Traffic coming from 0.0.0.0, Ethernet switch?



  • Warning, I'm very unfamiliar with pfSense.

    After looking through the System Firewall Logs, I noticed there is quite a bit of traffic coming from 0.0.0.0, to the destination 224.0.0.1. I've researched my question before and noticed someone else on the forum called this "Out-Of-State-Traffic". If that is the correct term for what I'm seeing here, could someone please explain to me exactly what "Out-Of-State-Traffic" is? Also, should I do anything about this, or just ignore it as some other user suggested.

    My setup is as follows:

    Internet -> pfSense Router -> Ethernet Switch -> Asus Nighthawk (Set up in access point mode for wireless and additional Ethernet) -> PC I'm using to write this.



  • Galactic Empire

    IGMP can use 0.0.0.0 as a source address :-

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_igmp/configuration/xe-16/imc-igmp-xe-16-book/imc-customizing-igmp.html

    IGMP Multicast Addresses

    IP multicast traffic uses group addresses, which are Class D IP addresses. The high-order four bits of a Class D address are 1110. Therefore, host group addresses can be in the range 224.0.0.0 to 239.255.255.255.

    Multicast addresses in the range 224.0.0.0 to 224.0.0.255 are reserved for use by routing protocols and other network control traffic. The address 224.0.0.0 is guaranteed not to be assigned to any group.

    IGMP packets are transmitted using IP multicast group addresses as follows:

    IGMP general queries are destined to the address 224.0.0.1 (all systems on a subnet).
    IGMP group-specific queries are destined to the group IP address for which the device is querying.
    IGMP group membership reports are destined to the group IP address for which the device is reporting.
    IGMPv2 leave-group messages are destined to the address 224.0.0.2 (all devices on a subnet).
    IGMPv3 membership reports are destined to the address 224.0.0.22; all IGMPv3-capable multicast devices must listen to this address.


  • Rebel Alliance Global Moderator

    You can setup a rule to not log it if you don't want to see the noise.  Or turn off the multicast at the source, or depending on your switch stop the multicast from hitting pfsense.  If you have a smart/managed switch that allows for igmp snooping you should be able to block it from hitting pfsense and filling up your logs.



  • 0.0.0.0 is the source address used before a device knows it's IP address.  It's often used for DHCP requests.  You can use packet capture or Wireshark, to see where those packets are coming from and what they're doing.