Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Firewall logs wan source ip 0.0.0.0 blocked

    Scheduled Pinned Locked Moved General pfSense Questions
    26 Posts 5 Posters 4.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      No idea. Probably some badly configured device somewhere or someone spoofing their IP. They are correctly blocked though.

      Steve

      1 Reply Last reply Reply Quote 0
      • emammadovE
        emammadov
        last edited by emammadov

        There is also another log entry in WAN Firewall Logs.

        Oct 21 16:37:54	WAN	192.168.3.80:49184	My Public IP:8080	TCP:RA
        Oct 21 16:37:54	WAN	192.168.3.80:49184	My Public IP:8080	TCP:FA
        Oct 21 16:37:54	WAN	192.168.3.80:49189	My Public IP:8080	TCP:RA
        Oct 21 16:37:54	WAN	192.168.3.80:49189	My Public IP:8080	TCP:FA
        

        I cliedk the red "X" button and it shows:

        The rule that triggered this action is:

        @61(12000) block drop in log quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"

        I dont't understand how private ip address can try to open pur port from outside our network.

        Both "Block private networks and loopback addresses" and "Block bogon networks" have been checked by default in WAN interface.

        Elvin

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Exactly. Private IP addresses should never be hitting the WAN interface if it has a public IP so there is a rule to drop that traffic.

          Potentially it could be from your modem or from some other device on your ISPs network. Though most ISPs should not do that these days.

          Steve

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            What is your pfsense WAN connected too? 192.168.x.x is rfc1918 - it will not route on the internet. So that is from the layer 2 network your pfsense wan is connected to either local or upstream via your isp. If your isp is routing that in side their network is another reason you could see such traffic. Or you router/modem/device your wan is plugged into go be using it?

            As to IP sourced as 0.0.0.0 you would see that in a dhcp discovery.. ICMP - do you have a vpn setup? that again is going to be from the same layer 2 your wan is connected to. Before APIPA devices use to assign that if they asked for dhcp and didn't get any, etc.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • emammadovE
              emammadov
              last edited by

              I think I have found. We have PBX at our head office. We have also branch office. I have NAT port forwarding rules 5060 UDP for PBX so that branch office can use PBX. And there is an employee with 192.168.3.80 ip address in branch office. I wander how that employee with "private ip address" can try to approach the port of head office, though there is no such port open. If he tries to check our oirt, then it should show brack office public ip, but it shows private ip address.

              Elvin

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                Seem more likely to be a coincidence. Unless you have a bad outbound NAT rule at the branch office maybe.
                Do you have anything running at port 8080 they would be trying to access?

                Steve

                1 Reply Last reply Reply Quote 0
                • emammadovE
                  emammadov
                  last edited by stephenw10

                  @johnpoz said in Firewall logs wan source ip 0.0.0.0 blocked:

                  do you have a vpn setup?

                  We have vpn running at our head office. I will ask both our ISP and branch office.

                  Elvin

                  1 Reply Last reply Reply Quote 0
                  • JKnottJ
                    JKnott @stephenw10
                    last edited by

                    @stephenw10 said in Firewall logs wan source ip 0.0.0.0 blocked:

                    0.0.0.0 should never be seen as a source IP

                    It's a valid source address, but only for a device requesting a DHCP address and then only until it learns the address. DHCP lease renewals should use the assigned address.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S
                      stephenw10 Netgate Administrator
                      last edited by

                      Ok I'll give you that. 😉

                      But not for ICMP hitting your WAN. But valid or not it is correctly being blocked in this context.

                      Steve

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz

                        Its possible other end of vpn tunnel is doing that?

                        Devices use to just use 0.0.0.0 if no dhcp and set for dhcp.. Before APIPA came into play. And the whole 169.254 link local stuff

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          Not sure how they would be hitting the WAN IP on the WAN interface if so. Unless there is some mis-connected layer 2 in there somewhere. Which might explain all that.

                          Steve

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            Yup!

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            1 Reply Last reply Reply Quote 0
                            • JKnottJ
                              JKnott
                              last edited by

                              @johnpoz said in Firewall logs wan source ip 0.0.0.0 blocked:

                              Devices use to just use 0.0.0.0 if no dhcp and set for dhcp.. Before APIPA came into play. And the whole 169.254 link local stuff

                              DHCP works the same as before. The only difference is the link local address is generated if DHCP fails, at least on Windows. On Linux, with the network manager, I have a separate connection configured for link local, as DHCP will just fail. I have no idea about Macs.

                              PfSense running on Qotom mini PC
                              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                              UniFi AC-Lite access point

                              I haven't lost my mind. It's around here...somewhere...

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                Agreed when did I say any different? My point was before APIPA then the device would of used 0.0.0.0 if it didn't get an address from dhcp vs the client using a 169.254 address

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • badgastB
                                  badgast
                                  last edited by

                                  A time ago I had the same issue, never found out what was causing it, but after a while it went away, never to be seen again... Sorry for a useless answer ;-)

                                  1 Reply Last reply Reply Quote 0
                                  • emammadovE
                                    emammadov
                                    last edited by

                                    I usually have this issue, haven't found what causing it yet.

                                    Elvin

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      What is the mac address of this 0.0.0.0 icmp packet?

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • emammadovE
                                        emammadov
                                        last edited by

                                        How can I find mac address of 0.0.0.0?

                                        Elvin

                                        1 Reply Last reply Reply Quote 0
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by johnpoz

                                          sniff/packet capture on your wan... Open the capture in wireshark.

                                          Or just run a tcpdump with -e should also show it.

                                          Looks like your seeing them every few seconds so you sniff should only need to be very short.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.