How to identify strange private IP address on LAN interface?

  • Hi there,

    in our firewall log we discovered a lot of entries like this:

    5,,,1000000103,igb0,match,block,in,4,0xc0,,63,60124,0,none,1,icmp,116,,,unreach,host unreachable96

    igb0 is our LAN interface, and we neither know about a device with the IP address nor do we have a subnet fitting to this address. The destinations are varying, often client stuff like Facebook, Google, Akamai, ...

    What can we do to investigate this? The packet capture "just" tells us that it is traffic between our switches and the LAN interface of our pfSense.

    Thanks and greets

  • LAYER 8 Global Moderator

    Sniff on your pfsense, find the mac and then follow that mac into your network to find the box sending the traffic. Are you saying that your only able to see the mac of some downstream layer 3 switch routing the traffic.

    If so you will have to sniff downstream to find the offending traffic to find the mac to track down the host sending it.

Log in to reply