Outbound traffic from LAN sourced from unknown external public IP address
-
I am seeing traffic originating from my LAN coming from an unknown public IP address and destined for known IP addresses on my LAN. This doesn't seem right to me. The example below is off of my LAN interface, em1. Can someone help me understand this? Could this be something on my LAN spoofing connections to internal servers?
Feb 6 10:34:00 filterlog: 87,16777216,,1000004765,em1,match,pass,out,4,0x0,,113,19058,0,DF,6,tcp,52,199.202.216.106,192.168.1.5,56152,56555,0,S,352846900,,8192,,mss;nop;wscale;nop;nop;sackOK
-
I am seeing traffic originating from my LAN coming from an unknown public IP address
Why do you think so?
The log says, the packet goes out em1.
This traffic would be permitted by a floating rule.
-
em1 is my LAN interface. Why is any address other than a LAN address leaving my LAN? Also, why is a non-LAN address leaving my LAN and going to an address that actually exists on my LAN. My LAN net is 192.168.1.x. I would not expect to see any other address leaving my LAN, especially not a public IP that does not exist behind my firewall.
-
I just noticed that these events appear to be torrent connections based on the port. I still don't understand the logic though.
-
Why is any address other than a LAN address leaving my LAN? Also, why is a non-LAN address leaving my LAN and going to an address that actually exists on my LAN.
I guess the reason is, that it is allowed by rules.
Now, what's about your floating rules? Have you any floating rules?
Have you activated UPnP?
Check Status > System Logs > Firewall for this entry. pfSense will show the appropriate firewall rule there.
-
1000004765 <– That's the rule that passed it:
Diagnostics > Command Prompt, Execute grep 1000004765 /tmp/rules.debug
-
Ok. I'm an idiot. I never thought about actually looking at the rule instead of trying to make sense out of the log. Thanks. Man, I hate when I overlook something that simple. Now to figure out what this rule is doing.
-
Ok. So, that actually doesn't help answer my question. I was not so much concerned about whether or not it was blocked. I can see that from the logs. It was blocked as it should have been. My question was why would I see, on my LAN interface, source addresses that are external? It appears as though these source addresses are behind my LAN, which they are not. Should I ever see an external NET address as a source from my LAN interface outbound? That is what I see from the sample event I posted. Please tell me if I am misinterpreting.
In other words, I would expect every log from my LAN interface OUTBOUND, whether it is blocked or passed, to be sourced with a LAN address and not an external address.
-
Because that is logged in the OUTBOUND direction, from the perspective of LAN (em1). So things that are OUTBOUND on LAN would have a source from somewhere other than LAN.
-
I had just figured that out and was coming back to close this out and I saw your post. Yes, out is out of the pfSense box and into the LAN and in is into the pfSense box and out to the world. It makes sense now.
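The direction semantics the thread settles on (on the LAN interface, "out" is the firewall delivering a packet to a LAN host, "in" is a LAN host sending into the firewall) are easy to misread in a raw filterlog line. The following is an added example, not code from the thread or from pfSense: it parses the CSV body of a filterlog line using pfSense's documented field order (common fields, IPv4 header fields, then TCP/UDP fields), then applies the thread's reading of direction to decide whether a non-LAN source address is expected or worth a closer look. It assumes em1 is the LAN interface and 192.168.1.0/24 is the LAN net, as the original poster states; the second log line is constructed for contrast and is not from the thread.

```python
import csv
import ipaddress
import re

# Syslog prefix as it appears on the thread's sample line:
# "Feb 6 10:34:00 filterlog: <csv fields>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) filterlog: (?P<csv>.*)$"
)

# pfSense filterlog field layout: common fields, then the IPv4 header
# fields, then the transport-layer fields for TCP or UDP.
COMMON = ["rulenum", "subrulenum", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id",
        "proto", "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack",
       "window", "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]

# The line posted in the thread (a pass, outbound on em1).
THREAD_LINE = ("Feb 6 10:34:00 filterlog: 87,16777216,,1000004765,em1,match,pass,"
               "out,4,0x0,,113,19058,0,DF,6,tcp,52,199.202.216.106,192.168.1.5,"
               "56152,56555,0,S,352846900,,8192,,mss;nop;wscale;nop;nop;sackOK")

# Constructed for this example (not from the thread): a packet arriving on the
# LAN wire that claims a documentation-range public source address.
CONSTRUCTED_IN_LINE = ("Feb 6 10:35:12 filterlog: 5,,,1000000103,em1,match,block,"
                       "in,4,0x0,,64,4321,0,none,6,tcp,60,203.0.113.9,192.168.1.5,"
                       "40000,22,0,S,1,,65535,,mss")


def parse_filterlog(line):
    """Parse one filterlog syslog line into a dict of named fields."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a filterlog line: %r" % line)
    fields = next(csv.reader([m.group("csv")]))
    rec = {"timestamp": m.group("ts")}
    rec.update(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    if rec["ipversion"] != "4":
        raise ValueError("this example only handles the IPv4 field layout")
    rec.update(zip(IPV4, rest))
    l4 = rest[len(IPV4):]
    if rec["proto"] == "tcp":
        rec.update(zip(TCP, l4))
    elif rec["proto"] == "udp":
        rec.update(zip(UDP, l4))
    rec["src_ip"] = ipaddress.ip_address(rec["src"])
    rec["dst_ip"] = ipaddress.ip_address(rec["dst"])
    return rec


def classify_lan_event(rec, lan_iface="em1", lan_net="192.168.1.0/24"):
    """Apply the thread's reading of direction on the LAN interface:
    'out' = firewall -> LAN host, 'in' = LAN host -> firewall.
    Returns (flow, verdict)."""
    if rec["interface"] != lan_iface:
        return ("other-interface", "not a LAN event")
    src_in_lan = rec["src_ip"] in ipaddress.ip_network(lan_net)
    if rec["direction"] == "out":
        flow = "firewall -> LAN host"
        # A non-LAN source is the normal case here: the firewall is delivering
        # traffic from elsewhere to a LAN host (a torrent peer in the thread).
        verdict = ("expected" if not src_in_lan
                   else "unusual: LAN source delivered back into LAN")
    else:
        flow = "LAN host -> firewall"
        # Packets entering from the LAN wire should carry LAN source addresses;
        # anything else is the case the original poster worried about.
        verdict = ("expected" if src_in_lan
                   else "suspicious: non-LAN source on LAN ingress (possible spoofing)")
    return (flow, verdict)


def summarize(line, **kw):
    """Parse and classify a line, returning the fields an analyst wants first."""
    rec = parse_filterlog(line)
    flow, verdict = classify_lan_event(rec, **kw)
    return {"tracker": rec["tracker"], "action": rec["action"],
            "direction": rec["direction"], "src": rec["src"], "dst": rec["dst"],
            "dstport": rec.get("dstport"), "flow": flow, "verdict": verdict}


if __name__ == "__main__":
    for line in (THREAD_LINE, CONSTRUCTED_IN_LINE):
        print(summarize(line))
```

The tracker value the script extracts (1000004765 for the thread's line) is the same number the earlier reply says to grep for in /tmp/rules.debug, so the parser and that lookup go together: the log tells you which rule fired and in which direction, and the rule file tells you why.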