Weird Bogon activity on Realtek NIC
-
After a disconnection from my VPN I logged into the pfSense box to check what's going on and saw these in the logs:
@johnpoz Remember you've said "under what scenario would you have bogon addresses inside you network?" Well....apparently this Realtek NIC is acting weird LOL.
BTW, this Realtek interface has a static IPv4 and DHCP defined and working well.
-
Yes, but these are DHCP requests. 0.0.0.0 is actually a not yet assigned IP in this case.
-
@netblues What do you mean exactly? Why is this even happening and why only with the Realtek NIC?
-
No idea why, but protocol udp 68 is DHCP. And I presume you consider 0.0.0.0 as bogon.
Well, if coming from a WAN interface, yes it's bogus.
But on a LAN it's just MAC addresses asking for IPs (so technically not bogon).
Seems something is requesting DHCP.
-
@netblues The automatic bogon rule is defined by pfSense, so they consider it as such, not me.
There's no such MAC address like 0.0.0.0, but I guess that when the single PC that is currently using the Realtek NIC is coming up from a sleep or a shut down, then this happens. Weird...
-
Well, as I said, 0.0.0.0 is defined as bogus if you see packets from it.
However, during DHCP requests, 0.0.0.0 is used. See DHCP negotiation for more details.
-
@netblues Where do I see such negotiations?
-
On the log posted, you have requests from 0.0.0.0 addressed to udp port 67. This looks like a DHCP request.
https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol
-
@netblues Ok...So that's how a machine asks to lease an IP. So should I remove that bogon rule or would setting a static IP to that machine fix it?
-
Probably both will do, virtualisation (if any) could also be playing games with you.
-
@netblues How does it work eventually with the PC receiving an IP regardless of this rule? Maybe something else is causing that
-
Where is the DHCP server? On pf? Somewhere else?
-
@netblues Everything is on pfSense
-
Bogon should never be set on a LAN interface!! rfc1918 is an official part of bogon.. Even though pfSense pulls it out.
"Bogons are defined as Martians (private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598) and netblocks that have not been allocated to a regional internet registry (RIR) by the Internet Assigned Numbers Authority."
You using it on a LAN side interface is going to cause you grief!!
There is zero point using bogon on a LAN side interface..
-
Then the above description by pfSense is misleading...
@johnpoz said in Weird Bogon activity on Realtek NIC:
There is zero point using bogon on a lan side interface
But anyhow...I get your point
-
See my edit.. pfSense pulls it out of bogon, because they use their own other rfc1918 block table..
Here is the thing, if you're setting bogon on your LAN you're doing it WRONG!!! There is zero reason to set that, and clearly you have no clue to what it actually is or you wouldn't be setting it..
-
@johnpoz Well...the only scenario I could think of is a virus or malicious software sitting on the LAN and using bogon addresses LOL....Ok, I removed that rule. It should only be set on the WAN
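
To make the thread's conclusion concrete, here is an added example (not from any poster and not pfSense code) that triages "blocked by bogon rule" entries and separates ordinary DHCP client requests on a LAN from other bogon-sourced packets. The `Pkt` fields, the interface names, the address subset and the sample entries are all constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Pkt(NamedTuple):
    iface: str   # hypothetical interface role: "lan" or "wan"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Constructed subset of reserved IPv4 space, NOT pfSense's real bogon table.
# RFC 1918 is left out on purpose: the thread notes pfSense handles it separately.
BOGON_SUBSET = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "192.0.2.0/24", "198.18.0.0/15", "240.0.0.0/4")]

def is_bogon_source(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGON_SUBSET)

def is_dhcp_client_request(p: Pkt) -> bool:
    # A client with no lease yet sends from 0.0.0.0:68 to 255.255.255.255:67.
    return (p.proto == "udp" and p.src == "0.0.0.0" and p.sport == 68
            and p.dst == "255.255.255.255" and p.dport == 67)

def triage(p: Pkt) -> str:
    """Explain one 'blocked by bogon rule' log entry."""
    if not is_bogon_source(p.src):
        return "not-bogon"
    if p.iface == "lan" and is_dhcp_client_request(p):
        return "dhcp-client-request"   # normal LAN traffic caught by a misplaced rule
    return "bogon-source"              # expected to be dropped on WAN; on LAN, investigate

# Constructed sample entries (not taken from the poster's log).
SAMPLES = [
    Pkt("lan", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    Pkt("wan", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    Pkt("lan", "tcp", "240.0.0.9", 40000, "192.168.1.1", 443),
    Pkt("lan", "tcp", "192.168.1.50", 51000, "192.168.1.1", 443),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.iface} {p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}: {triage(p)}")
```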