Block private networks - something from cable-modem is blocked, but what is it?
-
Why would pfsense have any reason to talk to your modem on port 80?? No it wouldn't do that that.. A client behind sure..
-
@johnpoz So I will do more logging on all LANs to find out where this comes from. I made a "matching" floating Rule on all those interfaces, hope it will work.
-
But still what doesn't make any sense is not seeing syn in your sniff.. If it went through pfsense, or even from pfsense you would see the syn..
-
@johnpoz Was the second packet sniff in my life, I don't know stuff.
What if this was a biproduct of my "box" being in bridgemode. I guess pfSense has to talk to that device somehow for dhcp and IPv6 other stuff anyway, not carrying what blocking rules I create... or not, again, I don't know stuff. -
@Bob-Dig said in Block private networks - something from cable-modem is blocked, but what is it?:
a4:ca:58
Dude that is the mac of your modem from log on your modem, the last 3 numbers... But in your sniff shows a4:ca:46.. Did you change modems? Do you have a different modem?
Since you don't see the syn, its possible that traffic is just noise from your ISP network. Some other users modem???
Is your modem a Arris brand even?
edit: None of that stuff would be to port 80 (http).. That sniff was syn,ack from 80 to source port - it is answer to a syn.. But looks like you didn't see the syn coming from or through your pfsense.. So it could be just some weird noise.. And the mac on the modem in your sniff doesn't even match what your saying your modem is showing in its logs. So why the syn,ack would be sent to your IP is very strange.. Someone with the same IP as you on the ISP network maybe.
-
@johnpoz Dude, no I didn't change the modem. It is from a company called compal, as far as I know. It is branded by the ISP.
-
Then I don't think that has anything to do with your pfsense or your modem at all - and just random noise on your shitty isp network ;) The mac is not the mac of your modem from your modems log or your status page.. It might be 1 off liek 5f and 5e sort of thing on the ethernet interface.. And its not even the correct brand - the mac of the showing in your sniff form 100.1 is a Arris brand modem..
yeah its just NOISE on your isp network - and has nothing to do with your modem or your pfsense... Other than some device tried to send a syn,ack back to your IP.. That would explain why you not seeing the syn.
-
@johnpoz I think aris is used on the other side, whatever this is called.
-
Like I was saying before blocking rfc1918 produces noise in your logs ;) hehehe.. Even if you had those ports forwarded on pfsense - such traffic would not match any states so a syn,ack wouldn't go anywhere..
That is another place you could look - look in your state table do you see any states to 192.168.100.1?
If the syn would of come through your pfsense, or from something behind pfsense - you would of seen that in the sniff.. Modems don't just randomly send syn,acks from 80 to random ports ;) Somewhere in your ISP network some device with that mac and IP 192.168.100.1 which is a arris branded mac.. Saw a syn from something saying its IP was yours.. Somehow that got sent to your pfsense wan.. through your isp network.
Guess it could be some sort of attack or worm or something? Just randomly seeing if it could match up with some state table somewhere?? Not an attack of have ever heard of..
-
@johnpoz said in [Block private networks - something from
That is another place you could look - look in your state table do you see any states to 192.168.100.1?
I looked and it isn't in there.
But also this happened randomly and hours between in the first place, so I guess your explanation is the right one. Good night, mate.
-
It is odd for sure ;) thanks for bringing it up - always fun to look at odd shit ;)