Footprint of Old Box in New Box?
-
A year and a half ago, I had a Mac Mini server (2011) as my pfSense box with an Intel NIC in a Thunderbolt enclosure and used the NIC on the Mac as a DMZ for a FreePBX system. I was using pfSense 2.5-devel and, because of the Mac internal fan driver, I decided to park the project shortly before pfSense v2.5 was released. I decided later to re-purpose the Mac Mini and got a Lenovo M93 box.
When I had received the Lenovo, I lost Internet service. So, I placed two new SSDs in the Lenovo and only transferred the NIC (i350x2) to the Lenovo box. pfSense v2.5 had been released; so, I installed a fresh copy and restored the configuration I had on the Mac Mini. The Lenovo pretty much sat an entire year without being used, and I used my phones as a hotspot. My Internet was restored two weeks ago so, I engaged the Lenovo, upgraded to v2.5.2 and began setting up a DMZ for my home office/lab phone system using FreePBX. I started noticing my old PBX address in the firewall log...thought that was odd as it doesn't exist on my network anywhere.
So, I changed the MAC address on my WAN to force a change to a new WAN IP. Shortly thereafter, the same address appeared on the firewall again. So, I decided to do a packet capture for close to two hrs, but when I viewed the file, it was empty. So, I launched Wireshark on another Mac and opened the file, which still resulted in an empty file. Now, during this two-hour capture period, the firewall log showed connection requests multiple times, either TCP, ICMP, or UDP.
So, my question is: did a footprint of my old FreePBX address (10.9.27.27) somehow get etched into my backup? If so, where would it be? I even uninstalled pfBlockerNG, making sure not to keep the old configuration, since the connection requests were coming from IPs listed with those feeds, rebooted, then installed the packet filter again...still getting connection requests...see below example from firewall log. I know it's a false positive...I don't want to see it anymore since it doesn't exist as a valid destination on my network.
-
It's because you have a port forward on WAN using that old address. You won't see anything in a packet capture on WAN because at that point it's using the WAN address as destination. Since it's blocked in the firewall it is not being forwarded and you would not see it in an internal capture either.
Steve
-
@stephenw10 said in Footprint of Old Box in New Box?:
It's because you have a port forward on WAN using that old address. You won't see anything in a packet capture on WAN because at that point it's using the WAN address as destination. Since it's blocked in the firewall it is not being forwarded and you would not see it in an internal capture either.
Steve
But, I am not using that address (10.9.27.27 or network); it's not configured anywhere on the new box, nor did I have port forwarding set up on the old box...what I had in the past was 1:1 NAT.
-
Ok 1:1 NAT is still forwarding traffic to it, all ports in that case. Remove the 1:1 NAT rule.
-
@stephenw10 said in Footprint of Old Box in New Box?:
Ok 1:1 NAT is still forwarding traffic to it, all ports in that case. Remove the 1:1 NAT rule.
Okay. Removed, thanks Steve.
-
I would also remove the MAC spoofing since that is doing nothing.
-
@stephenw10 said in Footprint of Old Box in New Box?:
I would also remove the MAC spoofing since that is doing nothing.
Okay, will do that also, thanks.
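
Added example, not part of the original thread or of pfSense itself: a script that walks an exported configuration backup and reports every element that still mentions an old address, which is one way to answer the "where would it be?" question for a leftover like 10.9.27.27. The XML below is a constructed sample and its element names are assumptions for illustration; the function name is hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample backup; element names are assumptions, not a real export.
SAMPLE_BACKUP = """<pfsense>
  <interfaces>
    <wan><if>igb0</if><ipaddr>dhcp</ipaddr><spoofmac>02:00:00:aa:bb:cc</spoofmac></wan>
    <lan><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <nat>
    <onetoone>
      <external>203.0.113.10</external>
      <interface>wan</interface>
      <source><address>10.9.27.27</address></source>
      <destination><any/></destination>
      <descr>old FreePBX</descr>
    </onetoone>
  </nat>
  <aliases>
    <alias><name>PBX_HOSTS</name><address>10.9.27.27 10.9.27.30</address></alias>
  </aliases>
</pfsense>"""

def find_stale_address(xml_text, stale):
    """Return (element path, text) for each element mentioning `stale` (IP or CIDR)."""
    net = ipaddress.ip_network(stale, strict=False)
    hits = []

    def mentions(text):
        # Values may hold several space- or comma-separated hosts, or host/prefix.
        for token in text.replace(",", " ").split():
            try:
                if ipaddress.ip_address(token.split("/")[0]) in net:
                    return True
            except ValueError:
                continue  # not an IP literal (e.g. "dhcp", a MAC, a prefix length)
        return False

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.text and mentions(elem.text):
            hits.append((here, elem.text.strip()))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return hits

if __name__ == "__main__":
    for path, text in find_stale_address(SAMPLE_BACKUP, "10.9.27.27"):
        print(f"{path}: {text}")
```

Passing a network such as `10.9.27.0/24` instead of a single host also catches neighbouring addresses from the retired DMZ.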