Can pfSense/Package monitor a single LAN port?
-
I have an Arduino board plugged into one of my router’s LAN ports as part of an ongoing project. I would like to get the source IP of each packet sent to this device.
Is there a way to do this using the capabilities of pfSense or an add-on package?
I can do this purely in the Arduino, but I would prefer to do it on the network-monitoring level if possible, so as to save programming overhead in the Arduino.
Does anyone know of a simple way to do this? I briefly looked into Suricata, but it seems somewhat intimidating and I’m not sure if it would be a good fit for this simple task.
-
Not for packets that originate on the LAN. Only packets that pass through pfSense can be captured with Packet Capture. What you need is a managed switch with port mirroring, or you could set up a data tap.
-
Doesn't seem like he wants to packet capture.. Just log the source IP, but @jknott is correct, you wouldn't be able to capture or log traffic that doesn't flow through pfSense.
Is all source to this IP going to have to be routed through pfSense? If so, then it would be simple enough to log it via the firewall rules that you allow traffic to the device with.
-
@jknott For several months now, I've been planning on swapping my ISP router for a pfSense box. The pfSense will sit behind a modem that will handle the actual internet connection. The modem has no routing capacity, so I would be relying on the pfSense to do the routing.
The Arduino will be getting packets from the LAN, but eventually I will also be setting it up so that it is accessible from the WAN as well.
Thanks for mentioning Packet Capture. I will look into this in more detail. Are there any other packages that provide similar functionality that would be worth looking into?
-
@johnpoz said in Can pfSense/Package monitor a single LAN port?:
Is all source to this IP going to have to be routed through pfSense? If so, then it would be simple enough to log it via the firewall rules that you allow traffic to the device with.
Yes, once I upgrade my router to the pfSense box all traffic will be processed by pfSense.
The firewall log seems like the solution I was looking for-- thanks @johnpoz
-
@pf-beginner the only concern with the logging is that you cannot keep logs going back forever on pfSense..
While there have been some improvements in rotation and keeping of logs, etc., if you want to keep logs going back X days, or weeks or even months/years, you're going to want to offload these logs to something for long term storage.
Here is an example - I don't care to keep logs going back x number of days.. As long as I have current ones for the last 24 hours or so I am fine.. So for example here are IPs that have recently accessed my Plex server, either being my users' IPs, or the status checks I do from outside that test if my Plex is up. Or the check Plex does now and then to validate remote access is available when you enable that..
Here are examples of, like, the Uptime Robot check, and the other one is Plex checking that it's remotely available when you enable that - it checks now and then..
If your interest is long term storage and easy access to these logs - you're going to want to look into sending them to a syslog.
-
@pf-beginner said in Can pfSense/Package monitor a single LAN port?:
Are there any other packages that provide similar functionality that would be worth looking into?
I like to use Wireshark. Even with Packet Capture, I prefer to download the captures to analyze them in Wireshark.
-
@johnpoz said in Can pfSense/Package monitor a single LAN port?:
If your interest is long term storage and easy access to these logs - you're going to want to look into sending them to a syslog.
As a starting point, I was considering a daily download of information. I will look into writing a script that could automate the process.
@JKnott I will compare the info provided by the firewall logs and the packet capture and see if there is anything in the packet capture that is of particular interest.
-
What are you looking for exactly? If all you want to know is the source IP, log is fine - if you actually want to look at the payload of what is sent and received you would want a packet capture... Long term storage of packet captures is not all that simple..
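Added example, not part of the original thread: a Python sketch of the kind of script discussed above, tallying the source IPs that a logging firewall rule recorded for one device, read from filterlog lines offloaded to a syslog server. The sample lines are constructed, the function names are hypothetical, and the field positions are assumed from pfSense's raw filter log layout, so check them against your own log lines.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: syslog lines as a remote collector might store them.
# Addresses are documentation/private ranges; 192.168.1.20 stands in for the Arduino.
SAMPLE_LOG = """\
Mar  3 10:15:01 pfsense filterlog[41234]: 92,,,1700000001,igb0,match,pass,in,4,0x0,,52,4321,0,DF,6,tcp,60,203.0.113.7,192.168.1.20,51514,80,0,S,1234567890,,64240,,mss
Mar  3 10:15:04 pfsense filterlog[41234]: 92,,,1700000001,igb0,match,pass,in,4,0x0,,52,4322,0,none,17,udp,48,203.0.113.7,192.168.1.20,40000,8888,28
Mar  3 10:15:06 pfsense filterlog[41234]: 95,,,1700000003,igb2,match,pass,in,4,0x0,,64,4400,0,DF,6,tcp,60,10.0.20.5,192.168.1.20,51600,80,0,S,222,,64240,,mss
Mar  3 10:15:07 pfsense filterlog[41234]: 4,,,1000000103,igb0,match,block,in,4,0x0,,240,9999,0,none,6,tcp,40,198.51.100.9,192.168.1.20,44321,23,0,S,333,,1024,,
Mar  3 10:15:08 pfsense filterlog[41234]: 92,,,1700000001,igb0,match,pass,in,4,0x0,,52,4323,0,DF,6,tcp,60,203.0.113.7,192.168.1.30,51515,443,0,S,444,,64240,,mss
Mar  3 10:15:09 pfsense filterlog[41234]: 93,,,1700000002,igb0,match,pass,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::5,2001:db8:1::20,51516,80,0,S,555,,64240,,mss
Mar  3 10:15:10 pfsense sshd[99]: Connection closed by 192.168.1.2 port 50000
"""

FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(\S.*)$")
# Index of the source address in the comma-separated record, per IP version
# (assumed layout; the destination address is the field right after it).
SRC_FIELD = {"4": 18, "6": 15}


def parse_filterlog(line):
    """Return (action, src, dst) for one syslog line, or None if it is not a usable filterlog record."""
    match = FILTERLOG_RE.search(line)
    if not match:
        return None
    fields = match.group(1).split(",")
    try:
        action = fields[6]
        src_idx = SRC_FIELD[fields[8]]
        src = ipaddress.ip_address(fields[src_idx])
        dst = ipaddress.ip_address(fields[src_idx + 1])
    except (IndexError, KeyError, ValueError):
        return None  # truncated record, unknown IP version, or unparsable address
    return action, src, dst


def sources_for(device_ip, lines, action="pass"):
    """Count source IPs of logged packets addressed to device_ip with the given rule action."""
    device = ipaddress.ip_address(device_ip)
    counts = Counter()
    for line in lines:
        record = parse_filterlog(line)
        if record and record[0] == action and record[2] == device:
            counts[str(record[1])] += 1
    return counts


if __name__ == "__main__":
    for ip, hits in sources_for("192.168.1.20", SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip}\t{hits}")
```

Passing `action="block"` lists the sources the firewall turned away from the device instead, which becomes the more interesting view once the device is reachable from the WAN.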