Many blocked IP from the same person?
-
so do you recommend to call my lSP?
I wouldn't bother. Your firewall is doing its job.
-
I'd check your end first, make sure your wan connection is configured properly as per their instructions as different ISP have different ways of allocating a fixed ip to you and then give them a call to ask. Theres no harm done in asking in fact you might even be able to glean some info from their support team like whether they are competent or not or maybe alert them to the fact they have a problem which could be an indicator your ISP has been hacked. Its more common than you think.
Edit. I'd monitor it and see if it changes in any way. Whilst JohnPoz says below its noise from the ISP, I guess some ISP are better than others as I dont see that from the ISP's I've dealt with here in the UK who allocate fixed ip's.
-
its noise from your isp.. And the default rule of block private on wan is logging it.. Its just dhcp noise.. yeah you can see that from other users of your isp, etc. if was me I would just turn off logging of it - its going to fill up your logs..
Want to see more noise look at all the arps your seeing as well ;)
But your saying your seeing 50K packets? in what span of time? That box really wants to renew its ip.. Do you have public on your wan? or do you have a private IP?
-
lolz the past 4 days crazy picture. But you know whats funny my lSP modem somehow has 2 static IP one is the 181.xxx.xx.xx and I have another network which is 201.xx.xx.xx. not sure how i got this well..originally my 201.xxx.xx.xx I bought static but when I started to put windows server and pfSense I wanted to separate to do tests so i would not mess up my main network, so then i connected to port 2 on the lSP modem to the pfSense and got another IP. ;D
-
port 2 on the modem? Not a modem then its a gateway. So do you have these publics on your pfsense WAN or is pfsense private natted behind your "modem"
-
I think you are right its a gateway. The gateway that i have is a technicolor heres a pic of the setup
-
still didn't really answer my question.. Does pfsense actually have a public on its interface, same with your netgear dd-wrt or are they on a natted network from your isp gateway??
go to pfsense interfaces..
-
Yep it does, Also by the way i have been trying to block that IP but without the logs i tried
Disable the checkbox "block RFC1918" on the WAN-config page.
Create an alias containing 10.0.0.0/8, 172.16.0.0/12 and 192.198.0.0/16.
Create on your WAN a new block-rule with as source any and as destination the previously created alias.But no luck :(
-
Disable the checkbox "block RFC1918" on the WAN-config page.
Create an alias containing 10.0.0.0/8, 172.16.0.0/12 and 192.198.0.0/16.
Create on your WAN a new block-rule with as source any and as destination the previously created alias.That's because the traffic into your WAN is sourced from the address in question and destined for your WAN address. You have pass source any dest RFC1918 so it's not going to match.
What you want is to leave the block RFC1918 traffic enabled on WAN.
If you don't want to see it logged, either put another block rule for the specific source IP address on WAN without logging (put it at the top) or turn off the logging for those block rules in Status > System Logs > Settings
-
thanks silly me ;D
-
So who says its not your gateway sending out that traffic? What makes no sense is that 50K packets would come from the SAME ip.. Seems like a bug in the dhcp client.. That would not be a discover packet but a renew packet since its sourced from IP and not 0.0.0.0
I would take it coming from your gateway device. What is the mac of the packet.. Does it match up to what your gateway device is? Is your ddwrt device seeing these packets?
-
well i ran wireshark on both network. But nothing from that IP but I think your right the gateway is trying to renew its IP from the 181.xx.xxx because originally its not static maybe that could be the cause?
Also had to uncheck on settings logs the option of Log packets blocked by 'Block Private Networks' rules for it not to log that 10.141.5.1
Thank you
-
those are different source macs… Where did you sniff that at? pfsense wan? Are you seeing 50K of those packets again?
00:24:b2 is netgear.. hat is prob its lan with that 192.168.1.1
that other mac is
Hon Hai Precision Ind.Co.Ltd
Address
Taipei Hsien 236
TAIWAN, PROVINCE OF CHINA
Range
D0:27:88:00:00:00 - D0:27:88:FF:FF:FF
Type
IEEE MA-LWhich have no idea what that is..
-
yeah my bad i forgot to sniff the gateway from my lSP now i see the DHCP renewing but not the 50k packets. Im pretty sure my lSP is trying to renew my WAN of the 181.xx.xx.xx :(
Also whats curious is that my gateway is on bridge mode which in theory It should not give me DHCP when connecting though wifi to my lSP gateway?
Or am i Completely wrong?
-
Your isp doesn't renew anything A client when about 50 of its lease or when told to via dhcp options will attempt to renew.. This comes from the dhcp client.
Why are you showing what looks like public IP but then also 10.141.51.1 address? So is it getting renewed or is it sending every few seconds still?
-
so the public IP is the 201.xx.xx.xx im not sure why it shows 10.141.5.1 now heres the weird part So I can also connect though WIFI to the gateway and and shows something totally different. see Picture. Also the 10.141.5.1 I have it turned off the logging im sure its still blocking.
is this even possible to have this IP? Im just confused how I have internet when the gateway is on bridge mode and I am able to connect directly though WIFI.
-
that is a public IP with a very large mask /18 man that is big mask.. Yeah if ts bridge mode you would get IP from isp over wireless.. Normally you only get 1 IP.. It seems odd that you have 2 different IP blocks there you were seeing.
-
its very weird :o but on the bright side I got 2 static public IP ;D
Thanks again Johnpoz for all the help :)
-
You might find one is actually static for server hosting purposes like web & email, remote access/vpn etc, the other if in a different range is variable so you can surf the web with an element of privacy, at least thats what UK ISP's do anyway, but as I also discovered when ISP's hand out an IP block when ordering a single static ip, the ISP have in fact given all the ip's in the block. Whether your ISP have done this if its so large, only you can find out by setting up pfsense to accept incoming on the other ip's in that block, or they may have some other setup upstream to restrict you to one ip.
Have a poke a round if interested in finding out.
