How do I find this device?
-
Hi all,
My Firewall Log is full of these blocked IPv6 messages:
How can I find the device on the LAN that is causing them?
TIA
Greg
-
Do you have Ubiquity equipment? If so, it appears to be the device discovery service from your Ubiquity equipment, which can be disabled. If not, it could be the link-local address on your cable modem.
You can also check the NDP table (Diagnostics -> NDP Table) to get the MAC address of the device, which should aid in tracking it down if you have a limited amount of devices. Also, once you have the MAC... if you have a managed switch, there should be some tools available that you can leverage to identify exactly which switch port the offending MAC address is connected to.
-
@marvosa said in How do I find this device?:
You can also check the NDP table (Diagnostics -> NDP Table) to get the MAC address of the device
Just look at those addresses. They're link local addresses, based on the MAC address. Just look for MAC addresses that look similar. Everything after fffe in the address is the same as the same bits in the MAC address.
-
@marvosa said in How do I find this device?:
Do you have Ubiquity equipment? If so, it appears to be the device discovery service from your Ubiquity equipment, which can be disabled. If not, it could be the link-local address on your cable modem.
Yes, I have one Ubiquity AP on the network and it does appear to be the device discovery service. Do not think it can be disabled as the AP is the only Ubiquity product and I use a Unifi Controller on my W10 PC whenever I want to make changes to the AP.
Thanks for your and @JKnott input as it was most helpful.
-
@gregeeh if you do not want this traffic filling up your logs, create a rule near the top on your LAN interface that has any as the source, UDP as the protocol, ff02::1 as the destination address and 10001 as the destination port. Set the rule to drop but not log.
Right now that traffic is hitting the firewall's default deny rule and that rule is logging the dropped packet. By inserting your own rule up higher in the chain, the packet is "handled" by your rules and thus never gets to the default deny rule (which is at the bottom of the rule chain).
-
@jknott said in How do I find this device?:
Everything after fffe in the address is the same as the same bits in the MAC address.
Not always true.. But from that looks like
https://aruljohn.com/mac/788A20
78:8A:20 Ubiquiti Networks Inc.You can depending on the OS and or device have it not use mac in creating the link local
for example my windows machine
Link-local IPv6 Address . . . . . : fe80::3020:bb96:34a5:921dNotice the missing fffe
-
@johnpoz said in How do I find this device?:
Notice the missing fffe
Every address in the list contained fffe, so they're MAC based. I am aware the link local address can be locally set. For example, pfSense uses fe80::1:1.
-
that is NOT locally set... My point is you should be more detailed with your info since they people clearly don't know - or they wouldn't be here asking in the first place.
And you told them to look at the last part of the mac vs the full thing showing them what maker of the device was, etc.
-
@johnpoz said in How do I find this device?:
My point is you should be more detailed with your info since they people clearly don't know - or they wouldn't be here asking in the first place.
Here is my post:
"Just look at those addresses. They're link local addresses, based on the MAC address. Just look for MAC addresses that look similar. Everything after fffe in the address is the same as the same bits in the MAC address."Given that every address listed included fffe, my comment was entirely accurate in that context. He was trying to find the source and I gave him a clue. I was not attempting to give a full tutorial on link local addresses.
-
@bmeeks said in How do I find this device?:
@gregeeh if you do not want this traffic filling up your logs, create a rule near the top on your LAN interface that has any as the source, UDP as the protocol, ff02::1 as the destination address and 10001 as the destination port. Set the rule to drop but not log.
Right now that traffic is hitting the firewall's default deny rule and that rule is logging the dropped packet. By inserting your own rule up higher in the chain, the packet is "handled" by your rules and thus never gets to the default deny rule (which is at the bottom of the rule chain).
Most helpful. Thank you.