Weird system logs. Please help

rarken

My internet went down for about 10 seconds last night, so I checked the logs to see what it looked like. I'm not sure what it means, and if I should be concerned.

Aug 4 22:30:26 php-fpm 340 /rc.linkup: Shutting down Router Advertisment daemon cleanly
Aug 4 22:30:26 check_reload_status Reloading filter
Aug 4 22:30:26 php-fpm 5790 /rc.linkup: DEVD Ethernet attached event for wan
Aug 4 22:30:26 php-fpm 5790 /rc.linkup: HOTPLUG: Configuring interface wan
Aug 4 22:30:26 check_reload_status rc.newwanip starting re0
Aug 4 22:30:26 php-fpm 5790 /rc.linkup: Gateway, none 'available' for inet6, use the first one configured. ''
Aug 4 22:30:26 check_reload_status Restarting ipsec tunnels
Aug 4 22:30:27 php-fpm 176 /rc.newwanip: rc.newwanip: Info: starting on re0.
Aug 4 22:30:27 php-fpm 176 /rc.newwanip: rc.newwanip: on (IP address: [EXTERNAL IP]) (interface: WAN[wan]) (real interface: re0).
Aug 4 22:30:27 php-fpm 176 /rc.newwanip: IP Address has changed, killing states on former IP Address 192.168.100.10.
Aug 4 22:30:28 php-fpm 176 /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
Aug 4 22:30:28 php-fpm 5790 /rc.linkup: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1564983028] unbound[40625:0] error: bind: address already in use [1564983028] unbound[40625:0] fatal error: could not open ports'
Aug 4 22:30:29 php-fpm 176 /rc.newwanip: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1564983029] unbound[53340:0] error: bind: address already in use [1564983029] unbound[53340:0] fatal error: could not open ports'
Aug 4 22:30:30 php-fpm 32538 /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Aug 4 22:30:30 php-fpm 32538 /rc.newwanip: Creating rrd update script
Aug 4 22:30:32 check_reload_status updating dyndns wan
Aug 4 22:30:32 check_reload_status Reloading filter
Aug 4 22:30:32 php-fpm 32538 /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - [EXTERNAL IP] -> [EXTERNAL IP] - Restarting packages.
Aug 4 22:30:32 check_reload_status Starting packages
Aug 4 22:30:33 php-fpm 341 /rc.start_packages: Restarting/Starting all packages.
Aug 4 22:30:34 php-fpm 176 /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Aug 4 22:30:34 php-fpm 176 /rc.newwanip: Creating rrd update script
Aug 4 22:30:36 php-fpm 176 /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 192.168.100.10 -> [EXTERNAL IP] - Restarting packages.
Aug 4 22:30:36 check_reload_status Starting packages
Aug 4 22:30:37 php-fpm 341 /rc.start_packages: Restarting/Starting all packages.

Two things concern me:

1. Why is the router restarting IPSec and OpenVPN; I DON'T have any VPNs.
2. What is going on with 192.168.100.10?

/rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 192.168.100.10 -> [EXTERNAL IP] - Restarting packages.

^ What is that?

traceroute to 192.168.100.10 (192.168.100.10), 64 hops max, 52 byte packets
1 infernape (192.168.0.1) 3.980 ms 1.342 ms 1.406 ms
2 96.120.60.157 (96.120.60.157) 13.508 ms 19.249 ms 19.870 ms
3 * * *
4 * * *
^C

Even though it is a reserved LAN IP it routes outside of my local network. infernape is my router, and 96.120.60.157 is the ISP.

What on earth is going on? I hope it's just my ignorance and not having been hacked.

stephenw10

The scrips restart VPNs because they might on that WAN interface. If you don't have any configured they don't do anything.

Is 192.168.100.0/24 your LAN subnet? If not it's probably a cable modem handing out an IP address via DHCP to enable you to connect for diagnostic info. They often do that if they lose upstream sync. Check the DHCP logs if you still have them for dhclient entries at the time.
You can prevent that by rejecting leases from the modem if that's what's happening:
https://docs.netgate.com/pfsense/en/latest/book/interfaces/ipv4-wan-types.html#dhcp

Steve

rarken

Thank you for replying!

I'm glad the VPN bit is explained. Thank you!

But why would 192.168.100.10 route through the ISP? Especially if it is my cable modem. That part is still confusing me.

stephenw10

If it's not a locally defined subnet or has a static route then it will be sent via the default route, usually your WAN gateway.

That's the expected behaviour.

Steve

johnpoz

Router doesn't know to not send rfc1918 out its default.. It just knows hey not locally connected to that network, have no routes to that - so send it to the default gateway.. He will know how to get there ;)

Yeah 192.168.100.1 is default modem IP for a lot of devices.. So yeah when the modem looses sync it will hand IP on that network so you can access its status/config pages..

So if your modem rebooted or lost its sync, then sure pfsense could get 192.168.100 address on its wan.