• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Help with Firewall Log

Scheduled Pinned Locked Moved Firewalling
43 Posts 6 Posters 12.6k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • Q
    Qinn
    last edited by Aug 6, 2016, 9:33 AM Aug 6, 2016, 9:01 AM

    Hi see the following in the logging about every many times, what is it?

    Act Time         IF Source Destination
    X Aug 6 11:00 em0 0.0.0.0 255.255.255.255:4944
    X Aug 6 10:59 em0 0.0.0.0 255.255.255.255:4944
    X Aug 6 10:59 em0 0.0.0.0 255.255.255.255:4944
    X Aug 6 10:59 em0 0.0.0.0 255.255.255.255:4944
    X Aug 6 10:59 em0 0.0.0.0 255.255.255.255:4944

    Found https://forum.pfsense.org/index.php?topic=100896.msg562758#msg562758 so it's Bogon?

    btw em0  is the WAN and I use 2.3.2-RELEASE (i386) with pfBlockerNG 2.1.1_2w/DNSBL

    Thanks for any help,

    Cheers Qinn

    Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
    Firmware: Latest-stable-pfSense CE (amd64)
    Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

    1 Reply Last reply Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Aug 6, 2016, 1:20 PM

      4944 is not a registered port.  I can find no info on what application/service would send such traffic.

      Is it udp or tcp?  I would really sniff that traffic and open it up in wireshark to see.. 0.0.0.0 is listed in bogon.. But that doesn't mean it is, a client asking for dhcp would send from 0.0.0.0 etc..  But not to port 4944.

      If all your wanting to do is clear up your log you could set a rule to not log the traffic.  But I would be curious what it is so I wold setup packet capture under diag, and then download that file and either post it here or load it up your self in say wireshark..

      How much of it are you seeing?  Is your log just full of it, hundreds of packets a second, a minute, a day?  What?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      1 Reply Last reply Reply Quote 0
      • N
        Nullity
        last edited by Aug 6, 2016, 4:09 PM

        I am interested to see what a packet capture shows as well…

        Please correct any obvious misinformation in my posts.
        -Not a professional; an arrogant ignoramous.

        1 Reply Last reply Reply Quote 0
        • P
          Paint
          last edited by Aug 6, 2016, 4:25 PM

          Same. This issue looks odd.  Please capture the packets

          pfSense i5-4590
          940/880 mbit Fiber Internet from FiOS
          BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
          Netgear R8000 AP (DD-WRT)

          1 Reply Last reply Reply Quote 0
          • Q
            Qinn
            last edited by Aug 6, 2016, 6:19 PM Aug 6, 2016, 4:43 PM

            @johnpoz:

            4944 is not a registered port.  I can find no info on what application/service would send such traffic.

            Is it udp or tcp?  I would really sniff that traffic and open it up in wireshark to see.. 0.0.0.0 is listed in bogon.. But that doesn't mean it is, a client asking for dhcp would send from 0.0.0.0 etc..  But not to port 4944.

            If all your wanting to do is clear up your log you could set a rule to not log the traffic.  But I would be curious what it is so I wold setup packet capture under diag, and then download that file and either post it here or load it up your self in say wireshark..

            How much of it are you seeing?  Is your log just full of it, hundreds of packets a second, a minute, a day?  What?

            Thanks for you help ;)

            Status/System/LogsFirewall/Normal View

            Aug 6 18:40:32 em0 0.0.0.0:15217 255.255.255.255:4944 UDP
            Aug 6 18:40:22 em0 0.0.0.0:15154 255.255.255.255:4944 UDP
            Aug 6 18:40:12 em0 0.0.0.0:15100 255.255.255.255:4944 UDP
            Aug 6 18:40:02 em0 0.0.0.0:15055 255.255.255.255:4944 UDP
            Aug 6 18:39:52 em0 0.0.0.0:15019 255.255.255.255:4944 UDP
            Aug 6 18:39:42 em0 0.0.0.0:14992 255.255.255.255:4944 UDP

            There seems to be repetition every 00:00:10

            Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
            Firmware: Latest-stable-pfSense CE (amd64)
            Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

            1 Reply Last reply Reply Quote 0
            • P
              Paint
              last edited by Aug 6, 2016, 4:45 PM

              @Qinn:

              @johnpoz:

              4944 is not a registered port.  I can find no info on what application/service would send such traffic.

              Is it udp or tcp?  I would really sniff that traffic and open it up in wireshark to see.. 0.0.0.0 is listed in bogon.. But that doesn't mean it is, a client asking for dhcp would send from 0.0.0.0 etc..  But not to port 4944.

              If all your wanting to do is clear up your log you could set a rule to not log the traffic.  But I would be curious what it is so I wold setup packet capture under diag, and then download that file and either post it here or load it up your self in say wireshark..

              How much of it are you seeing?  Is your log just full of it, hundreds of packets a second, a minute, a day?  What?

