Netgate Discussion Forum

    States to undefined net address??

    Firewalling
    7 Posts 3 Posters 495 Views
    furom

      Hi,

      I found more peculiar things that I certainly think are odd.

      I have two Synology NASs I use as NFS storage. These work fine, but in the log I find blocks of ports 137 & 138 originating from them trying to reach an address outside the defined scope! The network is a /28 net (14 addresses), and the odd thing is the NASs somehow have created ICMP states to the 15th (non-existent) address in that network...

      In Diagnostics/States I have two identical entries, one for each NAS I suppose.
      states.png

      I have checked and rechecked the NASs (.10 & .11) for the .15 address, but it is not defined anywhere. That is strange, but more so, why does pfSense create states for an address that cannot exist using a /28 netmask?

      rcoleman-netgate Netgate @furom

        @furom What's in the ARP table for that? Diagnostics->ARP

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

        furom @rcoleman-netgate

          @rcoleman-netgate said in States to undefined net address??:

          @furom What's in the ARP table for that? Diagnostics->ARP

          Well, the .15 address is not in the ARP table.

          rcoleman-netgate Netgate @furom

            @furom I don't see the point in redacting anything that is internal to your network and doesn't show any external IP addresses -- it's just wasted energy.

            I would do an nmap scan of your network and see if there's something sitting on that IP but not responding to requests. You can do a packet capture JUST on that IP address if you prefer. Leave the capture open with a 0 packet limit and let it run for an extended period of time. Delete the state and see if it comes back; if it does, stop the pcap and look at it.

            Ryan
            Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
            Requesting firmware for your Netgate device? https://go.netgate.com
            Switching: Mikrotik, Netgear, Extreme
            Wireless: Aruba, Ubiquiti

            furom @rcoleman-netgate

              @rcoleman-netgate said in States to undefined net address??:

              @furom I don't see the point in redacting anything that is internal to your network and doesn't show any external IP addresses -- it's just wasted energy.

              I would do an nmap scan of your network and see if there's something sitting on that IP but not responding to requests. You can do a packet capture JUST on that IP address if you prefer. Leave the capture open with a 0 packet limit and let it run for an extended period of time. Delete the state and see if it comes back; if it does, stop the pcap and look at it.

              Well, I will try the nmap first, and if that does not yield anything, the pcap. I don't really like that stuff tries to address something that isn't even defined. Thanks for the suggestions.

              johnpoz LAYER 8 Global Moderator @furom

                @furom said in States to undefined net address??:

                Well, the .15 address is not in the ARP table.

                That doesn't stop the creation of a state. A state would only be created to something that is routed, so if this .1 box is sending traffic to pfSense, and pfSense rules would allow creation of the state, it gets created even if there is nothing actually there.

                You need to figure out why whatever that .1 box is, it is sending traffic to .15.

                And I'm with @rcoleman-netgate: if those are RFC1918 addresses, why would you hide them?

                As to the state thing, for example: I am pinging an address on one of my other VLANs, and there is nothing on that IP address.

                ping.jpg

                Notice there is still a state. So figure out why that .1 is sending ICMP traffic to .15; clearly it is sending traffic, or there would be no state in pfSense. Is pfSense the .1? Maybe you had set up some sort of monitoring to that IP; for example, an HAProxy setup will create traffic to whatever IP you put in there, even if it is no longer there.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  furom @johnpoz

                  @johnpoz Hi, and sorry for the late answer. The ICMP was sent to that net's broadcast address. Why is still unknown; I suppose that is a question for my NAS vendor... I have made a habit of masking most addresses; I agree RFC1918 is not really necessary.

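A check I would run for the conclusion reached in this thread, added here as an example and not taken from the thread or from pfSense itself: parse state-table lines and flag destinations that are the interface subnet's broadcast or network address, which never appear in ARP yet are routable, so pf still creates states for traffic sent to them. The sample lines are constructed in the style of `pfctl -ss` output; the interface name, the addresses and the arrow convention are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in the style of `pfctl -ss` output (not a real capture):
# two NAS hosts (.10, .11) on a /28 with ICMP and NetBIOS (udp/137) states to .15, plus an inbound NFS (tcp/2049) connection for contrast.
SAMPLE_STATES = """\
igb1 icmp 192.0.2.10:8 -> 192.0.2.15:8       0:0
igb1 icmp 192.0.2.11:8 -> 192.0.2.15:8       0:0
igb1 udp 192.0.2.10:137 -> 192.0.2.15:137       SINGLE:NO_TRAFFIC
igb1 tcp 192.0.2.10:2049 <- 192.0.2.3:51234       ESTABLISHED:ESTABLISHED
"""

# "<iface> <proto> <a>:<port> <-|-> <b>:<port> ..."; trailing state info is ignored.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<a>[\d.]+):(?P<ap>\d+)\s+(?P<arrow><-|->)\s+(?P<b>[\d.]+):(?P<bp>\d+)"
)

def classify_destination(addr, cidr):
    """Label a destination relative to the interface subnet (CIDR string).
    The directed broadcast (.15 on a /28) and the network address are never
    assigned to a host, so they never show up in ARP, yet pf still creates a
    state for traffic sent to them because the address is routable."""
    network = ipaddress.ip_network(cidr)
    ip = ipaddress.ip_address(addr)
    if ip not in network:
        return "outside"
    if ip == network.broadcast_address:
        return "broadcast"
    if ip == network.network_address:
        return "network"
    return "host"

def parse_states(text, cidr):
    """Return (proto, src, dst, dst_class) per state line.
    Assumed pfctl convention: "a -> b" is outbound with a as source;
    "a <- b" is inbound with b as remote source and a as local destination."""
    results = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        src, dst = (m["a"], m["b"]) if m["arrow"] == "->" else (m["b"], m["a"])
        results.append((m["proto"], src, dst, classify_destination(dst, cidr)))
    return results

def suspicious_states(text, cidr):
    """States whose destination is not an actual host address on the subnet."""
    return [r for r in parse_states(text, cidr) if r[3] != "host"]
```

Run it against the output of `pfctl -ss` on the firewall with the LAN's real prefix; anything reported as "broadcast" is the pattern described in this thread (NetBIOS name service on udp/137 is normally sent to the subnet broadcast, so those entries are expected).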
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.