Too many Block IPv4 link-local (1000000101) in log, how to find devices related on network?

Elrick75 · May 15, 2022, 7:13 PM

Hi,

I just take a look to firewall logs and i see a lots of error Block IPv4 link-local (1000000101), i would like to identify the root cause on my LAN.
Is there a simple and effective way to identify device that causes this problem?

Many thanks for your help.

luckman212 · May 15, 2022, 7:55 PM

@elrick75 Do you have a DHCP server enabled on the VLAN_MY_LAN interface? Those source IPs are self-assigned APIPA addresses, indicating the devices have invalid IP info. You have 3 options basically:

turn off logging of those private IPs in System Logs > Settings
add a specific rule to block & not log them
fix the devices so they have properly assigned IPs...

Elrick75 · May 15, 2022, 8:07 PM

@luckman212 said in Too many Block IPv4 link-local (1000000101) in log, how to find devices related on network?:

ces so they have properly assigned IP

Hi,

Making logs disabled could not be useful for me because I won't see verbose devices that cause problems afterwards.
I think that it was more interessting to identify and fix this "shitty" device :)
How can i do that please?

luckman212 · May 15, 2022, 8:11 PM

@elrick75 See if you can find the MAC addresses of the device(s) in Diagnostics > ARP. If not, try pinging one of those 169.xx IPs and then check ARP again. Once you have the MAC, you can look on the device itself (sticker) or look it up in an online database such as https://www.wireshark.org/tools/oui-lookup.html to help identify...

johnpoz · May 16, 2022, 6:35 AM

@elrick75 you most likely want to just sniff for those IP(s) so you can find the mac - then from that you can figure out what device is doing it - then correct the device so its not using 169.254 addresses.

Elrick75 · May 16, 2022, 6:35 AM

@johnpoz How can i sniff devices from the subnet in cause?
Topology is currently three LAN with Cisco switch.
VLAN is applied on Cisco port switch.

johnpoz · May 16, 2022, 7:32 AM

@elrick75 do a packet capture on the interface your logging the trafffic - whatever that vlan_my_lan is..

Packet capture is under the diagnostic menu..

From the mac, you can look on your switch to what port the device is connected to, or if from a wireless network that is a bit harder. But the first 3 octets of the mac you can look up the maker of the device and that should give you some clue to what it is..

If I had to guess, its plex GDM discovery

https://support.plex.tv/articles/201543147-what-network-ports-do-i-need-to-allow-through-my-firewall/
UDP: 32410, 32412, 32413, 32414 (current GDM network discovery)

So maybe a firestick or something trying to discover your plex server? Or a plex server..

But seems like you have multiple devices doing it because your source 169.254.x.x are different IPs..

From the packet capture - what are the mac of the devices sending out that directed broadcast to 169.254.255.255.. You can look up the maker here

https://www.macvendorlookup.com/

Elrick75 · May 30, 2022, 6:42 PM

@johnpoz You were right, the problem came from the Plex application, I updated the package in question, this error is no longer present.
Thanks a lot for your help.
By the way, I learned how to use Capture, which could be useful for later.

johnpoz · May 30, 2022, 7:13 PM

@elrick75 said in Too many Block IPv4 link-local (1000000101) in log, how to find devices related on network?:

I learned how to use Capture, which could be useful for later.

Very useful to say the least ;)