Firewall logs - is there a way to log the interface & MAC address ?
-
Firewall logs - is there a way to log the interface & MAC address ?
Is there a way to log the MAC address when a firewall rule blocks something or when the default firewall rule blocks something?
Example of why/how something like this could be used; lets say we have hundreds of IP address and more than two networks. And lets say we block all RFC 1918 (private IP address). Now in the logs, we get a log indicating that 192.168.56.56 was blocked when trying to talk to 172.16.22.22 however we are not supposed to have either IP address in or through our network. I see the log indicating something was blocked - however I have no idea of what MAC address is and thus can not find the actual device on my network it came from.
With a MAC address in the firewall logs, I can cross reverence the MAC address to the ARP table and then find the connected device where the problem came from.
North Idaho Tom Jones
-
If your saying you don't have these address space in your network.. how are you seeing this traffic.. If box 192.168.56.56 sent traffic to your pfsense as its gateway trying to get to 172.16.22.22 I would have to guess that pfsense had a IP setup in the 192.168.56.0/? network and this client was set to talk to that IP as its gateway.
Or are you you just seeing broadcast traffic for something that is misconfigured.
Can you post an example of this in your logs..
How I would track something like this down is sniff for this traffic that your seeing traffic to or from on the interface your seeing it from this will give you the mac.
I am not aware any reason a L3 router (pfsense) would/should log the layer 2 info of some traffic it blocked.
-
As far as I know PF doesn't even get the MAC address of an incoming packet, it gets stripped away because that information belongs to the "wrong layer".
-
pf doesn't look at layer 2 at all. Use arpwatch or something along those lines if you don't already have something that's logging MAC-IP associations.
-
If anybody has ever used a Cisco access-list - then you would know what I am talking about.
Let me try to explain it another way.
-#1 you have a NON-natting router (PfSense) - where you only have Live Internet IPS
-#1-A ) You have block all RFC-1918 traffic set
-#2 You have a LAN interface with let say 192.0.2.1/24
-#3 You have only two connected clients on the LAN ( one of them is 192.0.2.100 and the other is 192.0.2.200 )
-#3-A ) You know the ARP/MAC address of your two clients
-#4 you have a LAN log entry that indicated 192.168.0.22 is trying to talk to 172.16.10.10
-#4-A ) You know this blocked & logged packet came from one of your two clients
-#4-B ) You know from the log that a source packet of 192.168.0.22 came from one of the clients ( one of the ARPs/MAC-addresses )Without including the MAC address that sent the blocked/logged packet, you do not know which client routed this destination through their network to your network.
A Cisco router using access-lists will also log the MAC address of the directly connected device that passed the blocked/logged packet to you.
A PfSense router does not include MAC/ARP address in the logs the locally attached device on your network that routed the packet from them to you.So , how do you know which one of your two clients sent this packet to your router ?
Now that is only with two connected clients - imaging several hundred directly connected devices on your LAN. You know the MAC address & ARP & IP address of everything on you LAN. You have a hundreds or thousands of logs indicating blocked packets - however nothing in you log shows you the MAC/ARP of the device that tried to route an RFC-1918 packet through your PfSense router.
North Idaho Tom Jones
-
Without including the MAC address that sent the blocked/logged packet, you do not know which client routed this destination through their network to your network.
…
So , how do you know which one of your two clients sent this packet to your router ?
You can use the IP address that is logged. Trust on your network isn't assumed, it's enforced. Rogue devices should be locked down to guest VLANs.
-
Cisco ASAs don't log MAC addresses either. IOS can, but doesn't by default.
There is no way to get pf to log MACs. Use arpwatch or something like that to keep MAC<->IP associations, which you can correlate to your firewall logs' IPs.
-
@cmb:
Use arpwatch or something like that to keep MAC<->IP associations, which you can correlate to your firewall logs' IPs.
Didn't arpwatch used to be available as a package?
-
yes it did but was not included in 2.3
I do not show it in the pfsense repository of packages..
