Netgate Discussion Forum

    Identifying IGMP 0.0.0.0 On WAN Port Every 10-20 Seconds

      urbnsr
      last edited by urbnsr

      I have read a few posts covering the logging of bogon traffic, but thought this may be slightly different.

      On our pfSense v.2.7.0, I am finding firewall log entries as:

       	Aug 29 09:14:23 	igb1 	Default deny rule IPv4 	0.0.0.0		224.0.0.1		IGMP
      

      This port is a WAN port configured with a PPPoE connection. I find these entries every 10-20 seconds and noticed the interface listed in the logs is not the friendly name, but the port name. I believe I can stop logging these block entries, but that won't make the traffic stop. Disabling the configuration (in pfSense) of this interface does not stop the traffic. Timing of the traffic appears precise at 13, 23, 43 and 53 seconds past the minute - even after power-cycling the ISP's radio/modem (wireless connection just after our pfSense box) = Interface came up at 40 seconds after the minute per pfSense dashboard and 3 seconds later the traffic starts again.

      Packet Capture lists the port, igb1, as unassigned even though Packet Capture also offers the WAN (pppoe0) (same physical port). I find two different MAC addresses alternating each packet attempt. Capture on WAN (pppoe0) does not return anything when specifying 0.0.0.0 as source. I also find non-bogon traffic coming in on the unassigned igb1 port. Some supposedly resolve back to IANA Special Use type. These are not at the same time or as frequent (from two different IANA IPs one second apart at 30-second intervals).

      Since the 0.0.0.0 traffic seems overly frequent, I am wondering if I should look into this further? Should I contact the ISP and see if this is somehow sourced by them (attempting to verify legitimate account, maybe?)? Or...?

      Thanks for any opinions. Sorry this post ended up so long.

        viragomann @urbnsr

        @urbnsr
        Seems to be multicast noise (IGMP), not ICMP.

        Is there any device in between pfSense and the ISP? I don't expect this coming from the ISP over PPPoE.
        If there is a device at your side sending this, disable it on it or ignore it.

          urbnsr @viragomann

          @viragomann Thanks for the reply.

          Yes, I meant IGMP - Sorry, my typo (and edited).

          Only thing after pfSense on this port is ISP radio/modem which connects to their tower equipment 1/2 mile away.

          Does the fact that pfSense is specifying the network port and not the friendly name indicate anything to wonder about?

            viragomann @urbnsr

            @urbnsr said in Identifying IGMP 0.0.0.0 On WAN Port Every 10-20 Seconds:

            Does the fact that pfSense is specifying the network port and not the friendly name indicate anything to wonder about?

            I guess the IGMP packets are seen on the parent interface, not on the PPPoE WAN. Maybe you haven't stated a name for it?

              urbnsr @viragomann

              This is a named interface (WAN2) and I can find references to it in the firewall logs (non-0.0.0.0 source).

              1 Reply Last reply Reply Quote 0
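One way to check the timing pattern described in the first post (entries at 13, 23, 43 and 53 seconds past the minute), as an added example that is not part of the original thread: it parses rows in the column layout of the quoted log entry and reports, per interface/source/destination/protocol, the seconds-past-minute offsets and the inter-arrival gaps. The sample rows, the `year` parameter, the function names and the thresholds in `is_clockwork` are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the column layout of the log entry quoted in the
# thread: time, interface, rule, source, destination, protocol (tab-separated).
ROW = "Aug 29 {} \tigb1 \tDefault deny rule IPv4 \t{}\t\t{}\t\t{}"
SAMPLE = [ROW.format(t, "0.0.0.0", "224.0.0.1", "IGMP") for t in
          ("09:14:13", "09:14:23", "09:14:43", "09:14:53", "09:15:13", "09:15:23")]
# One unrelated constructed entry (documentation addresses) and one broken row.
SAMPLE += [ROW.format("09:14:30", "192.0.2.10", "198.51.100.1", "ICMP"),
           "truncated row"]


def parse(line, year=2023):
    """Split one log row into (timestamp, flow key); None if malformed.

    The log rows carry no year, so one is assumed via the `year` argument.
    """
    cols = [c.strip() for c in line.split("\t") if c.strip()]
    if len(cols) != 6:
        return None
    when, iface, _rule, src, dst, proto = cols
    try:
        ts = datetime.strptime(f"{year} {when}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    return ts, (iface, src, dst, proto)


def periodicity(lines, year=2023):
    """Per flow: event count, seconds-past-minute offsets, distinct gaps (s)."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse(line, year)
        if rec:
            seen[rec[1]].append(rec[0])
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = {int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])}
        report[key] = {"count": len(stamps),
                       "offsets": sorted({t.second for t in stamps}),
                       "gaps": sorted(gaps)}
    return report


def is_clockwork(entry, min_events=4, max_distinct=2):
    """True when a flow repeats on a small, fixed set of inter-arrival gaps."""
    return entry["count"] >= min_events and 0 < len(entry["gaps"]) <= max_distinct


if __name__ == "__main__":
    for flow, stats in periodicity(SAMPLE).items():
        print(flow, stats, "clockwork" if is_clockwork(stats) else "irregular")
```

A flow that stays on the same few offsets and gaps over a long export points to a timer on a directly attached device rather than to scanning traffic.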
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.