Help me understand what this means in firewall and why
-
Act Time IF Source Destination
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
LAN1 has a few VLANs.
This is in 2.5.0 firewall monitor and constantly filling up.
I had done some changes but nothing that I can put my finger on at the moment. Maybe from pointing DNS to the WAN ports?
Services - DNS Resolver - General Settings - General DNS Resolver Options - Outgoing Network Interfaces: selected WAN1 and WAN2.
Also, I am not using any IPv6, but it is there for each interface and VLAN. I tried turning off everything IPv6; no need, not using it, so why is it there?
Thank you
-
@ttime said in Help me understand what this means in firewall and why:
224.0.0.18
That is VRRP... you have something on LAN1 doing VRRP.
Either disable that on whatever is sending it, or set up a rule not to log that traffic if you don't want to see it.
https://en.wikipedia.org/wiki/Virtual_Router_Redundancy_Protocol
-
Thank you for your quick reply and help on where to look. I traced it to the Mobility Express APs using the native VLAN.
-
@ttime said in Help me understand what this means in firewall and why:
where to look. I traced it to the Mobility Express APs using the native VLAN.
Hi,
You can't avoid this; it's a multicast address (VRRP) that Cisco uses to configure Mobility Express,
like mine.
+++edit:
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/mob_exp/88/user_guide/b_ME_User_Guide_88/appendix.html
-
@daddygo Thank you! I was just about to look into that.
-
@ttime said in Help me understand what this means in firewall and why:
I was just about to look into that.
Then I saved you some time
-
If you just don't want to see it on pfSense, you can create a rule in the firewall to not log that traffic.
-
@johnpoz Thank you for recommending that. I created a rule to block the same traffic in the LAN to destination 224.0.0.18 and the logging stopped.
https://docs.netgate.com/pfsense/en/latest/firewall/best-practices.html#figure-fwrules-dont-log-broadcasts
Regards
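The two points made in this thread (224.0.0.18 is the VRRP group, and the fix is a block rule with logging turned off) as an added triage script; this is not code from the thread or from pfSense. It parses constructed rows in the layout of the firewall-log table quoted in the question, tallies repeated entries and flags well-known multicast groups as candidates for a no-log rule; the group labels and the repeat threshold are my own assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
# Constructed rows in the layout of the pfSense firewall-log table quoted in
# the question (Act Time IF Source Destination); not real traffic.
SAMPLE_LOG = """\
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:21 LAN1 192.168.10.25 224.0.0.251
x Mar 24 14:21 WAN1 203.0.113.7 198.51.100.2
"""
LINE_RE = re.compile(r"^(?P<act>\S+)\s+(?P<time>[A-Za-z]{3} \d{1,2} \d{2}:\d{2})\s+"
                     r"(?P<iface>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)$")
# IANA well-known groups. 224.0.0.18 is VRRP (RFC 5798); pfSense's own CARP
# uses the same group, so a block rule on a CARP interface would silence CARP too.
KNOWN_GROUPS = {"224.0.0.18": "VRRP/CARP", "224.0.0.5": "OSPF",
                "224.0.0.251": "mDNS", "239.255.255.250": "SSDP"}
LOCAL_CONTROL = ip_network("224.0.0.0/24")  # link-local scope, never routed

def classify(dst: str) -> str:
    """Label a destination by the protocol that normally uses it."""
    if dst in KNOWN_GROUPS:
        return KNOWN_GROUPS[dst]
    addr = ip_address(dst)
    if addr in LOCAL_CONTROL:
        return "link-local multicast"
    return "other multicast" if addr.is_multicast else "unicast"

def summarize(log_text: str) -> Counter:
    """Count identical (interface, source, destination, label) entries."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header row or malformed line
        iface, src, dst = m.group("iface", "src", "dst")
        counts[(iface, src, dst, classify(dst))] += 1
    return counts

def nolog_candidates(counts: Counter, threshold: int = 3) -> list:
    """Multicast entries repeated >= threshold times on one interface: the
    ones worth a dedicated block rule with logging unchecked."""
    return sorted({(iface, dst, label)
                   for (iface, _src, dst, label), n in counts.items()
                   if n >= threshold and label != "unicast"})

if __name__ == "__main__":
    for entry, n in summarize(SAMPLE_LOG).most_common():
        print(n, *entry)
    print("no-log rule candidates:", nolog_candidates(summarize(SAMPLE_LOG)))
```

Feed it the rows copied from Status - System Logs - Firewall and the top of the tally is the entry to write the no-log rule for, as in the Netgate best-practices link above.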
-
@ttime said in Help me understand what this means in firewall and why:
Thank you for recommending that. I created a rule to block the same traffic in the LAN to destination 224.0.0.18 and the logging stopped.
Hi,
As I mentioned, this is a useful thing in your system...
(in fact, I'll go further.... mandatory, if you work with Cisco Mobility stuff)
You will not be able to use this for debugging after this... It's worth banning things that really bother you...
All tastes and slaps are different.
BTW:
if you have limited "log" storage space, do not lock down the number of rows forever
+++edit:
That was not the solution