How to identify strange private IP address on LAN interface?



  • Hi there,

    In our firewall log we discovered a lot of entries like this:

    filterlog:
    5,,,1000000103,igb0,match,block,in,4,0xc0,,63,60124,0,none,1,icmp,116,10.5.184.252,185.60.216.11,unreach,host 10.5.184.252 unreachable96
    

    igb0 is our LAN interface, and we neither know of a device with the IP address 10.5.184.252 nor do we have a subnet that fits this address. The destinations vary, often client stuff like Facebook, Google, Akamai, ...

    What can we do to investigate this? The packet capture "just" tells us that it is traffic between our switches and the LAN interface of our pfSense.

    Thanks and greets
    Stephan


  • Rebel Alliance Global Moderator

    Sniff on your pfSense, find the MAC, and then follow that MAC into your network to find the box sending the traffic. Are you saying that you're only able to see the MAC of some downstream layer 3 switch routing the traffic?

    If so, you will have to sniff downstream to find the offending traffic to find the MAC to track down the host sending it.
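
Added example, not part of the thread: a small Python triage script that parses filterlog entries like the one quoted above, lists inbound sources on igb0 that fall outside the expected LAN subnets, and uses the logged TTL to estimate whether the sender is on-link or behind a router. Assumptions: the `KNOWN_LAN` subnet is a constructed value, the initial TTLs are common OS defaults, and the field positions are those of the IPv4 filterlog entry shown in the first post.

```python
import ipaddress
from collections import Counter

# Assumption: the LAN subnets you expect on igb0 (constructed value, not from the thread).
KNOWN_LAN = [ipaddress.ip_network("192.168.1.0/24")]
COMMON_INITIAL_TTLS = (64, 128, 255)  # assumption: typical OS default TTLs

# Sample lines: the first is the entry from the first post, the second is constructed.
SAMPLE = [
    "5,,,1000000103,igb0,match,block,in,4,0xc0,,63,60124,0,none,1,icmp,116,"
    "10.5.184.252,185.60.216.11,unreach,host 10.5.184.252 unreachable96",
    "7,,,1000000104,igb0,match,pass,in,4,0x0,,64,1234,0,DF,6,tcp,60,"
    "192.168.1.20,93.184.216.34,51000,443,0,S,1234567890,,64240,,mss",
]

def parse_ipv4(line):
    """Return the fixed IPv4 header fields of a filterlog CSV line, or None."""
    f = line.split(",")
    if len(f) < 20 or f[8] != "4":  # field 8 is the IP version
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7], "ttl": int(f[11]),
            "proto": f[16], "src": ipaddress.ip_address(f[18]), "dst": f[19]}

def hops_from_ttl(ttl):
    """Estimate router hops, assuming the sender started at the next common TTL."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial - ttl

def unknown_sources(lines, iface="igb0"):
    """Count inbound sources on iface outside KNOWN_LAN, keyed by (src, hop estimate)."""
    seen = Counter()
    for line in lines:
        e = parse_ipv4(line)
        if not e or e["iface"] != iface or e["dir"] != "in":
            continue
        if not any(e["src"] in net for net in KNOWN_LAN):
            seen[(str(e["src"]), hops_from_ttl(e["ttl"]))] += 1
    return seen

if __name__ == "__main__":
    for (src, hops), n in unknown_sources(SAMPLE).items():
        where = "on-link" if hops == 0 else f"~{hops} router hop(s) away"
        print(f"{src}: {n} entries, {where}")
```

A hop estimate above zero fits the downstream layer 3 case raised in the reply: the MAC seen at the pfSense LAN interface then belongs to the routing device, and the capture has to move to the far side of it.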