Firewall blocking unknown/unused IP and port
-
Maybe something on your network with a hard-set IP address? Check the ARP table for the MAC address for that IP address, maybe that will help identify it... check the first three parts of the MAC address against this to hopefully get a manufacturer: https://www.wireshark.org/tools/oui-lookup.html
-
Do you have some cameras?
https://www.speedguide.net/port.php?port=62976
D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP address
I would do a sniff and get the mac address of what is sending that traffic - that will help you track down what it is, especially if you have a smart switch so you can figure out what port it's connected to or what AP if wireless.
-
@johnpoz said in Firewall blocking unknown/unused IP and port:
Do you have some cameras?
https://www.speedguide.net/port.php?port=62976
D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP address
I would do a sniff and get the mac address of what is sending that traffic - that will help you track down what it is, especially if you have a smart switch so you can figure out what port it's connected to or what AP if wireless.
I do have cameras in a separate vlan, but no Dlink and they all have static IPs.
I will go and look for the MAC address. But what does 255.255.255.255 as a destination mean?
-
255.255.255.255 is broadcast address.
As to your 172.16.16.16 that is quite possibly a default IP some device is using when it cannot get an IP for whatever reason, dhcp is not working for example.
Maybe you had a device reset and it's trying for dhcp and you don't have that setup or it's down, or connectivity issue - and so the device is defaulting to IP, and trying to find IP via some other method, ie that PORT.. Is it UDP traffic? Many cameras use the same software even if a different maker..
Just sniffing on pfsense, via the diagnostic menu on the interface you're seeing the blocked traffic on would let you get the mac. As stated from the first 3 numbers of the mac you should be able to get the maker of nic/device which might help you track it down.
This is where a smart switch really comes in handy - so you can see which port the mac address is on.. If access point is plugged into that port, you will at least know that device is connected to specific AP..
In your packet capture - set the details to full.. Then from there you can find your mac..
example
23:45:08.066739 b8:27:eb:31:70:ab > 00:08:a2:0c:e6:21, ethertype IPv4 (0x0800), length 90: (tos 0xb8, ttl 64, id 4368, offset 0, flags [DF], proto UDP (17), length 76) 192.168.3.32.123 > 173.225.56.211.191: [udp sum ok] NTPv4, length 48
that is my ntp server answering some ntp from internet somewhere (i run ntp server in ntp pool) so that 192.168.3.32 has a mac of b8:27:eb, if I look that up..
https://maclookup.app/macaddress/B827EB
You will see it's a raspberry pi..
Looking on my switch I can see that mac is connected to port 16
sg300-28#sho mac address-table address b8:27:eb:31:70:ab
Flags: I - Internal usage VLAN
Aging time is 300 sec
  Vlan   Mac Address           Port   Type
------------ --------------------- ---------- ----------
     3   b8:27:eb:31:70:ab     gi16   dynamic
sg300-28#
And then if you follow good housekeeping and label your ports.. You would know exactly what is attached to that port without even having to trace the cable.
sg300-28#sho int desc
Port    Description
------- -----------
gi1     Wan - Pfsense
gi2     Empty
gi3     pi-zero
gi4     sg4680 lan
gi5     sg4860 WLan and vlans
gi6     sg4860 DMZ
gi7     Uplink AV Cab
gi8     roku uplink pfs igb5
gi9     uap-ac-pro (hallway)
gi10    i5-win interface 1
gi11    uap-ac-lite (guestroom)
gi12    n40l bottom
gi13    Wan - Modem
gi14    n40l top
gi15    disabled
gi16    pi3-ntp
gi17    disabled
gi18    roku vlan
gi19    printer
gi20    wlan - test
gi21    disabled
gi22    disabled
gi23    disabled
gi24    nas interface 2
gi25    sg4860-igb4-transit
gi26    nas interface 1
gi27    casetahub
gi28    I5-win interface 2
I see that port 16 is my pi ntp box..
That is if you have a smart switch that allows such things..
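The post above walks through the whole procedure by hand: take a full-detail packet capture, read the source MAC off the frame, check its OUI, and then go find that MAC on the switch. The script below is an added example (it is not from the thread or from pfSense) that does the first part on capture text: it parses tcpdump-style lines, tags every frame sent to 255.255.255.255 as either a DHCP discover (0.0.0.0:68 to 255.255.255.255:67) or some other broadcast beacon, and groups them by source MAC with an OUI guess. The capture text is constructed: the NTP line is the one quoted above, the two broadcast lines and the MAC 00:11:22:33:44:55 are made up, and the OUI table holds only the Raspberry Pi prefix from the thread.

```python
import re

# Constructed sample in the pfSense "full detail" packet-capture (tcpdump -e -vv) style.
# Line 1 is the NTP frame quoted in the thread; lines 2-3 are made up to stand in for
# the unknown device (hypothetical MAC 00:11:22:33:44:55) beaconing and asking for DHCP.
SAMPLE_CAPTURE = """\
23:45:08.066739 b8:27:eb:31:70:ab > 00:08:a2:0c:e6:21, ethertype IPv4 (0x0800), length 90: (tos 0xb8, ttl 64, id 4368, offset 0, flags [DF], proto UDP (17), length 76) 192.168.3.32.123 > 173.225.56.211.191: [udp sum ok] NTPv4, length 48
23:45:09.100000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 46) 172.16.16.16.62976 > 255.255.255.255.62976: [udp sum ok] UDP, length 18
23:45:10.200000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
"""

# Frame header: "<ts> <src mac> > <dst mac>, ... proto X (n), ...) <src ip>.<sport> > <dst ip>.<dport>:"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),'
    r'.*?proto (?P<proto>\w+) \(\d+\).*?\)\s+'
    r'(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):'
)

# Constructed lookup table; its one entry is the Raspberry Pi prefix from the thread.
# A real lookup uses the IEEE registry, e.g. https://www.wireshark.org/tools/oui-lookup.html
OUI_TABLE = {'B827EB': 'Raspberry Pi Foundation'}


def parse_capture(text):
    """One dict per frame the regex recognises; lines that are not IPv4 are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append(m.groupdict())
    return flows


def oui(mac):
    """First three octets of a MAC, in the upper-case form vendor databases use."""
    return mac.replace(':', '').upper()[:6]


def vendor(mac):
    return OUI_TABLE.get(oui(mac), 'unknown OUI')


def classify(flow):
    if (flow['proto'] == 'UDP' and flow['src'] == '0.0.0.0'
            and flow['sport'] == '68' and flow['dport'] == '67'):
        return 'dhcp-discover'       # client with no lease asking for one
    if flow['dst'] == '255.255.255.255':
        return 'broadcast-beacon'    # something announcing itself or hunting for a peer
    return 'unicast'


def broadcast_senders(text):
    """Map each source MAC that sent to the limited broadcast address to the kinds
    of traffic seen, the source IPs it used and a vendor guess. That MAC is what
    you then look up in the switch's MAC address table or the AP's client list."""
    out = {}
    for flow in parse_capture(text):
        kind = classify(flow)
        if kind == 'unicast':
            continue
        entry = out.setdefault(flow['smac'], {'vendor': vendor(flow['smac']),
                                              'kinds': set(), 'src_ips': set()})
        entry['kinds'].add(kind)
        entry['src_ips'].add(flow['src'])
    return out


if __name__ == '__main__':
    for mac, info in broadcast_senders(SAMPLE_CAPTURE).items():
        print(mac, info)
```

Feed it the text of a pfSense packet capture taken with detail set to full; a device that shows up with both a discover and a 172.16.16.16 beacon under the same MAC is the one that could not get a lease and fell back to its default address.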
-
@johnpoz said in Firewall blocking unknown/unused IP and port:
255.255.255.255 is broadcast address.
As to your 172.16.16.16 that is quite possibly a default IP some device is using when it cannot get an IP for whatever reason, dhcp is not working for example.
Maybe you had a device reset and it's trying for dhcp and you don't have that setup or it's down, or connectivity issue - and so the device is defaulting to IP, and trying to find IP via some other method, ie that PORT.. Is it UDP traffic? Many cameras use the same software even if a different maker..
Just sniffing on pfsense, via the diagnostic menu on the interface you're seeing the blocked traffic on would let you get the mac. As stated from the first 3 numbers of the mac you should be able to get the maker of nic/device which might help you track it down.
This is where a smart switch really comes in handy - so you can see which port the mac address is on.. If access point is plugged into that port, you will at least know that device is connected to specific AP..
In your packet capture - set the details to full.. Then from there you can find your mac..
example
23:45:08.066739 b8:27:eb:31:70:ab > 00:08:a2:0c:e6:21, ethertype IPv4 (0x0800), length 90: (tos 0xb8, ttl 64, id 4368, offset 0, flags [DF], proto UDP (17), length 76) 192.168.3.32.123 > 173.225.56.211.191: [udp sum ok] NTPv4, length 48
that is my ntp server answering some ntp from internet somewhere (i run ntp server in ntp pool) so that 192.168.3.32 has a mac of b8:27:eb, if I look that up..
https://maclookup.app/macaddress/B827EB
You will see it's a raspberry pi..
Looking on my switch I can see that mac is connected to port 16
sg300-28#sho mac address-table address b8:27:eb:31:70:ab
Flags: I - Internal usage VLAN
Aging time is 300 sec
  Vlan   Mac Address           Port   Type
------------ --------------------- ---------- ----------
     3   b8:27:eb:31:70:ab     gi16   dynamic
sg300-28#
And then if you follow good housekeeping and label your ports.. You would know exactly what is attached to that port without even having to trace the cable.
sg300-28#sho int desc
Port    Description
------- -----------
gi1     Wan - Pfsense
gi2     Empty
gi3     pi-zero
gi4     sg4680 lan
gi5     sg4860 WLan and vlans
gi6     sg4860 DMZ
gi7     Uplink AV Cab
gi8     roku uplink pfs igb5
gi9     uap-ac-pro (hallway)
gi10    i5-win interface 1
gi11    uap-ac-lite (guestroom)
gi12    n40l bottom
gi13    Wan - Modem
gi14    n40l top
gi15    disabled
gi16    pi3-ntp
gi17    disabled
gi18    roku vlan
gi19    printer
gi20    wlan - test
gi21    disabled
gi22    disabled
gi23    disabled
gi24    nas interface 2
gi25    sg4860-igb4-transit
gi26    nas interface 1
gi27    casetahub
gi28    I5-win interface 2
I see that port 16 is my pi ntp box..
That is if you have a smart switch that allows such things..
I did follow the house rules and use Unifi switches :)
Why would a device (even a legit one) be sending something to the broadcast address every minute?
Yes it is UDP. And now I am also seeing traffic blocked from 0.0.0.0:68 to 255.255.255.255:67 (UDP), which are the client and server ports for DHCP. But what is 0.0.0.0 and why to the broadcast address?
-
If the device is attempting to get an IP address from DHCP, it doesn't have one (0.0.0.0) and it's sending traffic to broadcast (255.255.255.255) to find the DHCP server. This is the Discovery phase of the DHCP process.
As far as why the broadcast traffic... if the device isn't able to get an address from DHCP, it is likely falling back to its own default address (172.16.16.16) and is sending broadcast packets to try and identify some kind of server or system that it would normally connect to or get an address from through a process other than DHCP (as mentioned by johnpoz). A security camera looking for its NVR is looking like a good possibility here.
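To make the 0.0.0.0:68 to 255.255.255.255:67 log entry concrete, here is an added example (not from the thread, not pfSense code) that builds a minimal DHCPDISCOVER in the RFC 2131 wire layout, decodes the fields a firewall or relay cares about, and derives the src/dst tuple the filter log shows for it. The client MAC 00:11:22:33:44:55 and the transaction id are constructed values.

```python
import struct

DHCP_MAGIC = b'\x63\x82\x53\x63'           # cookie that starts the options area
DHCP_CLIENT_PORT, DHCP_SERVER_PORT = 68, 67
LIMITED_BROADCAST = '255.255.255.255'
MESSAGE_TYPES = {1: 'DHCPDISCOVER', 2: 'DHCPOFFER', 3: 'DHCPREQUEST',
                 5: 'DHCPACK', 6: 'DHCPNAK'}


def build_discover(mac: bytes, xid: int) -> bytes:
    """Minimal DHCPDISCOVER payload: 236-byte BOOTP header, magic cookie,
    option 53 = 1 (DISCOVER), option 255 (end)."""
    header = struct.pack(
        '!BBBBIHH4s4s4s4s16s64s128s',
        1,                     # op: BOOTREQUEST
        1,                     # htype: Ethernet
        6,                     # hlen: MAC length
        0,                     # hops (each relay increments this)
        xid,                   # transaction id chosen by the client
        0,                     # secs
        0x8000,                # flags: broadcast bit, "I cannot receive unicast yet"
        b'\0' * 4,             # ciaddr: the client has no address -> 0.0.0.0
        b'\0' * 4,             # yiaddr
        b'\0' * 4,             # siaddr
        b'\0' * 4,             # giaddr: zero when sent directly; a relay fills it in
        mac.ljust(16, b'\0'),  # chaddr: the client's MAC, the thing to hunt on the switch
        b'\0' * 64,            # sname
        b'\0' * 128,           # file
    )
    return header + DHCP_MAGIC + bytes([53, 1, 1, 255])


def _ip(raw: bytes) -> str:
    return '.'.join(str(b) for b in raw)


def parse_dhcp(payload: bytes) -> dict:
    """Decode the header fields plus the message-type option."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError('not a DHCP message')
    op, htype, hlen, hops, xid, secs, flags = struct.unpack('!BBBBIHH', payload[:12])
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:        # end option
            break
        if code == 0:          # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = options.get(53, b'\0')[0]
    return {
        'op': op, 'xid': xid, 'hops': hops,
        'broadcast_flag': bool(flags & 0x8000),
        'ciaddr': _ip(payload[12:16]),
        'giaddr': _ip(payload[24:28]),
        'chaddr': ':'.join(f'{b:02x}' for b in payload[28:28 + hlen]),
        'message_type': MESSAGE_TYPES.get(mtype, f'type {mtype}'),
    }


def firewall_view(payload: bytes):
    """(src_ip, src_port, dst_ip, dst_port) a filter log shows for a DISCOVER sent
    by the client itself: it has no address (ciaddr 0.0.0.0) and knows no server,
    so the datagram is 0.0.0.0:68 -> 255.255.255.255:67. Once a relay (pfSense
    DHCP Relay, for instance) picks it up, giaddr is set and the forwarded copy
    is unicast from the relay to the server, so it no longer looks like this."""
    msg = parse_dhcp(payload)
    if msg['op'] != 1 or msg['giaddr'] != '0.0.0.0':
        raise ValueError('only client-originated requests are broadcast like this')
    return (msg['ciaddr'], DHCP_CLIENT_PORT, LIMITED_BROADCAST, DHCP_SERVER_PORT)


if __name__ == '__main__':
    pkt = build_discover(bytes.fromhex('001122334455'), 0x3903F326)  # constructed MAC and xid
    print(parse_dhcp(pkt))
    print(firewall_view(pkt))
```

The practical point for the log reading: a discover broadcast is only ever answered on the interface it arrived on, so a firewall with neither a DHCP server nor a relay bound to that interface has no reason to pass it, and every retry from a client that never gets an offer lands in the block log.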
-
@virgiliomi said in Firewall blocking unknown/unused IP and port:
If the device is attempting to get an IP address from DHCP, it doesn't have one (0.0.0.0) and it's sending traffic to broadcast (255.255.255.255) to find the DHCP server. This is the Discovery phase of the DHCP process.
As far as why the broadcast traffic... if the device isn't able to get an address from DHCP, it is likely falling back to its own default address (172.16.16.16) and is sending broadcast packets to try and identify some kind of server or system that it would normally connect to or get an address from through a process other than DHCP (as mentioned by johnpoz). A security camera looking for its NVR is looking like a good possibility here.
I have got 3 cameras and they all have a static IP address and are visible in my Blue Iris (camera software, so kinda like my NVR). And they are all working, plus I did not give them a gateway address to deny any unwanted "phoning home". Will change this to FW block rule but it has been working fine for weeks.
So it is pretty much impossible for one of the 3 cameras to have the 172.16.16.16 address. Which is also a strange default address (I have never seen this IP address being used as a default. But that doesn't mean it is not possible of course).
Simply because they have a different address and are working fine.... right?
I will first try to find the device based on mac address later today.
-
@operations said in Firewall blocking unknown/unused IP and port:
0.0.0.0:68 to 255.255.255.255:67 (UDP).
Where is that blocked? As stated that is a dhcp discover.. Hey I want an IP!
Where are you blocking that at - pfsense if you enable dhcp auto creates rules to allow for dhcp.. So you cannot turn them off - so you don't have dhcp enabled would be the only way that would show up as blocked on pfsense.
As to it being default.. There could be multiple devices using that as default.. Here one example
https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/startup/nsg/sfos/concepts/Interfaces.html
-
@johnpoz said in Firewall blocking unknown/unused IP and port:
@operations said in Firewall blocking unknown/unused IP and port:
0.0.0.0:68 to 255.255.255.255:67 (UDP).
Where is that blocked? As stated that is a dhcp discover.. Hey I want an IP!
Where are you blocking that at - pfsense if you enable dhcp auto creates rules to allow for dhcp.. So you cannot turn them off - so you don't have dhcp enabled would be the only way that would show up as blocked on pfsense.
Correct, PFSense is not running as a DHCP server. I am using DHCP relay within PFSense so that my DHCP server can act as DHCP server within the vLANs.
(I have a Windows server 2019 domain controller with a DHCP role)
"Where are you blocking that at" I am not sure how to answer this question. Could you explain / elaborate what you are asking?
-
where are you seeing it blocked. Pfsense firewall log? If you are running pfsense as relay it would also create the hidden rules.
You sure relay is enabled?
-
@johnpoz said in Firewall blocking unknown/unused IP and port:
where are you seeing it blocked. Pfsense firewall log? If you are running pfsense as relay it would also create the hidden rules.
You sure relay is enabled?
Yes PFSense firewall log (sorry I could have guessed that).
Yes I am 100% sure DHCP relay is turned on. Not on all the vLANs, but the only vLAN without DHCP relay has only got virtual machines with static IP addresses.
-
What interface are you seeing the block on. If relay is not enabled on that interface - then yes it would be blocked if you're using relay.
Maybe you have that on a different vlan than what you think it should be..
You need to track down the device via mac address.
-
@johnpoz said in Firewall blocking unknown/unused IP and port:
What interface are you seeing the block on. If relay is not enabled on that interface - then yes it would be blocked if you're using relay.
Maybe you have that on a different vlan than what you think it should be..
You need to track down the device via mac address.
LAN interface, which uses 192.168.100.0/24 (DC is 192.168.100.210 and .211) So no DHCP relay necessary.
-
Ok - but if you don't have relay or dhcp enabled on an interface. There will be no rules for allowing dhcp/relay of dhcp.
So yes if you are logging all default blocks - then you would see discover of dhcp blocked in the log, even if you have some other device on that same network answering dhcp.
It would just be log spam at this point.
You could setup a rule not to log that traffic if you wanted. But if you're seeing some 172.16.16.16 address spamming your log via some broadcast on some odd 63xxx port I would track down to see what is spewing that out and figure out why.. Before you just not log it..
Have you found the mac address yet, it really should only take you 1 minute if you're seeing the traffic as much as you say you are.