              Thanks for you help ;)

              StatusSystem/LogsFirewall/Normal View

              Aug 6 18:40:35 WLAN 0.0.0.0 224.0.0.1 IGMP
              Aug 6 18:40:34 WLAN 0.0.0.0 224.0.0.1 IGMP
              Aug 6 18:40:32 em0 0.0.0.0:15217 255.255.255.255:4944 UDP
              Aug 6 18:40:22 em0 0.0.0.0:15154 255.255.255.255:4944 UDP
              Aug 6 18:40:12 em0 0.0.0.0:15100 255.255.255.255:4944 UDP
              Aug 6 18:40:02 em0 0.0.0.0:15055 255.255.255.255:4944 UDP
              Aug 6 18:39:52 em0 0.0.0.0:15019 255.255.255.255:4944 UDP
              Aug 6 18:39:42 em0 0.0.0.0:14992 255.255.255.255:4944 UDP

              Do you have DSL? Search on Google and the forums for. "igmp 4944"

              https://forum.pfsense.org/index.php?topic=92054.0

              pfSense i5-4590
              940/880 mbit Fiber Internet from FiOS
              BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
              Netgear R8000 AP (DD-WRT)

              1 Reply Last reply Reply Quote 0
              • Q
                Qinn
                last edited by Aug 6, 2016, 5:32 PM Aug 6, 2016, 5:02 PM

                @Paint:

                @Qinn:

                @johnpoz:

                4944 is not a registered port.  I can find no info on what application/service would send such traffic.

                Is it udp or tcp?  I would really sniff that traffic and open it up in wireshark to see.. 0.0.0.0 is listed in bogon.. But that doesn't mean it is, a client asking for dhcp would send from 0.0.0.0 etc..  But not to port 4944.

                If all your wanting to do is clear up your log you could set a rule to not log the traffic.  But I would be curious what it is so I wold setup packet capture under diag, and then download that file and either post it here or load it up your self in say wireshark..

                How much of it are you seeing?  Is your log just full of it, hundreds of packets a second, a minute, a day?  What?

                Thanks for you help ;)

                StatusSystem/LogsFirewall/Normal View

                Aug 6 18:40:35 WLAN 0.0.0.0 224.0.0.1 IGMP
                Aug 6 18:40:34 WLAN 0.0.0.0 224.0.0.1 IGMP
                Aug 6 18:40:32 em0 0.0.0.0:15217 255.255.255.255:4944 UDP
                Aug 6 18:40:22 em0 0.0.0.0:15154 255.255.255.255:4944 UDP
                Aug 6 18:40:12 em0 0.0.0.0:15100 255.255.255.255:4944 UDP
                Aug 6 18:40:02 em0 0.0.0.0:15055 255.255.255.255:4944 UDP
                Aug 6 18:39:52 em0 0.0.0.0:15019 255.255.255.255:4944 UDP
                Aug 6 18:39:42 em0 0.0.0.0:14992 255.255.255.255:4944 UDP

                Do you have DSL? Search on Google and the forums for. "igmp 4944"

                https://forum.pfsense.org/index.php?topic=92054.0

                Yes I have aDSL Thanks for you help ;)

                I did a capture (Diagnostics/Packet Capture) but it stays empty, I choose WAN as interface any-any and 0.0.0.0 for host => nothing even with and without Enable promiscuous mode still nothing, am I doing something wrong or should I move over to wireshark. Why is the log mentioning em0 and not WAN btw?

                Thanks to all that replied for your help !

                Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                Firmware: Latest-stable-pfSense CE (amd64)
                Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                1 Reply Last reply Reply Quote 0
                • Q
                  Qinn
                  last edited by Aug 6, 2016, 6:29 PM

                  https://forum.pfsense.org/index.php?topic=92054.0

                  Strange thing is I have Draytek Vigir 130 to. Mine is in PPPoA to PPPoE bridge mode so it's transperant.

                  Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                  Firmware: Latest-stable-pfSense CE (amd64)
                  Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                  1 Reply Last reply Reply Quote 0
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by Aug 6, 2016, 7:54 PM

                    Just capture on WAN with the port set to 4944. Leave the hosts as any.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • Q
                      Qinn
                      last edited by Aug 7, 2016, 8:34 AM Aug 7, 2016, 7:11 AM

                      @Derelict:

                      Just capture on WAN with the port set to 4944. Leave the hosts as any.

                      Only filled in the port and set the count to 1 waiting for over 10min still the capture is running, stopped it and the log file is empty? On the status/dashboard/firewall logs there are numerous counts of "em0 0.0.0.0  to 255.255.255.255:4944" (still don't understand why the log is mentioning em0 in stead of WAN).

                      I still wanna analyze this strange log in the firewall, but just out of curiosity I unchecked the logging of block bogon networks (status/system logs/settings), but it doesn't help they are still in the logs?

                      I tested a simple (so with default setting any-any) capture on the WAN and it's working fine, strangely but consistent, there are no captures on 0.0.0.0. in this file?

