Strange Promiscuous Mode Disabled…then Enabled...



  • Hello,

    We have PFSense 1.2. In the system diagnostics tab, I see the following. This appears to be random, but not sure. I see that promiscuous mode always disables first and then enables. By the way, I am not running any tools that would be causing this. We are connected via IPSec VPN to another location. That location is serving up DHCP to this location. I don't see why that would cause this? I just started seeing this popup lately (unless I didn't notice it before). Is this pfsense itself or definitely another machine requesting? If it is another machine, how would I identify it? I want to make sure that there isn't a compromised machine on the network. I'm trying to look for patterns, but not seeing any so far…

    Dec 29 23:56:16 kernel: pflog0: promiscuous mode enabled
    Dec 29 23:56:16 kernel: pflog0: promiscuous mode disabled

    Dec 29 22:37:21 kernel: pflog0: promiscuous mode enabled
    Dec 29 22:37:21 kernel: pflog0: promiscuous mode disabled

    I'm also seeing this fairly frequently...

    Dec 29 23:36:46 syslogd: kernel boot file is /boot/kernel/kernel
    Dec 29 23:36:46 syslogd: exiting on signal 15

    I see this link (But I'm not using tcpdump or any other utilities that should cause this)...
    http://doc.pfsense.org/index.php/What_are_"promiscuous_mode_enabled"_log_messages%3F

    I also just discovered something really interesting - When I click on "System" and then "General Setup"...I don't even need to make changes to anything. Then, I immediately click on "Status" and then "System Logs", every time it generates:

    Dec 30 02:23:56 kernel: pflog0: promiscuous mode enabled
    Dec 30 02:23:56 kernel: pflog0: promiscuous mode disabled

    Thanks!



  • That's 1.2, not 1.2.3? Upgrade.

    Something is causing logging to be restarted, that's what causes both of those logs. Not sure what, but could be any number of 1.2 issues that have long since been fixed.



  • I've had the same issue. In my case this happens whenever I'm on the Traffic Graph (with rate package on wan) page. Closing the tool stops the messages. :)



  • @sot010174:

    I've had the same issue. In my case this happens whenever I'm on the Traffic Graph (with rate package on wan) page. Closing the tool stops the messages. :)

    that's normal expected behavior with the rate package. rate in 2.0 has been patched to not go into promiscuous mode (doesn't need to in a firewall scenario) so you don't see that there.


Log in to reply