Netgate Discussion Forum

Firewall blocking unknown/unused IP and port

Firewalling
  • O
    Operations
    last edited by Dec 20, 2020, 7:13 PM

    I am using a couple of IP subnets but 172.16.16.0/24 is NOT one of them.

    I am seeing a lot of (every minute) firewall blocks in the logfile:

    LAN 172.16.16.16 (src) 255.255.255.255:62976 (des)

    As expected I am not able to ping or locate this IP.
    I have a vlan20 with IP range 172.16.20.0/24, which is not the same and also not the LAN IP range. Beyond that I have no clue what 172.16.16.16 is.

    Any ideas what this is?

    • M
      MikeV7896
      last edited by MikeV7896 Dec 21, 2020, 1:48 AM Dec 21, 2020, 1:48 AM

      Maybe something on your network with a hard-set IP address? Check the ARP table for the MAC address for that IP address, maybe that will help identify it... check the first three parts of the MAC address against this to hopefully get a manufacturer: https://www.wireshark.org/tools/oui-lookup.html

      The S in IOT stands for Security

      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Dec 21, 2020, 3:41 AM

        Do you have some cameras

        https://www.speedguide.net/port.php?port=62976
        D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP address

        I would do a sniff and get the MAC address of what is sending that traffic - that will help you track down what it is, especially if you have a smart switch so you can figure out which port it's connected to, or which AP if wireless.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • O
          Operations @johnpoz
          last edited by Operations Dec 21, 2020, 5:32 AM Dec 21, 2020, 5:32 AM

          @johnpoz said in Firewall blocking unknown/unused IP and port:

          Do you have some cameras

          https://www.speedguide.net/port.php?port=62976
          D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP address

          I would do a sniff and get the MAC address of what is sending that traffic - that will help you track down what it is, especially if you have a smart switch so you can figure out which port it's connected to, or which AP if wireless.

          I do have cameras in a separate VLAN, but no D-Link, and they all have static IPs.

          I will go and look for the MAC address. But what does 255.255.255.255 as a destination mean?

          • J
            johnpoz LAYER 8 Global Moderator @Operations
            last edited by johnpoz Dec 21, 2020, 6:02 AM Dec 21, 2020, 5:34 AM

            @operations

            255.255.255.255 is the broadcast address.

            As to your 172.16.16.16, that is quite possibly a default IP some device is using when it cannot get an IP for whatever reason, DHCP not working for example.

            Maybe you had a device reset and it's trying for DHCP and you don't have that set up or it's down, or a connectivity issue - and so the device is defaulting to an IP, and trying to find an IP via some other method, i.e. that port.. Is it UDP traffic? Many cameras use the same software even if from a different maker..

            Just sniffing on pfSense, via the Diagnostics menu, on the interface you're seeing the blocked traffic on would let you get the MAC. As stated, from the first 3 octets of the MAC you should be able to get the maker of the NIC/device, which might help you track it down.

            This is where a smart switch really comes in handy - so you can see which port the MAC address is on.. If an access point is plugged into that port, you will at least know that device is connected to a specific AP..

            In your packet capture - set the details to full.. Then from there you can find your MAC..

            example

            23:45:08.066739 b8:27:eb:31:70:ab > 00:08:a2:0c:e6:21, ethertype IPv4 (0x0800), length 90: (tos 0xb8, ttl 64, id 4368, offset 0, flags [DF], proto UDP (17), length 76)
                192.168.3.32.123 > 173.225.56.211.191: [udp sum ok] NTPv4, length 48
            

            that is my NTP server answering some NTP from the internet somewhere (I run an NTP server in the NTP pool), so that 192.168.3.32 has a MAC of b8:27:eb; if I look that up..

            https://maclookup.app/macaddress/B827EB

            you will see it's a Raspberry Pi..

            Looking on my switch I can see that mac is connected to port 16

            sg300-28#sho mac address-table address b8:27:eb:31:70:ab
            Flags: I - Internal usage VLAN
            Aging time is 300 sec
            
                Vlan          Mac Address         Port       Type    
            ------------ --------------------- ---------- ---------- 
                 3         b8:27:eb:31:70:ab      gi16     dynamic   
            
            sg300-28#
            

            And then if you follow good housekeeping and label your ports.. You would know exactly what is attached to that port without even having to trace the cable.

            sg300-28#sho int desc
            Port      Description
            -------   -----------
            gi1       Wan - Pfsense
            gi2       Empty
            gi3       pi-zero
            gi4       sg4680 lan
            gi5       sg4860 WLan and vlans
            gi6       sg4860 DMZ
            gi7       Uplink AV Cab
            gi8       roku uplink pfs igb5
            gi9       uap-ac-pro (hallway)
            gi10      i5-win interface 1
            gi11      uap-ac-lite (guestroom)
            gi12      n40l bottom
            gi13      Wan - Modem
            gi14      n40l top
            gi15      disabled
            gi16      pi3-ntp
            gi17      disabled
            gi18      roku vlan
            gi19      printer
            gi20      wlan - test
            gi21      disabled
            gi22      disabled
            gi23      disabled
            gi24      nas interface 2
            gi25      sg4860-igb4-transit
            gi26      nas interface 1
            gi27      casetahub
            gi28      I5-win interface 2
            

            I see that port 16 is my pi ntp box..

            That is if you have a smart switch that allows such things..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

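As an added example (not code from johnpoz's post or from pfSense itself), the two steps above, pull the source MAC for a given IP out of a full-detail capture and check its first three octets against an OUI table, can be scripted. The script below assumes tcpdump-style `-e -v` output as shown in the post; the capture text and the one-entry OUI table are constructed for the example, with 02:00:00:aa:bb:cc standing in for the unknown device's MAC.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample capture. The first two lines are the tcpdump output quoted in
# the post above (the NTP box). The last two lines are made up to look like the
# blocked broadcast traffic from the original question; 02:00:00:aa:bb:cc is a
# placeholder locally-administered MAC, not a real device.
SAMPLE_CAPTURE = """\
23:45:08.066739 b8:27:eb:31:70:ab > 00:08:a2:0c:e6:21, ethertype IPv4 (0x0800), length 90: (tos 0xb8, ttl 64, id 4368, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.3.32.123 > 173.225.56.211.191: [udp sum ok] NTPv4, length 48
23:46:01.000000 02:00:00:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 46)
    172.16.16.16.62976 > 255.255.255.255.62976: [udp sum ok] UDP, length 18
"""

# Tiny constructed excerpt of an OUI (first three octets) table. B8:27:EB is the
# prefix the post looked up; a real check uses the IEEE OUI list or a lookup site
# such as the Wireshark OUI tool or maclookup.app linked in the thread.
OUI_TABLE: Dict[str, str] = {
    "B8:27:EB": "Raspberry Pi Foundation",
}

# tcpdump -e -v prints the Ethernet header on one line and the IP header,
# indented, on the next line.
FRAME_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype IPv4"
)
IP_RE = re.compile(
    r"^\s+(?P<src_ip>\d+(?:\.\d+){3})\.(?P<src_port>\d+) > "
    r"(?P<dst_ip>\d+(?:\.\d+){3})\.(?P<dst_port>\d+):"
)


def parse_capture(text: str) -> List[Dict[str, str]]:
    """Pair each Ethernet header line with the IP line that follows it."""
    records: List[Dict[str, str]] = []
    pending: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = IP_RE.match(line)
        if m and pending is not None:
            pending.update(m.groupdict())
            records.append(pending)
            pending = None
    return records


def oui_vendor(mac: str) -> str:
    """Look up the vendor for the first three octets of a MAC address."""
    prefix = mac.upper()[:8]
    return OUI_TABLE.get(prefix, "unknown (not in table)")


def find_sender(text: str, ip: str) -> Optional[Tuple[str, str]]:
    """Return (source MAC, vendor) for the first frame whose IP source is `ip`."""
    for rec in parse_capture(text):
        if rec["src_ip"] == ip:
            return rec["src_mac"], oui_vendor(rec["src_mac"])
    return None


def broadcast_senders(text: str) -> List[Tuple[str, str, str]]:
    """List (src_ip, src_mac, dst_port) for frames sent to the L2 and L3 broadcast
    address, which is the shape of the log spam in the original question."""
    return [
        (r["src_ip"], r["src_mac"], r["dst_port"])
        for r in parse_capture(text)
        if r["dst_mac"] == "ff:ff:ff:ff:ff:ff" and r["dst_ip"] == "255.255.255.255"
    ]


if __name__ == "__main__":
    print(find_sender(SAMPLE_CAPTURE, "192.168.3.32"))
    print(find_sender(SAMPLE_CAPTURE, "172.16.16.16"))
    print(broadcast_senders(SAMPLE_CAPTURE))
```

Once the MAC is known, the switch's MAC address table (as in the `sho mac address-table` output above) gives the physical port, and an unknown OUI is itself a useful signal: a locally-administered or unregistered prefix often means a cheap or rebadged IoT board rather than a well-known vendor.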
            • O
              Operations @johnpoz
              last edited by Operations Dec 21, 2020, 9:12 AM Dec 21, 2020, 9:07 AM

              @johnpoz said in Firewall blocking unknown/unused IP and port:

              @operations

              255.255.255.255 is the broadcast address.

              As to your 172.16.16.16, that is quite possibly a default IP some device is using when it cannot get an IP for whatever reason, DHCP not working for example.

              Maybe you had a device reset and it's trying for DHCP and you don't have that set up or it's down, or a connectivity issue - and so the device is defaulting to an IP, and trying to find an IP via some other method, i.e. that port.. Is it UDP traffic? Many cameras use the same software even if from a different maker..

              Just sniffing on pfSense, via the Diagnostics menu, on the interface you're seeing the blocked traffic on would let you get the MAC. As stated, from the first 3 octets of the MAC you should be able to get the maker of the NIC/device, which might help you track it down.

              This is where a smart switch really comes in handy - so you can see which port the MAC address is on.. If an access point is plugged into that port, you will at least know that device is connected to a specific AP..

              In your packet capture - set the details to full.. Then from there you can find your MAC..

              That is if you have a smart switch that allows such things..

              I did follow the house rules and use Unifi switches :)

              Why would a device (even a legit one) be sending something to the broadcast address every minute?

              Yes, it is UDP. And now I am also seeing traffic blocked from 0.0.0.0:68 to 255.255.255.255:67 (UDP), which are the client and server ports for DHCP. But what is 0.0.0.0 and why to the broadcast address?

              • M
                MikeV7896 @Operations
                last edited by MikeV7896 Dec 21, 2020, 10:41 AM Dec 21, 2020, 10:34 AM

                If the device is attempting to get an IP address from DHCP, it doesn't have one (0.0.0.0) and it's sending traffic to broadcast (255.255.255.255) to find the DHCP server. This is the Discovery phase of the DHCP process.

                As far as why the broadcast traffic... if the device isn't able to get an address from DHCP, it is likely falling back to its own default address (172.16.16.16) and is sending broadcast packets to try and identify some kind of server or system that it would normally connect to or get an address from through a process other than DHCP (as mentioned by johnpoz). A security camera looking for its NVR is looking like a good possibility here.

                The S in IOT stands for Security

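The DHCP Discover described above can be decoded to show exactly why the firewall log reads 0.0.0.0:68 to 255.255.255.255:67, and that the message itself still identifies the sender. This is an added example, not code from MikeV7896's post or from pfSense: it builds a constructed DHCPDISCOVER (RFC 2131 layout, placeholder MAC 02:00:00:aa:bb:cc and hostname "cam-unknown") and parses it back, pulling out the zero client address, the broadcast flag, the client MAC carried in chaddr, and the optional hostname.

```python
import socket
import struct
from typing import Any, Dict

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}
# Fixed header from RFC 2131: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes.
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"


def build_discover(mac: str, xid: int, hostname: str = "") -> bytes:
    """Construct a DHCPDISCOVER the way a client with no lease sends it:
    ciaddr 0.0.0.0, broadcast flag set, its own MAC in chaddr. Sample data only."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    header = struct.pack(HEADER_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         zero4, zero4, zero4, zero4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, 1])             # option 53: message type = DISCOVER
    if hostname:
        h = hostname.encode("ascii")
        options += bytes([12, len(h)]) + h  # option 12: host name, handy for identification
    options += b"\xff"                      # end option
    return header + MAGIC_COOKIE + options


def is_dhcp(data: bytes) -> bool:
    """A DHCP payload is at least 240 bytes and carries the magic cookie at offset 236."""
    return len(data) >= 240 and data[236:240] == MAGIC_COOKIE


def parse_dhcp(data: bytes) -> Dict[str, Any]:
    """Decode the fields a defender cares about from a raw DHCP payload."""
    if not is_dhcp(data):
        raise ValueError("not a DHCP message (too short or missing magic cookie)")
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, _yiaddr, _siaddr, giaddr,
     chaddr, _sname, _file) = struct.unpack(HEADER_FMT, data[:236])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == 255:          # end
            break
        if code == 0:            # pad
            i += 1
            continue
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    mtype = options[53][0] if 53 in options else 0
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "ciaddr": socket.inet_ntoa(ciaddr),          # 0.0.0.0: client has no address yet
        "giaddr": socket.inet_ntoa(giaddr),          # non-zero only when a relay forwarded it
        "client_mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "message_type": MESSAGE_TYPES.get(mtype, f"type {mtype}"),
        "hostname": options.get(12, b"").decode("ascii", errors="replace"),
    }


def explain_flow(src_ip: str, src_port: int, dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Turn a firewall-log 4-tuple plus the UDP payload into a one-line identification."""
    msg = parse_dhcp(payload)
    if (src_ip, src_port, dst_ip, dst_port) == ("0.0.0.0", 68, "255.255.255.255", 67) \
            and msg["message_type"] == "DHCPDISCOVER":
        who = msg["client_mac"] + (f" ({msg['hostname']})" if msg["hostname"] else "")
        return f"DHCP discover from client {who}: no address yet, looking for any server"
    return f"{msg['message_type']} from {msg['client_mac']} with ciaddr {msg['ciaddr']}"


if __name__ == "__main__":
    pkt = build_discover("02:00:00:aa:bb:cc", 0x12345678, hostname="cam-unknown")
    print(parse_dhcp(pkt))
    print(explain_flow("0.0.0.0", 68, "255.255.255.255", 67, pkt))
```

The practical point for the thread: even though the IP source is 0.0.0.0, a full-detail capture of one of these Discover packets gives both the Ethernet source MAC and the chaddr field, and often a hostname or vendor class option as well, so the unknown device can be identified from the DHCP spam alone without waiting for the 62976 broadcasts.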
                • O
                  Operations @MikeV7896
                  last edited by Dec 21, 2020, 11:07 AM

                  @virgiliomi said in Firewall blocking unknown/unused IP and port:

                  If the device is attempting to get an IP address from DHCP, it doesn't have one (0.0.0.0) and it's sending traffic to broadcast (255.255.255.255) to find the DHCP server. This is the Discovery phase of the DHCP process.

                  As far as why the broadcast traffic... if the device isn't able to get an address from DHCP, it is likely falling back to its own default address (172.16.16.16) and is sending broadcast packets to try and identify some kind of server or system that it would normally connect to or get an address from through a process other than DHCP (as mentioned by johnpoz). A security camera looking for its NVR is looking like a good possibility here.

                  I have got 3 cameras and they all have a static IP address and are visible in my Blue Iris (camera software, so kind of like my NVR). And they are all working, plus I did not give them a gateway address to deny any unwanted "phoning home". I will change this to a FW block rule, but it has been working fine for weeks.

                  So it is pretty much impossible for one of the 3 cameras to have the 172.16.16.16 address. Which is also a strange default address (I have never seen this IP address being used as a default. But that doesn't mean it is not possible, of course).
                  Simply because they have a different address and are working fine.... right?

                  I will first try to find the device based on mac address later today.

                  • J
                    johnpoz LAYER 8 Global Moderator @Operations
                    last edited by johnpoz Dec 21, 2020, 12:32 PM Dec 21, 2020, 12:25 PM

                    @operations said in Firewall blocking unknown/unused IP and port:

                    0.0.0.0:68 to 255.255.255.255:67 (UDP).

                    Where is that blocked? As stated, that is a DHCP discover.. Hey, I want an IP!

                    Where are you blocking that at - pfSense, if you enable DHCP, auto-creates rules to allow DHCP. You cannot turn them off - so not having DHCP enabled would be the only way that would show up as blocked on pfSense.

                    As to it being a default.. There could be multiple devices using that as a default.. Here is one example

                    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/startup/nsg/sfos/concepts/Interfaces.html


                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    • O
                      Operations @johnpoz
                      last edited by Dec 21, 2020, 12:35 PM

                      @johnpoz said in Firewall blocking unknown/unused IP and port:

                      @operations said in Firewall blocking unknown/unused IP and port:

                      0.0.0.0:68 to 255.255.255.255:67 (UDP).

                      Where is that blocked? As stated, that is a DHCP discover.. Hey, I want an IP!

                      Where are you blocking that at - pfSense, if you enable DHCP, auto-creates rules to allow DHCP. You cannot turn them off - so not having DHCP enabled would be the only way that would show up as blocked on pfSense.

                      Correct, pfSense is not running as a DHCP server. I am using DHCP relay within pfSense so that my DHCP server can act as DHCP server within the VLANs.
                      (I have a Windows Server 2019 domain controller with a DHCP role)

                      "Where are you blocking that at" - I am not sure how to answer this question. Could you explain / elaborate what you are asking?

                      • J
                        johnpoz LAYER 8 Global Moderator @Operations
                        last edited by Dec 21, 2020, 12:36 PM

                        Where are you seeing it blocked? pfSense firewall log? If you are running pfSense as relay it would also create the hidden rules.

                        You sure relay is enabled?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        • O
                          Operations @johnpoz
                          last edited by Dec 21, 2020, 12:40 PM

                          @johnpoz said in Firewall blocking unknown/unused IP and port:

                          Where are you seeing it blocked? pfSense firewall log? If you are running pfSense as relay it would also create the hidden rules.

                          You sure relay is enabled?

                          Yes, pfSense firewall log (sorry, I could have guessed that).

                          Yes, I am 100% sure DHCP relay is turned on. Not on all the VLANs, but the only VLAN without DHCP relay has only got virtual machines with static IP addresses.

                          • J
                            johnpoz LAYER 8 Global Moderator @Operations
                            last edited by Dec 21, 2020, 12:42 PM

                            What interface are you seeing the block on? If relay is not enabled on that interface - then yes, it would be blocked if you're using relay.

                            Maybe that device is on a different VLAN than what you think it should be..

                            You need to track down the device via mac address.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            • O
                              Operations @johnpoz
                              last edited by Dec 21, 2020, 12:52 PM

                              @johnpoz said in Firewall blocking unknown/unused IP and port:

                              What interface are you seeing the block on? If relay is not enabled on that interface - then yes, it would be blocked if you're using relay.

                              Maybe that device is on a different VLAN than what you think it should be..

                              You need to track down the device via mac address.

                              LAN interface, which uses 192.168.100.0/24 (the DC is 192.168.100.210 and .211), so no DHCP relay is necessary.

                              • J
                                johnpoz LAYER 8 Global Moderator @Operations
                                last edited by Dec 21, 2020, 2:05 PM

                                Ok - but if you don't have relay or DHCP enabled on an interface, there will be no rules allowing DHCP or relay of DHCP.

                                So yes, if you are logging all default blocks - then you would see the DHCP discover blocked in the log, even if you have some other device on that same network answering DHCP.

                                It would just be log spam at this point.

                                You could set up a rule not to log that traffic if you wanted. But if you're seeing some 172.16.16.16 address spamming your log via some broadcast on some odd 63xxx port, I would track it down to see what is spewing that out and figure out why.. Before you just stop logging it..

                                Have you found the MAC address yet? It really should only take you 1 minute if you're seeing the traffic as much as you say you are.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.