Need help on unknown subnets appearing on our network



  • Hi!

    Just wondering how I can check on where I can find the source of unknown subnets appearing on our pfsense firewall logs? :D  Please see attached.  My concern is I'm seeing connections from 192.168.0.44, 192.168.1.35, 192.168.1.33, 192.168.0.44 (basically connections from 192.168.1.xxx and 192.168.0.xxx)

    TIA!



  • LAYER 8 Global Moderator

    What is the mac of these IPs?  Track them down that way.

    Why are you natting on your wifi router 2?  So I take it you're only seeing this traffic on your 192.168.2 interface..

    You show pfsense connected to this router is on 192.168.10/?  But then you show its wan as 192.168.11.?  And its dhcp server is on?  So that is confusing on its own.



  • Hi John!

    em2 interface's IP is 192.168.10.1, it's connected to WIFI Router 2's WAN port, the IP address of the wifi router 2 is 192.168.11.xxx

    DHCP server is on on both em2 (I can turn this off I think as I set static ARP for wifi router 2) and wifi router 2 (DHCP on for clients connected to it)

    I'm seeing wifi router 2's traffic as 192.168.10.100 (I guess that's all traffic from all that is connected to the wifi router 2)

    I'm sorry, but what do you mean why am I natting wifi router 2?  (newbie here)


  • LAYER 8 Global Moderator

    "I'm seeing wifi router 2's traffic as 192.168.10.100"
    "I'm sorry, but what do you mean why am I natting wifi router 2?"

    So you're natting all clients of wifi router 2 to this 10.100 address.. All your clients of your wifi router on our 192.168.11/24 – why are you doing that I would have to ask.. Why would you not just be using this wifi router as just AP?  Seems pointless to nat this.. Since pfsense is already natting your 192.168 address to your public IP, etc.

    But this has really nothing to do with your oddball IPs you're seeing which I assume is only on em1..  So either you're running some dhcp servers on this network that you're not aware of or you have devices that have these IPs set, etc.  I look to see what the mac address of these IPs are and then track them down by mac address, from the mac address you can look up the make of the device to give you clues to what device it is.  If your switch is smart it should be able to tell you which port the device is plugged into, etc.
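
Following the advice above to track the odd IPs down by MAC address, this added example (not from the thread or any poster) parses `tcpdump -e -n` output captured on em1 and groups off-subnet source IPs by the source MAC that sent them. The /24 mask, the sample capture lines and the MAC addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: em1's LAN is 192.168.2.0/24 (the thread names the subnet, not the mask).
EXPECTED = ipaddress.ip_network("192.168.2.0/24")

# Constructed sample of `tcpdump -e -n -i em1` output; timestamps and MACs are made up.
SAMPLE = """\
10:15:01.100000 02:00:00:aa:00:01 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.168.0.44.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (45)
10:15:02.200000 02:00:00:bb:00:02 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.168.1.35.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (45)
10:15:03.300000 02:00:00:bb:00:02 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.168.1.33.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (45)
10:15:04.400000 02:00:00:cc:00:03 > 02:00:00:dd:00:04, ethertype IPv4 (0x0800), length 98: 192.168.2.20 > 192.168.2.1: ICMP echo request, id 1, seq 1, length 64
"""

# With -e, tcpdump prints "<time> <src mac> > <dst mac>, ethertype IPv4 ..., length N: <src ip>[.port] > ..."
LINE = re.compile(
    r"^\S+ (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > \S+ ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
)


def stray_sources(capture, expected=EXPECTED):
    """Return {source MAC: sorted off-subnet source IPs seen from that MAC}."""
    found = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ARP, IPv6, or anything tcpdump formatted differently
        src = ipaddress.ip_address(m["src"])
        if src not in expected:
            found[m["mac"]].add(src)
    return {mac: [str(ip) for ip in sorted(ips)] for mac, ips in found.items()}


def oui(mac):
    """First three octets of the MAC: the prefix to look up for the device make."""
    return mac[:8].upper()


if __name__ == "__main__":
    for mac, ips in stray_sources(SAMPLE).items():
        # Several off-subnet IPs behind one MAC usually means that MAC is a
        # router or NAT box forwarding for others, not the end device itself.
        kind = "forwarding device?" if len(ips) > 1 else "single host"
        print(f"{mac} (OUI {oui(mac)}) -> {', '.join(ips)} [{kind}]")
```

The MAC it reports is what you then search for in the switch's MAC address table to find the physical port.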



  • Hi John!

    Thanks for being patient to reply!

    The reason why I am 'natting' wifi router 2 is mainly because I don't want clients from wifi router 2 to have access to the file sharing on 192.168.2.xxx subnet.  Although I have also made a firewall to block 192.168.10.xxx from accessing 192.168.2.xxx subnet.

    Yes, you are correct, it's happening on em1.  Will try to take a look for the MAC address of the suspicious connections.


  • LAYER 8 Global Moderator

    "because I don't want clients from wifi router 2 to have access to the file sharing on 192.168.2.xxx subnet"

    What??  Makes no sense - if you don't want clients from your em2 network not to access em1 or services on em1 then just firewall them, there is no reason to nat them..



  • @johnpoz:

    "because I don't want clients from wifi router 2 to have access to the file sharing on 192.168.2.xxx subnet"

    What??  Makes no sense - if you don't want clients from your em2 network not to access em1 or services on em1 then just firewall them, there is no reason to nat them..

    Hi John!

    I will take your advice, and will just use wifi router 2 as AP, turning off DHCP server, and plugging em2 to LAN port of the router.  I'm new to networking, and especially to pfSense.  I'm very thankful to this community as I was able to set up our pfSense from scratch via researching here and helpful members such as you :)

    Thanks again!


  • LAYER 8 Global Moderator

    That doesn't fix your odd IP problem… But it is cleaner and better setup.



  • What's the first octet of your WAN IP on pfSense?  Like 214.x.x.x

    I wonder if the IPs that you're seeing are from your Modem's LAN, either from wifi or wire.  If the modem isn't in bridged mode (if possible with your model), you could be seeing connections from that subnet.

    Just a thought.



  • @DanC:

    What's the first octet of your WAN IP on pfSense?  Like 214.x.x.x

    I wonder if the IPs that you're seeing are from your Modem's LAN, either from wifi or wire.  If the modem isn't in bridged mode (if possible with your model), you could be seeing connections from that subnet.

    Just a thought.

    WAN IP is 49.xxx.xxx.xxx

    connection interface WAN, and destination to something like 224.0.0.251:5353



  • 224.0.0.0/24 is an IP block for the local broadcast domain. Port 5353 seems to be associated with iTunes.

    Maybe your ISP is allowing broadcast traffic.

