I am seeing external IPs as source on my LAN interface
-
I am seeing a lot of entries on my LAN interface being blocked by default deny with an external address as the source.
My LAN interface is using 10.23.10.0/24. I installed Arpwatch yesterday and I am not seeing any of these addresses in my ARP table.
I just recently did a new install of 2.4.5p1 based on old config.xml on a VM.
-
Is your WAN 172.23.6.91? That's an RFC 1918 address, which means you're behind NAT. Also, you would never see any addresses in your ARP table, unless it's on a link that's directly connected to your WAN port. So, you'd see your ISP's router, but nothing beyond that.
-
That is all out of state traffic... You're going to have to give us more detail of how you have everything connected if you want help figuring out what you have borked up..
In a normal setup, no, it would not be possible for what you're seeing to happen..
-
@JKnott said in I am seeing external IPs as source on my LAN interface:
Is your WAN 172.23.6.91? That's an RFC 1918 address, which means you're behind NAT. Also, you would never see any addresses in your ARP table, unless it's on a link that's directly connected to your WAN port. So, you'd see your ISP's router, but nothing beyond that.
No, that isn't my WAN address. Mine is a Spectrum public IPv4.
This was all on my LAN interface. I had seen this yesterday and so I installed arpwatch to monitor the inside networks but not the WAN. It hasn't shown anything unexpected in its database.
What I have done currently is just reboot the Hyper-V host, pfSense VM, etc. and watch it.
If I see it again, I will probably reinstall the pfSense VM, because it had issues installing the packages for some reason.
-
@johnpoz said in I am seeing external IPs as source on my LAN interface:
That is all out of state traffic... You're going to have to give us more detail of how you have everything connected if you want help figuring out what you have borked up..
In a normal setup, no, it would not be possible for what you're seeing to happen..
I have a unique talent for borking things up.
-
This is not a pfSense problem.
Day before yesterday, I let Windows 10 update to the Feature Update 2004. I had Hyper-V installed on it and it "Enhanced" it by adding a new virtual network adapter, hence the 172.23.6.91 address.
I removed the Hyper-V role on the Windows 10 and will monitor.
-
@IsaacFL said in I am seeing external IPs as source on my LAN interface:
No, that isn't my WAN address. Mine is a Spectrum public ipv4.
Then what are those 172 addresses? Are we looking at your WAN or LAN interface? Either way, it doesn't seem to match what you're saying.
Maybe if you draw a sketch or something, we might have a clue about what you're talking about.
-
@JKnott said in I am seeing external IPs as source on my LAN interface:
@IsaacFL said in I am seeing external IPs as source on my LAN interface:
No, that isn't my WAN address. Mine is a Spectrum public ipv4.
Then what are those 172 addresses? Are we looking at your WAN or LAN interface? Either way, it doesn't seem to match what you're saying.
Maybe if you draw a sketch or something, we might have a clue about what you're talking about.
So my Windows machine shows that it has 2 interfaces, an Ethernet which is the actual used interface and an additional virtual vEthernet interface which I can't get rid of. The 172 addresses are on the Win10 vEthernet interface.
On sign on, it seems to set up 172.random.1/20 on the vEthernet. Currently, many reboots after the above, it is 172.29.112.1/20.
Sketch of my network.
It is basically a Hyper-V host with pfSense as a VM. 4 port NIC is dedicated to the pfSense, with 3 of the interfaces going to a switch. 4th interface goes directly to the cable modem.
This only shows the IPv4 as I don't think the IPv6 is involved.
The IPs of the pfSense are LAN 10.23.10.1/24, IOT 10.23.30.1/24, VIRT (internal to Hyper-V host) 10.23.64.1/24
The WAN interface is from Spectrum in the 72.132.XX.YY/19 subnet.
Since earlier, I did a clean install on the pfSense VM using the recover config from file. It still has the same type of traffic as I posted above.
I tried deleting the virtual interface but on reboot it comes back. I think it is a vestige of having Hyper-V installed at one time.
The virtual interface on the Win10 does show traffic going out the interface in the 10Mb/s range for a burst when I log on the task manager.
I did power off the Win10 machine for 15 minutes, then restarted. I noticed nothing in the logs until I signed in after boot up. So pretty confident it is the Win10 machine. Also the only other devices on the LAN are the Hyper-V host itself, and the mgmt. interfaces of the Netgear switch and the Cisco WAP.
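-
An added example, not part of any post in this thread: one way to triage blocked entries like the ones discussed is to compare each source with the subnet of the interface it arrived on and group the foreign private sources by /20, the prefix length the thread reports for the vEthernet adapter. The interface subnets are the ones given above; the sample records, the function names and the simplified (interface, source) record shape are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Interface subnets as given in the thread.
INTERFACE_NETS = {
    "LAN": ipaddress.ip_network("10.23.10.0/24"),
    "IOT": ipaddress.ip_network("10.23.30.0/24"),
    "VIRT": ipaddress.ip_network("10.23.64.0/24"),
}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of blocked entries as (interface, source); not real log output.
SAMPLE_BLOCKS = [
    ("LAN", "172.23.6.91"),
    ("LAN", "172.23.6.91"),
    ("LAN", "172.29.112.1"),
    ("LAN", "10.23.10.50"),
    ("LAN", "203.0.113.7"),   # documentation address standing in for a public source
]

def classify(iface, src):
    """Label a source address relative to the subnet of the interface it arrived on."""
    addr = ipaddress.ip_address(src)
    if addr in INTERFACE_NETS[iface]:
        return "on-subnet"
    if any(addr in net for net in RFC1918):
        return "rfc1918-foreign"   # private, but not this interface's subnet
    return "public"

def foreign_private_by_prefix(records, prefixlen=20):
    """Group foreign private sources by enclosing prefix (/20, as the thread reports)."""
    groups = defaultdict(set)
    for iface, src in records:
        if classify(iface, src) == "rfc1918-foreign":
            net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
            groups[(iface, str(net))].add(src)
    return {key: sorted(srcs) for key, srcs in groups.items()}

if __name__ == "__main__":
    for (iface, net), srcs in foreign_private_by_prefix(SAMPLE_BLOCKS).items():
        print(f"{iface}: foreign private sources in {net}: {', '.join(srcs)}")
```

Foreign private sources that cluster in one prefix and change prefix between reboots point at a multi-homed host on the segment rather than at routed traffic, which is what the thread concluded about the Win10 vEthernet adapter.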