Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Traffic coming from 0.0.0.0, Ethernet switch?

    General pfSense Questions
    4
    4
    1009
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • VivoAzzurro
      VivoAzzurro last edited by

      Warning, I'm very unfamiliar with pfSense.

      After looking through the System Firewall Logs, I noticed there is quite a bit of traffic coming from 0.0.0.0, to the destination 224.0.0.1. I've researched my question before and noticed someone else on the forum called this "Out-Of-State-Traffic". If that is the correct term for what I'm seeing here, could someone please explain to me exactly what "Out-Of-State-Traffic" is? Also, should I do anything about this, or just ignore it as some other user suggested.

      My setup is as follows:

      Internet -> pfSense Router -> Ethernet Switch -> Asus Nighthawk (Set up in access point mode for wireless and additional Ethernet) -> PC I'm using to write this.


      1 Reply Last reply Reply Quote 0
      • NogBadTheBad
        NogBadTheBad last edited by

        IGMP can use 0.0.0.0 as a source address :-

        https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_igmp/configuration/xe-16/imc-igmp-xe-16-book/imc-customizing-igmp.html

        IGMP Multicast Addresses

        IP multicast traffic uses group addresses, which are Class D IP addresses. The high-order four bits of a Class D address are 1110. Therefore, host group addresses can be in the range 224.0.0.0 to 239.255.255.255.

        Multicast addresses in the range 224.0.0.0 to 224.0.0.255 are reserved for use by routing protocols and other network control traffic. The address 224.0.0.0 is guaranteed not to be assigned to any group.

        IGMP packets are transmitted using IP multicast group addresses as follows:

        IGMP general queries are destined to the address 224.0.0.1 (all systems on a subnet).
        IGMP group-specific queries are destined to the group IP address for which the device is querying.
        IGMP group membership reports are destined to the group IP address for which the device is reporting.
        IGMPv2 leave-group messages are destined to the address 224.0.0.2 (all devices on a subnet).
        IGMPv3 membership reports are destined to the address 224.0.0.22; all IGMPv3-capable multicast devices must listen to this address.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        1 Reply Last reply Reply Quote 0
        • johnpoz
          johnpoz LAYER 8 Global Moderator last edited by

          You can setup a rule to not log it if you don't want to see the noise.  Or turn off the multicast at the source, or depending on your switch stop the multicast from hitting pfsense.  If you have a smart/managed switch that allows for igmp snooping you should be able to block it from hitting pfsense and filling up your logs.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

          1 Reply Last reply Reply Quote 0
          • JKnott
            JKnott last edited by

            0.0.0.0 is the source address used before a device knows it's IP address.  It's often used for DHCP requests.  You can use packet capture or Wireshark, to see where those packets are coming from and what they're doing.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 64 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            1 Reply Last reply Reply Quote 0
            • First post
              Last post