Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Block private networks - something from cable-modem is blocked, but what is it?

    Firewalling
    5
    35
    1.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by

      Why would pfsense have any reason to talk to your modem on port 80?? No it wouldn't do that that.. A client behind sure..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      Bob.DigB 1 Reply Last reply Reply Quote 0
      • Bob.DigB
        Bob.Dig LAYER 8 @johnpoz
        last edited by Bob.Dig

        @johnpoz So I will do more logging on all LANs to find out where this comes from. I made a "matching" floating Rule on all those interfaces, hope it will work.

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz

          But still what doesn't make any sense is not seeing syn in your sniff.. If it went through pfsense, or even from pfsense you would see the syn..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          Bob.DigB 1 Reply Last reply Reply Quote 0
          • Bob.DigB
            Bob.Dig LAYER 8 @johnpoz
            last edited by Bob.Dig

            @johnpoz Was the second packet sniff in my life, I don't know stuff.
            What if this was a biproduct of my "box" being in bridgemode. I guess pfSense has to talk to that device somehow for dhcp and IPv6 other stuff anyway, not carrying what blocking rules I create... or not, again, I don't know stuff.

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz

              @Bob-Dig said in Block private networks - something from cable-modem is blocked, but what is it?:

              a4:ca:58

              Dude that is the mac of your modem from log on your modem, the last 3 numbers... But in your sniff shows a4:ca:46.. Did you change modems? Do you have a different modem?

              Since you don't see the syn, its possible that traffic is just noise from your ISP network. Some other users modem???

              Is your modem a Arris brand even?

              edit: None of that stuff would be to port 80 (http).. That sniff was syn,ack from 80 to source port - it is answer to a syn.. But looks like you didn't see the syn coming from or through your pfsense.. So it could be just some weird noise.. And the mac on the modem in your sniff doesn't even match what your saying your modem is showing in its logs. So why the syn,ack would be sent to your IP is very strange.. Someone with the same IP as you on the ISP network maybe.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              Bob.DigB 1 Reply Last reply Reply Quote 1
              • Bob.DigB
                Bob.Dig LAYER 8 @johnpoz
                last edited by Bob.Dig

                @johnpoz Dude, no I didn't change the modem. It is from a company called compal, as far as I know. It is branded by the ISP.

                Capture.PNG

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz

                  Then I don't think that has anything to do with your pfsense or your modem at all - and just random noise on your shitty isp network ;) The mac is not the mac of your modem from your modems log or your status page.. It might be 1 off liek 5f and 5e sort of thing on the ethernet interface.. And its not even the correct brand - the mac of the showing in your sniff form 100.1 is a Arris brand modem..

                  yeah its just NOISE on your isp network - and has nothing to do with your modem or your pfsense... Other than some device tried to send a syn,ack back to your IP.. That would explain why you not seeing the syn.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  Bob.DigB 1 Reply Last reply Reply Quote 1
                  • Bob.DigB
                    Bob.Dig LAYER 8 @johnpoz
                    last edited by

                    @johnpoz I think aris is used on the other side, whatever this is called.

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by johnpoz

                      Like I was saying before blocking rfc1918 produces noise in your logs ;) hehehe.. Even if you had those ports forwarded on pfsense - such traffic would not match any states so a syn,ack wouldn't go anywhere..

                      That is another place you could look - look in your state table do you see any states to 192.168.100.1?

                      If the syn would of come through your pfsense, or from something behind pfsense - you would of seen that in the sniff.. Modems don't just randomly send syn,acks from 80 to random ports ;) Somewhere in your ISP network some device with that mac and IP 192.168.100.1 which is a arris branded mac.. Saw a syn from something saying its IP was yours.. Somehow that got sent to your pfsense wan.. through your isp network.

                      Guess it could be some sort of attack or worm or something? Just randomly seeing if it could match up with some state table somewhere?? Not an attack of have ever heard of..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      Bob.DigB 1 Reply Last reply Reply Quote 1
                      • Bob.DigB
                        Bob.Dig LAYER 8 @johnpoz
                        last edited by

                        @johnpoz said in [Block private networks - something from

                        That is another place you could look - look in your state table do you see any states to 192.168.100.1?

                        I looked and it isn't in there.
                        But also this happened randomly and hours between in the first place, so I guess your explanation is the right one. Good night, mate. 😉

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          It is odd for sure ;) thanks for bringing it up - always fun to look at odd shit ;)

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                          1 Reply Last reply Reply Quote 1
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.