Origin of outbound WAN connection

  • I know this is probably much more simple than I am trying to make it, but I could use someone to help clarify this. I am seeing traffic originating from my firewall's WAN address and making outbound connections to adware sites. I know for a fact that this traffic is from a machine on the LAN. I am not currently running a proxy on the firewall. Without a proxy, is there any way to tie that traffic back to the originating host on my LAN?

  • Go to Diagnostics>pfTop

    You can view your active connections by IP Pair. You may need to increase the "Maximum # of States"

    Also, consider installing the pfTopNG package. It will give you a GUI of your traffic flow and logging capability.

  • The state table (Diagnostics -> States) will also show the associations between the WAN interface states and the LAN interface states.
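
Added example, not part of the thread: a shell function that reads state-table lines and lists the LAN source behind each NAT'd connection to a given destination. It assumes IPv4 and the `pfctl -ss` line layout in which a translated state shows the original source in parentheses; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# lan_hosts_for_dest DEST_IP
# Reads pf state lines on stdin and prints "LAN_IP:PORT -> DEST_IP:PORT" for
# every translated (NAT'd) state whose destination is DEST_IP.
# Assumed layout of a translated state line (IPv4 only):
#   IFACE PROTO WAN_IP:PORT (LAN_IP:PORT) -> DEST_IP:PORT STATE
lan_hosts_for_dest() {
    awk -v dest="$1" '
        # Only translated states carry the pre-NAT source in parentheses.
        $4 ~ /^\(.*\)$/ && $5 == "->" {
            d = $6
            sub(/:[0-9]+$/, "", d)               # strip the destination port
            if (d != dest) next                  # exact match, not a regex
            src = substr($4, 2, length($4) - 2)  # drop the parentheses
            print src " -> " $6
        }
    ' | sort -u
}

# Constructed sample: em0 stands in for WAN, em1 for LAN. The em1 line is the
# LAN-side state and has no parenthesised address, so it is skipped.
sample_states() {
    cat <<'EOF'
em1 tcp 192.168.1.50:51234 -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:40111 (192.168.1.50:51234) -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:40112 (192.168.1.50:51240) -> 198.51.100.7:443       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 203.0.113.5:40113 (192.168.1.77:49800) -> 192.0.2.10:443       ESTABLISHED:ESTABLISHED
em0 udp 203.0.113.5:53011 (192.168.1.77:53011) -> 192.0.2.53:53       MULTIPLE:SINGLE
EOF
}

# On the firewall shell, feed it the live table instead of the sample:
#   pfctl -ss | lan_hosts_for_dest 198.51.100.7
```

States expire shortly after a connection closes, so this only finds hosts whose connections are still in the table when it runs.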

