Help me understand what this means in firewall and why

ttime

Act Time IF Source Destination
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18
x Mar 24 14:20 LAN1 0.0.0.0 224.0.0.18

LAN1 has a few vlans

This is in 2.5.0 firewall monitor and constantly filling up.
I had done some changes but nothing that I can put finger on at the moment. Maybe from pointing DNS to WAN ports?

Services-DNS Resolver-General Settings
General DNS Resolver Options

Outgoing Network Interfaces
selected WAN1 and WAN2

Also I am not using any ipv6 but is there for each interface and vlan. I tried turn off everything ipv6 no need no using why there?

Thank you

johnpoz

@ttime said in Help me understand what this means in firewall and why:

224.0.0.18

That is VRRP... you have something on lan1 doing VRRP..

Either disable that on whatever is sending it, or setup a rule not to log that traffic if you don't want to see it.

https://en.wikipedia.org/wiki/Virtual_Router_Redundancy_Protocol

ttime

Thank you for your quick reply and help where to look. I traced it to the mobility express ap's using the native vlan.

DaddyGo

@ttime said in Help me understand what this means in firewall and why:

where to look. I traced it to the mobility express ap's using the native vlan.

Hi,

You can't avoid this, it's a multicast address (VRRP) that Cisco uses to configure Mobility Express

like mine

+++edit:
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/mob_exp/88/user_guide/b_ME_User_Guide_88/appendix.html

ttime

@daddygo Thank you! I was just about to look into that.

DaddyGo

@ttime said in Help me understand what this means in firewall and why:

I was just about to look into that.

Then I saved you some time

johnpoz

If you just don't want to see it on pfsense, you can create a rule in the firewall to not log that traffic..

ttime

@johnpoz Thank you for recommending that. I created a rule to block same traffic in the lan to destination 224.0.0.18 and the logging stopped.

https://docs.netgate.com/pfsense/en/latest/firewall/best-practices.html#figure-fwrules-dont-log-broadcasts

Regards

DaddyGo

@ttime said in Help me understand what this means in firewall and why:

Thank you for recommending that. I created a rule to block same traffic in the lan to destination 224.0.0.18 and the logging stopped.

Hi,

As I mentioned, this is a useful thing in your system...
(in fact, I’ll go further.... mandatory, if you work with Cisco Mobility stuff)
You will not be able to use this for debugging after this...

It’s worth banning things that really bother you...
It all tastes and slaps are different

BTW:
if you have limited "log" storage space, do not lock down the number of rows forever

+++edit:
That was not the solution