Many blocked IP from the same person?

killmasta93

thanks silly me  ;D

johnpoz

So who says its not your gateway sending out that traffic?  What makes no sense is that 50K packets would come from the SAME ip.. Seems like a bug in the dhcp client.. That would not be a discover packet but a renew packet since its sourced from IP and not 0.0.0.0

I would take it coming from your gateway device. What is the mac of the packet..  Does it match up to what your gateway device is?  Is your ddwrt device seeing these packets?

killmasta93

well i ran wireshark on both network. But nothing from that IP but I think your right the gateway is trying to renew its IP from the 181.xx.xxx because originally its not static maybe that could be the cause?

Also had to uncheck on settings logs the option of Log packets blocked by 'Block Private Networks' rules for it not to log that 10.141.5.1

Thank you

johnpoz

those are different source macs… Where did you sniff that at?  pfsense wan?  Are you seeing 50K of those packets again?

00:24:b2 is netgear.. hat is prob its lan with that 192.168.1.1

that other mac is

Hon Hai Precision Ind.Co.Ltd
Address
    Taipei Hsien 236
    TAIWAN, PROVINCE OF CHINA
Range
    D0:27:88:00:00:00 - D0:27:88:FF:FF:FF
Type
    IEEE MA-L

Which have no idea what that is..

killmasta93

yeah my bad i forgot to sniff the gateway from my lSP now i see the DHCP renewing but not the 50k packets. Im pretty sure my lSP is trying to renew my WAN of the 181.xx.xx.xx  :(

Also whats curious is that my gateway is on bridge mode which in theory It should not give me DHCP when connecting though wifi to my lSP gateway?
Or am i Completely  wrong?

johnpoz

Your isp doesn't renew anything  A client when about 50 of its lease or when told to via dhcp options will attempt to renew.. This comes from the dhcp client.

Why are you showing what looks like public IP but then also 10.141.51.1 address?  So is it getting renewed or is it sending every few seconds still?

killmasta93

so the public IP is the 201.xx.xx.xx im not sure why it shows 10.141.5.1 now heres the weird part So I can also connect though WIFI to the gateway and and shows something totally different. see Picture. Also the 10.141.5.1 I have it turned off the logging im sure its still blocking.
is this even possible to have this IP? Im just confused how I have internet when the gateway is on bridge mode and I am able to connect directly though WIFI.

johnpoz

that is a public IP with a very large mask /18 man that is big mask.. Yeah if ts bridge mode you would get IP from isp over wireless..  Normally you only get 1 IP.. It seems odd that you have 2 different IP blocks there you were seeing.

killmasta93

its very weird  :o but on the bright side I got 2 static public IP  ;D

Thanks again Johnpoz for all the help  :)

firewalluser

You might find one is actually static for server hosting purposes like web & email, remote access/vpn etc, the other if in a different range is variable so you can surf the web with an element of privacy, at least thats what UK ISP's do anyway, but as I also discovered when ISP's hand out an IP block when ordering a single static ip, the ISP have in fact given all the ip's in the block. Whether your ISP have done this if its so large, only you can find out by setting up pfsense to accept incoming on the other ip's in that block, or they may have some other setup upstream to restrict you to one ip.

Have a poke a round if interested in finding out.