Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Why is my log flooded with blocked traffic from 0.0.0.0? [SOLVED]

    Scheduled Pinned Locked Moved General pfSense Questions
    5 Posts 3 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      lavito
      last edited by

      I have a WAN setup on em0 via pppoe0 and a LAN on em1.  WAN is connected to a Modem which provides access to internet.

      I see my log flooded  with blocked traffic from 0.0.0.0. I am not sure I have seen this from the start but it does not look healthy.

      I have seen some posts referring to this as a bug or explanations that do not make seance to me.
      So I would appreciate if somebody can explain who\what is initiating these connections?

      Capture.PNG
      Capture.PNG_thumb

      1 Reply Last reply Reply Quote 0
      • K
        kejianshi
        last edited by

        https://forum.pfsense.org/index.php?topic=92054.0

        Seems like the words pppoe and dsl are common and related to your firewall spam.

        1 Reply Last reply Reply Quote 0
        • JKnottJ
          JKnott
          last edited by

          0.0.0.0 is the address used by devices that don't yet have an IPv4 address.  For example DHCP requests will have 0.0.0.0 as a source address, as will duplicate address detection ARP requests.  So, it's normal to see some on the network.  However, you can use packet capture to see what the MAC address is for those packets, to determine the source.  You'll have to download the capture and view the file in Wireshark to see the MAC addresses.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          1 Reply Last reply Reply Quote 0
          • L
            lavito
            last edited by

            @kejianshi
            Yes, I did read this before I posted but it does not really tell you how you can find out what it is, apart from the point that it may be a bug in pfSence. (and I am not sure why would this be a bug, unless non existent traffic.

            @JKnott:

            0.0.0.0 is the address used by devices that don't yet have an IPv4 address.  For example DHCP requests will have 0.0.0.0 as a source address, as will duplicate address detection ARP requests.  So, it's normal to see some on the network.  However, you can use packet capture to see what the MAC address is for those packets, to determine the source.  You'll have to download the capture and view the file in Wireshark to see the MAC addresses.

            That's a good point - I'll it check out…

            1 Reply Last reply Reply Quote 0
            • L
              lavito
              last edited by

              @johnpoz:

              So did you go into your daytek and

              UNmarking "Broadcast DSL status to LAN" under ->System Maintenance->Management

              User johnpoz solved this in the above post.

              When I un-ticked this, no flooding anymore!!!! Yeee  8)

              For me this worked as the source of my broadcast traffic was my DSL modem, for other people this might be due to other traffic broadcasts in their networks.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.