Noticing traffic spikes on VLANs with no clients?
-
I created 4 VLANs on my pfSense (Private, Office, IoT and Guest) and currently have no clients at all connected to either the Office or Guest VLAN. I've noticed on the traffic graphs on my dashboard occasional spikes in activity, so I ran a packet capture to reveal what it was. I'm not entirely experienced enough in networking to understand the significance of what the packet capture revealed (ARP requests?) and whether this is completely normal activity. Any additional knowledge about this is appreciated.
-
Set your ACL to log traffic to see what's connecting. That is a ton of ARP requests; maybe set that MAC address to static if it's a NAS or something.
-
What is 10.18.40.1? Looks like that is running a scan for any other clients in the subnet.
-
@stephenw10 My Office VLAN ID is 40, so 10.18.40.1 is my default gateway for that subnet, as I created a DHCP pool address range of 10.18.40.100 to 10.18.40.200. Is it normally expected to have that gateway address routinely scan?
-
@TechNetwork1 said in Noticing traffic spikes on VLANs with no clients?:
My Office VLAN ID is 40 so 10.18.40.1 is my default gateway
You mean that is the pfSense IP on VLAN 40? I would guess you have the ntop package installed, and it's doing a network discovery - that is an ARP scan to see what IPs are there so it can do a discovery of services on the ones that answer.
https://www.ntop.org/ntopng/network-device-discovery-part-1-active-discovery/
You can either turn it off, or change its time to how often you want it to do it.
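To make the pattern described above (one address, here the pfSense gateway, asking "who-has" for every IP in the subnet in quick succession) easy to spot in a capture, here is an added example that is not from the thread or from pfSense or ntopng: it parses tcpdump-style ARP lines and flags any sender that queries many distinct targets inside a short window. The capture lines are constructed for the example; the threshold and window values are assumptions you would tune for your own network.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches tcpdump's ARP request line, e.g.
# "14:02:11.100000 ARP, Request who-has 10.18.40.2 tell 10.18.40.1, length 46"
ARP_REQ = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Request who-has (?P<target>[\d.]+) "
    r"tell (?P<sender>[\d.]+)"
)

def parse_arp_requests(lines):
    """Yield (timestamp, sender, target) for each ARP who-has line; replies are ignored."""
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
            yield ts, m.group("sender"), m.group("target")

def find_arp_sweeps(lines, window_seconds=10, min_targets=20):
    """Return {sender: peak distinct targets} for senders that asked about at
    least min_targets different IPs within any window_seconds-long window."""
    per_sender = defaultdict(list)
    for ts, sender, target in parse_arp_requests(lines):
        per_sender[sender].append((ts, target))
    window = timedelta(seconds=window_seconds)
    sweeps = {}
    for sender, events in per_sender.items():
        events.sort()
        in_window, start, best = Counter(), 0, 0   # sliding window over sorted events
        for ts, target in events:
            in_window[target] += 1
            while ts - events[start][0] > window:   # drop events older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            sweeps[sender] = best
    return sweeps

def constructed_capture():
    """Constructed sample (not a real pfSense capture): 10.18.40.1 walks the
    subnet at 50 ms intervals, while 10.18.40.150 does one ordinary ARP lookup."""
    base = datetime.strptime("14:02:11.000000", "%H:%M:%S.%f")
    lines = [f"{(base + timedelta(milliseconds=50 * i)).strftime('%H:%M:%S.%f')} "
             f"ARP, Request who-has 10.18.40.{i} tell 10.18.40.1, length 46"
             for i in range(2, 41)]
    lines.append("14:02:12.500000 ARP, Request who-has 10.18.40.1 tell 10.18.40.150, length 46")
    lines.append("14:02:12.500300 ARP, Reply 10.18.40.1 is-at 00:00:5e:00:53:01, length 46")
    return lines

if __name__ == "__main__":
    print(find_arp_sweeps(constructed_capture()))   # {'10.18.40.1': 39}
```

A sweep reported for the firewall's own interface address is the signature described in the thread; a sweep from any other host is worth identifying before assuming it is benign.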
-
That ^
-
@johnpoz said in Noticing traffic spikes on VLANs with no clients?:
I would guess you have ntop package installed, and its doing a network discovery - that is a arp scan to see what IPs are there so it can do a discovery of services on the ones that answer.
ntopng Active Discovery does a lot more than just ARP scans. It does a lot of "evil" things, including ssh fingerprinting. I cannot recommend strongly enough that it be disabled.
-
@dennypage just for clarity - I don't even have ntop enabled. I had to enable it to get the screenshot ;) The only time I would have use of it would be if looking into something specific.. And yeah, not really a fan of auto discovery of any sort. Unless it was manually triggered and I knew exactly what it was going to do..
It can be a very useful tool, but it's also going to be a performance hit.. To me it makes more sense as a troubleshooting tool vs hey, let this thing run 24/7/365
-
@johnpoz said in Noticing traffic spikes on VLANs with no clients?:
And yeah, not really a fan of auto discovery of any sort. Unless it was manually triggered and I knew exactly what it was going to do.
Same page.
What really sets me off is the documentation for ntopng makes it sound like some benign thing. You have to read the code to see what it actually does.
I had a buddy who tested the new ntopng package for me. He pinged me saying "Do you know any reason that pfSense should be making ssh connections to all the hosts in my network?" He was fully ready to wipe the firewall and re-install.
Turned out that he had enabled Active Discovery because he was curious about it, promptly got busy with other things and forgot about it.
-
It is enumerating your network..
-
@johnpoz Thank you so much! This helped me to understand and pinpoint the actual configuration responsible for the ARP scan.