Unknown connection
-
Hi, can someone explain why my ISP IP is trying to connect to some local IP? I do not even have this local subnet. I always create a rule to prevent local subnets from leaving WAN. But this subnet does not belong to any of my home subnets. Please clarify this situation.
-
@Antibiotic Could it be your ISP trying to connect to the modem to update firmware?
-
@provels I do not have any ISP modem or router. The cable goes straight into the house.
-
Who is (are) these :
Normally, you don't need to hide 'some random IP' addresses.
Or did you hide your WAN IP ?
And is it a RFC1918 IP, or not ?
And what does this mean :
Is this you (using pfBlockerNG ?) that is filtering on your WAN ?
Why ? Why not let them just hit the 'wall' and discard all the noise coming from the Internet ?
Do you have a NAT rule that uses your LAN device 192.168.0.100 (UDP) ?
What do you have connected to your WAN of pfSense, a modem ? (ISP) Router ?
-
@Gertjan said in Unknown connection:
Is this you (using pfBlockerNG ?) that is filtering on your WAN ?
Why ? Why not let them just hit the 'wall' and discard all the noise coming from the Internet ?
Yes, using pfBlockerNG; sorry, it is not clear what you want to tell me.
-
@Gertjan said in Unknown connection:
Do you have a NAT rule that uses your LAN device 192.168.0.100 (UDP) ?
I do not even have this subnet; I have the 192.168.10.0/24 subnet.
To avoid questions: I have a WiFi router connected to the switch, but working in AP mode. The pfSense LAN goes to the switch, and the rest of the home network is connected over this switch. I do not use VLANs.
-
@Gertjan said in Unknown connection:
What do you have connected to your WAN of pfSense, a modem ? (ISP) Router ?
Just the cable, without any router or modem.
-
@Gertjan said in Unknown connection:
is this you (using pfBlockerng ?) that is filtering on your WAN ? ?
This is a floating block rule to avoid local subnets going over WAN. Please see my posted rule above.
-
@Gertjan Again the same story, only a different local IP, not my subnet.
-
@Antibiotic said in Unknown connection:
Yes, it's my WAN IP
Humm, then I don't really understand why this RFC1918 has been triggered.
You have this one activated on WAN ? :
It's not really needed. (it can fill up the firewall log ... that's for sure - as you've figured out )
Remove that option, let them hit the default WAN interface behavior - "black hole them all and don't even log them".
@Antibiotic said in Unknown connection:
@Gertjan said in Unknown connection:
Do you have a NAT rule that uses your LAN device 192.168.0.100 (UDP) ?
I do not even have this subnet; I have the 192.168.10.0/24 subnet.
To avoid questions: I have a WiFi router connected to the switch, but working in AP mode. The pfSense LAN goes to the switch, and the rest of the home network is connected over this switch. I do not use VLANs.
Then I'm pretty confident that these lines are just 'bots' or whatever trying out all kinds of ports ...
Still, on the "Internet" (the real Internet) there can't be any packets with "RFC1918" coming to you, as these can't be routed over the Internet. Your ISP can't send you these.
Which means (IMHO) that your WAN cable isn't the "real" Internet but more a LAN coming from "someone else".
And then RFC1918 is possible.
But, at the end, you don't have to worry about it, an empty pfSense WAN firewall list will block everything, RFC1918 or not.
-
@Antibiotic Something similar happens with my ISP, I got a fiber cable straight to the router WAN interface. ICMP from different 10.* addresses (from the same one for a few hours or days, then from another), every 5 seconds.
I've been in contact with the ISP for a few weeks and they don't know where it is from; they told me it must be from my network. I'm pretty sure it's not. None of my networks are even close to any of these ranges.
I can't find it in the router's ARP table.
Your best chance is to contact your ISP.
-
@Gertjan said in Unknown connection:
Which means (IMHO) that your WAN cable isn't the "real" Internet but more a LAN coming from "someone else".
What do you MEAN, CAN YOU PLEASE EXPLAIN MORE?
-
@patient0 said in Unknown connection:
Your best chance is to contact your ISP.
Is it possible that someone illegally connected to my cable outside of my flat?
-
@Antibiotic said in Unknown connection:
CAN YOU PLEASE EXPLAIN MORE?
My idea of an "Internet connection" is what most of us (99 % or more) use : an ISP kind of company that brings a 4G/5G carrier, a coax cable, a phone line using ADSL or VDSL, or, more and more common today : a fiber cable into your premises.
On this connection, you can not (ideally) and should not find any RFC1918 traffic : packets with a source or destination in the RFC1918 ranges (10/8, 172.16/12, 192.168/16), unique local addresses per RFC 4193 (fc00::/7), or loopback addresses (127/8).
But, the world isn't that perfect, and, for example, it's common that coax cable users find RFC1918 traffic on their WAN interface.
Because the "coax ISP" bundles all the coax cables (== your WAN, the WAN of the neighbor etc) together and treats it as a ... well .. a LAN.
The devices used by these coax ISPs are just modems : they convert 'LAN' traffic to 'coax' traffic and back without much distinction between packets. After all, it's a dumb modem, not a router (with firewall), so you can see some of the (broadcast) traffic of your neighbors as well.
This :
@patient0 said in Unknown connection:
Something similar happens with my ISP, I got a fiber cable straight to the router WAN interface. ICMP from different 10.* addresses (from the same one for a few hours or days, then from another), every 5 seconds.
Shouldn't be possible either.
But hey, it's known by now, ISPs aren't always perfect ^^
@Antibiotic said in Unknown connection:
Is it possible that someone illegally connected to my cable outside of my flat?
Seems a good connection to me.
But, IMHO, such a connection isn't very common.
Who is on the other side of the cable ? Can't be far, as Ethernet can run for 130 m. max.
Bottom line : don't worry - and I'm serious.
You use a pfSense. You're good.
No traffic (that you don't want to) can come into WAN, whatever the source is. So, RFC1918, or something else, you don't care.
Just don't log whatever happens on your firewall WAN interface. Silence it.
Apply the stupid but golden rule : what you can't see, doesn't exist.
Of course 'unsolicited traffic' will hit your WAN. That's as normal as 'the sun comes up in the morning'.
-
@Antibiotic said in Unknown connection:
Is it possible that someone illegally connected to my cable outside of my flat?
Seems very unlikely to me. How does your ISP make sure that only a legit customer can use their service? In my case it's the MAC address of the WAN, and it's fiber in my case. Not easy to connect to. But again your ISP could check if multiple WAN clients are connecting through that line.
I had another issue some time ago and they told me they don't have measures to prevent RFC1918 traffic on their network.
So I guess it's more incompetence of the ISP.
-
@Antibiotic said in Unknown connection:
flat
So you are in a multi-tenant building? Explains why you have no ISP kit.
If I had to guess, your kit is behind common infrastructure for the entire building and not directly on the public internet, thus you are not getting a public IP address assigned to your pfSense firewall.
The scans are likely coming from that common infrastructure as part of vulnerability detection and to detect who is hosting services from their flat that may be against terms of service (ToS). Or possibly other tenants looking for vulnerabilities.
Use the following link to determine what the real public IP address is. https://ping.eu
If that does not match the IP address assigned to your firewall, then you are not directly on the public internet.
-
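A small triage helper for the two points raised above (the non-routable ranges Gertjan lists, and the "does the address on my WAN match what the Internet sees?" check suggested just before this): added example code for this thread, not pfSense's own or any poster's. The blocked-hit records and addresses in it are constructed; the `192.168.0.100`/UDP destination only mirrors the one asked about earlier in the thread.

```python
"""Triage helper for RFC1918/ULA/loopback sources showing up on a firewall WAN.
Example code written for this discussion, not part of pfSense. The address
families are the ones named in the thread; all sample data is constructed."""
import ipaddress
from collections import Counter

# Families that must never arrive over a real Internet link (from the thread).
NON_ROUTABLE = {
    name: [ipaddress.ip_network(n) for n in nets]
    for name, nets in {
        "rfc1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
        "rfc4193": ("fc00::/7",),
        "loopback": ("127.0.0.0/8", "::1/128"),
    }.items()
}

def classify(addr):
    """Name the non-routable family an address falls in, or 'public'."""
    ip = ipaddress.ip_address(addr)
    for name, nets in NON_ROUTABLE.items():
        if any(ip in net for net in nets):
            return name
    return "public"

def directly_on_internet(wan_addr, observed_addr):
    """The check from the thread: the address held on WAN should be public and
    equal the address an external site reports back. Anything else means another
    LAN/NAT (building kit, ISP segment) sits between you and the Internet."""
    return (classify(wan_addr) == "public"
            and ipaddress.ip_address(wan_addr) == ipaddress.ip_address(observed_addr))

# Constructed sample of blocked WAN hits: (source, destination, protocol).
SAMPLE_BLOCKED = [
    ("10.20.30.40", "192.168.0.100", "udp"),
    ("10.20.30.40", "192.168.0.100", "udp"),
    ("10.20.30.40", "192.168.0.100", "udp"),
    ("198.51.100.77", "203.0.113.9", "tcp"),
    ("192.168.5.1", "203.0.113.9", "icmp"),
    ("fd00::1", "2001:db8::9", "icmp"),
]

def summarize(records):
    """Count hits per source family and list sources seen more than once, so a
    persistent private-range sender stands out from Internet background noise."""
    by_family = Counter(classify(src) for src, _dst, _proto in records)
    by_source = Counter(src for src, _dst, _proto in records)
    repeated = [src for src, n in by_source.most_common() if n > 1]
    return dict(by_family), repeated

if __name__ == "__main__":
    print(summarize(SAMPLE_BLOCKED), directly_on_internet("203.0.113.9", "203.0.113.9"))
```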
@Gertjan said in Unknown connection:
You use a pfSense. You're good.
No traffic (that you don't want to) can come into WAN, whatever the source is. So, RFC1918, or something else, you don't care.
Yeah, I'm in love with pfSense, are you?