Weird continuous icmp connection on pfSense
-
I've noticed a very strange and long-lasting icmp connection on my pfsense box (192.168.1.1)
pfTop: Up State 1-100/2218 (2459), View: default, Order: bytes PR DIR SRC DEST STATE AGE EXP PKTS BYTES icmp In 192.168.1.20:3075 192.168.1.1:3075 0:0 75:45:51 00:00:09 545104 45788736
Apparently a server in my network has established this connection for 75 days, which is weird since the uptime of the server is only 3 days.
I also don't recognize the port 3075 it is using.
Of course, I can just drop this state from the states table, but I'm curious as to what it is exactly.
-
@W5Ofwur1xtOmtk9ZBO
????
ICMP doesn't have connections. Each message stands alone. Also, it doesn't use ports, it uses message types.
-
@JKnott ok thank you. Then what does this state in pfTop mean?
-
@W5Ofwur1xtOmtk9ZBO
I don't know, I don't use pfTop.
-
pftop is just using the icmp ID as the port.. This is how it matches up return traffic to specific icmp IDs.. when you send a request, the reply will use the same ID..
-
I have deleted the state, but it just comes back (on the same port).
Then I restarted the other server and the state is gone. However, there is a new ICMP one but on a different port. This time it's 1228 instead of 3075
So you're saying that's normal?
-
What is that device at 192.168.1.20?
If you check the WAN you will see a similar old ICMP state that us pfSense pinging something to monitor the connection. I imagine that server is doing something similar.
Steve
-
@W5Ofwur1xtOmtk9ZBO said in Weird continuous icmp connection on pfSense:
. This time it's 1228 instead of 3075
Yeah because it changed the ID of the icmp request.. They are suppose to be random..
-
@johnpoz said in Weird continuous icmp connection on pfSense:
They are suppose to be random..
Unless it's Windows....fun the first time you see a ping fail from Windows because another Windows device has already opened that state.
-
Well even if random that "could" happen.. If you have enough devices on the network doing pings.. It would be random chance that they ping with the same ID to cause a problem at the firewall.
But that could be a bit a pain to track down ;) Failed ping - whats in the state table would prob be the very last place I would look ;)
-
Oh I've felt that pain!