                      Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                      Firmware: Latest-stable-pfSense CE (amd64)
                      Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                      1 Reply Last reply Reply Quote 0
                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by Aug 7, 2016, 10:22 AM

                        wan is going to be assigned to an interface..  What are you interface assignments?  Can you post them.  Is your wan actually a vlan on top of em0?

                        Use tcpdump directly with -i em0 and port udp 4944..  If you see the traffic then you can write it to a file and we can open it in wireshark.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • Q
                          Qinn
                          last edited by Aug 7, 2016, 2:56 PM Aug 7, 2016, 2:27 PM

                          @johnpoz:

                          wan is going to be assigned to an interface..  What are you interface assignments?  Can you post them.  Is your wan actually a vlan on top of em0?

                          Use tcpdump directly with -i em0 and port udp 4944..  If you see the traffic then you can write it to a file and we can open it in wireshark.

                          NIC1 = em0 = WAN
                          NIC2 = em1 = LAN
                          on em1 I have assigned 2 VLAN's

                          tcpdump -> wireshark thanks for pointing that one out to me!

                          So I did a

                          tcpdump -c  10 -w /tmp/port.4944.debug.txt -i em0 'port 4944'

                          than I looked at it with wireshark. To my limited knowledge it seems it originates from the the PPPoA to PPPoE bridge (Draytek Vigor 130) which is between WAN(em0) and ISP as this ISP uses PPPoA and as far as I know this cannot be done by pfSense. I though this bridge should be transparent? I would like to know our opinion  insights, thanks for having a look in advance.

                          Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                          Firmware: Latest-stable-pfSense CE (amd64)
                          Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                          1 Reply Last reply Reply Quote 0
                          • J
                            johnpoz LAYER 8 Global Moderator
                            last edited by Aug 7, 2016, 2:50 PM

                            So did you go into your daytek and

                            UNmarking "Broadcast DSL status to LAN" under ->System Maintenance->Management

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            1 Reply Last reply Reply Quote 0
                            • Q
                              Qinn
                              last edited by Aug 7, 2016, 2:55 PM

                              @johnpoz:

                              So did you go into your daytek and

                              UNmarking "Broadcast DSL status to LAN" under ->System Maintenance->Management

                              I will take a look at it and report back soon, at this time it is not possible to power it down. Not to be on hasty side, but I thought a Draytek Vigor 130 set into PPPoA to PPPoE and as so bridging between ISP and WAN was totally transparent.

                              btw if you have taken a look I remove the file as there's a mac address in there you can't be to carefull ;)

                              Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                              Firmware: Latest-stable-pfSense CE (amd64)
                              Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                              1 Reply Last reply Reply Quote 0
                              • J
                                johnpoz LAYER 8 Global Moderator
                                last edited by Aug 7, 2016, 2:56 PM

                                why would you have to power it down?

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • Q
                                  Qinn
                                  last edited by Aug 7, 2016, 3:14 PM

                                  As I said settings it to bridge mode between PPPoA and PPPoe, to the best of my knowledge it has no IP (that's why I said it was transparent) so I don't know how to login on it, is there a way? The moment I disconnect it from the Internet it get's an IP (static).

                                  Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                                  Firmware: Latest-stable-pfSense CE (amd64)
                                  Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by Aug 7, 2016, 3:17 PM

                                    well my cable modem is "transparent" ie pfsense gets a public IP..  And I can still access the cable modem via 192.168.100.1 - I would assume daytek would have the same sort of default IP for management even when in "bridge" mode.

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    1 Reply Last reply Reply Quote 0
                                    • Q
                                      Qinn
                                      last edited by Aug 7, 2016, 3:32 PM

                                      http://just.draytek.com/index.php?option=com_k2&view=item&id=5617&Itemid=293&lang=en From what the specs say it seems that it could send DSl info (you are wright, still not checked it in the hardware though  ;) ), although I never checked this option and as I know not how to access it, I am still mandatory to power it down and connect it to my LAN as I don't know how to set an IP as It is on on the WAN side?

                                      Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                                      Firmware: Latest-stable-pfSense CE (amd64)
                                      Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                                      1 Reply Last reply Reply Quote 0
                                      • J
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by Aug 7, 2016, 3:39 PM

                                        well the IP by default is 192.168.1.1 I think - this might be the IP even when in bridge mode.

                                        What IP you using on pfsense lan side?

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        1 Reply Last reply Reply Quote 0
                                        • Q
                                          Qinn
                                          last edited by Aug 7, 2016, 3:47 PM

                                          192.168.1.1 so they are the same I can change it, but I still don't understand that there can be a IP thats in the LAN range set on the WAN side  ???

                                          Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                                          Firmware: Latest-stable-pfSense CE (amd64)
                                          Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                                          1 Reply Last reply Reply Quote 0
                                          20 out of 43
                                          • First post
                                            20/43
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received