[2.3-RELEASE][root@pfSense.local.lan]/root: pkg search arp
arping-2.15_1 ARP level "ping" utility
choparp-20150613 Simple proxy arp daemon
pfSense-pkg-arping-1.2.2_1 pfSense package arping
[2.3-RELEASE][root@pfSense.local.lan]/root:But while it might not be a suggested or even good idea.. You can still install packages from the freebsd repository.
http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/arpwatch-2.1.a15_9.txz
There is link to arpwatch. If there is dependencies you could run into some problems. You could request that it get added to the pfsense repository. Or since the reason it wasn't moved over is there is no maintainer from the removed list..
https://doc.pfsense.org/index.php/2.3_Removed_Packages
arpwatch - no package maintainer, not convertedYou could always pick up the mantle and be the package maintainer ;)
-
Without the ability for PfSense to log the MAC address of the device the blocked packet came from on your LAN - it becomes almost impossible to locate many problem devices connected to your network.
Example:
My LAN has a LIVE IP address. I am blocking all RFC-1918 traffic.
Here is an example of my logs; May 9 11:56:09 LAN Block ULA networks from LAN block fc00::/7 (12000) 192.168.56.120:49424 98.138.47.184:443 TCP:FASo, how can I locate the device on my LAN that sent me the source packet from 192.168.56.120 ?
Cisco IOS access-lists with the log-input option will include the MAC address of the device on your LAN that sent you the routed packet - thus making it very easy to quickly locate the offending device.
Below is an example of a Cisco access-list log:
May 9 09:58:42.293: %SEC-6-IPACCESSLOGP: list 136 denied udp 169.254.60.130(137) (Vlan61 2047.47da.3717) -> 169.254.255.255(137), 4 packets
With this information, I know the connected device was my network had a MAC address of : 2047.47da.3717- In summary - I would almost say that a PfSense router could be under a DOS attack from somebody directly connected to your LAN network and you have no way to find out who it is because there is no MAC address in the log.
North Idaho Tom Jones
-
dude as already stated pfsense is a L3 router/firewall - why should it log them? your switch as a layer 2 device.. yeah ok it can log them..
If you need to know the mac of a device sending you traffic, it takes all of 2 seconds to sniff it. if you want something logging it for you then install arpwatch..
I just installed it.. big bang zoom its keeping a database and logging them..
if you want it back as package - either become the maintainer or post up a bounty for someone else to do it..
-
Re: dude as already stated pfsense is a L3 router/firewall
I have known the difference between a L3 and a L2 device since the early 1990s. I've configured and managed several thousands of them.
I am strictly talking about L3.
I do not know the arpwatch package - but by guessing at the name, I would assume it maintains a table of local IP address to local MAC address on a locally connected network (aka ARP).
There is no possible method to look or discover the ARP table - or MAC address of a device you do not manage which is connected several layer 3 levels in-front-of or behind your layer 3 router.What I am trying to say is; if a layer 3 device is connected several layer 3 hops away from the layer 3 router you manage and you block an RFC-1918 packet or block a specific IP address - and you do not have specific routes both to-and-from all layer 3 devices passing through the layer 3 router you manage, then all you know is the remote layer 3 source-IP-address (and ports&tcpudp) and the remote-layer-3-destination-IP-address (and ports&tcpudp). You never know the MAC or ARP address of the remote device not directly on your network.
PfSense does not log the local MAC address of the device directly connected on your network the packet came from.
However - A Cisco layer 3 router (with access-lists with log-input) will additionally log the MAC address of the directly connected layer 3 device on your network the problem packet came from (which may several layer 3 hops away).
So - as to my original question - am I missing something - or is there a way to log the MAC address of the locally connected layer 3 device on your network which is passing you packets from devices several hops away from the layer 3 router you manage (without installing a network sniffer or a span monitor) ?
North Idaho Tom Jones
-
as to sniffing there is NOTHING to install its right there, diagnostics packet capture. Or from cmd line tcpdump
Or just install arpwatch if you want a database of macs and IPs… Even when the IP is not on your local network IP range.. But sure you might only get the mac of the downstream router that sent you the packet.
"You never know the MAC or ARP address of the remote device not directly on your network."
No shit really??? You earn the captain obvious badge of the day ;) heheeheh
Here I turned on arpwatch on my wan interface by mistake yesterday for a few minutes... You can see all the foreign to my network on that interface that arpwatch reports on, it lists them as bogon because they are not in the network space of the interface its listening on.
You will notice that mac it gives matches up to my isp cable modem which is what I see my gateway mac as.. 2nd attachment is the arp table from pfsense.
edit: pretty slick, I installed ssmtp on pfsense and now I am getting emails from arpwatch.. Has the hostname, has the mac and even gives me the vendor, etc. See 3rd attached
