Tracking Link local traffic source?
-
I've been reviewing the syslogs from my firewall and am seeing a lot of blocked link-local chatter but I'm not entirely sure how to track it down to a host.
here are some examples.
Dec 6 11:52:50 filterlog:
MDNS Discovery?
7,,,1000000105,bge0.4,match,block,in,6,0x00,0x00000,255,UDP,17,78,fe80::1a74:2eff:fede:3019,ff02::fb,5353,5353,78DHCPV6 query?
Dec 6 11:56:56 filterlog: 7,,,1000000105,bge0.2,match,block,in,6,0x00,0x00000,255,UDP,17,56,fe80::2ecc:44ff:fe6d:3765,ff02::1:2,546,547,56Windows service discovery?
Dec 6 12:01:49 filterlog: 7,,,1000000105,bge0.1,match,block,in,6,0x00,0xbbbb1,1,UDP,17,664,fe80::747f:c8cb:b06c:8bc2,ff02::c,63604,3702,664 -
Since it's a link local address, it has to be on the local network. I assume you're referring to the WAN side. If so, it's some device in your area, as link local addresses don't pass through routers. I see some of those have a destination address of ff02, which indicates the destination is local. ff02::1 is the all hosts address, which is the equivalent of IPv4 broadcast. So, those are just normal network traffic being sent to all devices. I wouldn't worry about it, as pfSense appears to be doing it's job.
-
Are those on sub interfaces?
bge0.2, bge0.4 and bge0.1
So I would assume are on your local side and not wan side?
If you want to track down which device on your network is sending it just sniff an look at the mac address.. You could prob turn off some of those on the devices that is sending it to lower the amount of noise on your network.. If you just don't want it logged that is easy enough to do with some rules that do not log, etc.
-
Wouldn't you see the devices mac addresses in the NDP Table ?
-
That is very true... Would for sure check there first before having to setup a sniff ;)