How to identify strange private IP address on LAN interface?

Sherminator

Hi there,

in our firewall log we discovered a lot of entries like this:

filterlog:
5,,,1000000103,igb0,match,block,in,4,0xc0,,63,60124,0,none,1,icmp,116,10.5.184.252,185.60.216.11,unreach,host 10.5.184.252 unreachable96

igb0 is our LAN interface, and we neither know about a device with the IP address 10.5.184.252 nor do we have a subnet fitting to this address. The destinations are varying, often client stuff like Facebook, Google, Akamai, ...

What can we do to investigate this? The packet capture "just" tells us that it is traffic between our switches and the LAN interface of our pfSense.

Thanks and greets
Stephan

johnpoz

Sniff on your pfsense, find the mac and then follow that mac into your network to find the box sending the traffic. Are you saying that your only able to see the mac of some downstream layer 3 switch routing the traffic.

If so you will have to sniff downstream to find the offending traffic to find the mac to track down the host sending it.