new pfSense install - immediate and numerous DoD (department of defense) "queries"? 255.255.255.255:68

ptt

Not necessarily "is from DoD"

maybe your "ISP" is (mistakenly) using that network segment in "his" network

johnpoz

You would be surprised how often that happens to be honest... Company says oh we never need to go to xyz network.. We will just use it internally.

Also could just be some idiot user of the isp on the same layer 2 as you causing it.. Clearly its not a valid IP unless your ISP is the dod ;)

Do a packet capture on your wan, and load it into wireshark and you can see some more details and what the MAC address is of who is sending it.. Can tell from that what brand of device.

xanadu

This post is deleted!

xanadu

ok ive captured some packets and opened them in wireshark
anything i should be looking for ?

xanadu

In the packet capture i notice Mac addresses with Arris and Cadant. Arris aquiried Cadant in like 2001 and they make cable modems and cable set top boxes.

ptt

http://www.dslreports.com/forum/r25679029-Why-is-my-first-hop-to-a-DoD-assigned-IP-address

http://www.dslreports.com/forum/r31748514-Connectivity-Why-is-comcast-xfinity-hosting-VoIP-servers-on-DOD-network

johnpoz

You have a cable modem I would take it... Yes arris and Cadant same and cable modem maker.

xanadu

@johnpoz I dont have an Arris or a Cadant but yes I have a cable modem.

So take off my tinfoil hat then ?

My ISP basically said GTFO and won't even look into the DoD requests.

johnpoz

And what is your cable modem brand.. The nic is made arris/cadant ;)

Your tinfoil hat should never had been on - there is a shit ton of noise on the net.. Figuring out what it is the interesting fun stuff..

Derelict

You cannot control what arrives on your WAN. That's why we run firewalls. All you can do is pass what you want and block the rest.

If you want to know why DHCP traffic from that address is out there you'll have to talk to your ISP.

pfSense is deny all traffic by default. If you put default deny rules in manually, expect to have to do things like manually pass IPsec too.

xanadu

Ok I feel better. Thanks for putting my head on straight.

A question though. With all wan traffic blocked... why do services like teamviewer still work ?

johnpoz

because teamview creates a tunnel to their servers..

kpa

https://en.wikipedia.org/wiki/UDP_hole_punching

johnpoz

@kpa

That is not the only way.. That will not work in the case of a proxy for example. I my home box all the time from work using it, and behind a proxy.. So it tunnels over tcp in that case.

It uses multiple methods none of which require the user to configure inbound port forwarding.