 4 days crazy picture. But you know whats funny my lSP modem somehow has 2 static IP one is the 181.xxx.xx.xx and I have another network which is 201.xx.xx.xx. not sure how i got this well..originally my 201.xxx.xx.xx I bought static but when I started to put windows server and pfSense I wanted to separate to do tests so i would not mess up my main network, so then i connected to port 2 on the lSP modem to the pfSense and got another IP. ;D
-
port 2 on the modem? Not a modem then its a gateway. So do you have these publics on your pfsense WAN or is pfsense private natted behind your "modem"
-
I think you are right its a gateway. The gateway that i have is a technicolor heres a pic of the setup
-
still didn't really answer my question.. Does pfsense actually have a public on its interface, same with your netgear dd-wrt or are they on a natted network from your isp gateway??
go to pfsense interfaces..
-
Yep it does, Also by the way i have been trying to block that IP but without the logs i tried
Disable the checkbox "block RFC1918" on the WAN-config page.
Create an alias containing 10.0.0.0/8, 172.16.0.0/12 and 192.198.0.0/16.
Create on your WAN a new block-rule with as source any and as destination the previously created alias.But no luck :(
-
Disable the checkbox "block RFC1918" on the WAN-config page.
Create an alias containing 10.0.0.0/8, 172.16.0.0/12 and 192.198.0.0/16.
Create on your WAN a new block-rule with as source any and as destination the previously created alias.That's because the traffic into your WAN is sourced from the address in question and destined for your WAN address. You have pass source any dest RFC1918 so it's not going to match.
What you want is to leave the block RFC1918 traffic enabled on WAN.
If you don't want to see it logged, either put another block rule for the specific source IP address on WAN without logging (put it at the top) or turn off the logging for those block rules in Status > System Logs > Settings
