Logging nat traffic to a specific IP
-
I have a fairly basic LAN <-> WAN pfsense rig sitting between my network and my modem. (it is virtualized on a multi-NIC win 2k8 box, but I think that's transparent to the pfsense)
I believe I have a client on my LAN which is pinging out to a botnet sinkhole (as reported by the spamhous CBL).
I've enabled all the logging that I can think of, and am feeding them to a syslog server.
I see entries for what appears to be the offending traffic hitting 192.42.119.41, but I don't see the internal IP address in the logs, just the WAN IP. I've substituted my actual wan ip address with {WAN_IP} in the example below:
79,,,1000002761,hn1,match,pass,out,4,0x2,0,127,15810,0,DF,6,tcp,52,{WAN_IP},192.42.119.41,6035,80,0,SEC,2192795705,,8192,,mss;nop;wscale;nop;nop;sackOK
Any thoughts on what I need to do to log/view the internal LAN ip address of the offending traffic?
-
@jordanbones said in Logging nat traffic to a specific IP:
I believe I have a client on my LAN which is pinging out to a botnet sinkhole
Well if you were logging all passed traffic on the lan you would see this in your logs. Or if you setup a specific allow or block rule with this dest you would also see it in your logs.
Or just look in your current state table if this device is constantly doing it. Or setup a packet capture on your lan interface looking for this traffic as dest host IP.
-
Thanks John, I thought I had the logging turned on for the "Default allow LAN to any rule", but now I'm doubting that it was turned on last time around. I've since ensured it's enabled, but also added a specific firewall LAN rule for that destination, and ensured it has logging enabled on it too.
Usually the offending traffic occurs once a day, so I'll see what gets logged next. Thanks!
-
Well as long as that rule is above your any any rule.. Remember rules are evaluated top down, first rule to trigger wins.