UDP/40000 broadcasts from pfSense



  • Hi,

    I have occasionally discovered (by inspecting the firewall log) that pfSense happens to emit LAN broadcasts at UDP port 40000 and broadcast address as x.x.x.255.

    What it may be about? Anything useful? Anything to be better disabled?



  • It doesn't emit them, it's just blocking and logging them. Something else on your network is sending them out. Packet capture on LAN filtered on port 40000 left running long enough to grab them will show you the actual source MAC address so you can track down the source.



  • Wow :o

    Unfortunately this strange record was already out of log after my switching to raw log view… I'll have to keep an eye on this phenomenon...

    Do you mean it might be a broadcast with fake source IP address?



  • Oh it actually does have the firewall's source IP? Only way that would be possible is if you have some kind of weird rdr (port forward) and/or outbound NAT setup, causing it to forward that traffic from somewhere else.



  • Yes, it had the pfSense router address as source…  :o

    Well, I'll keep an eye on it and post here if I have some new info...


Locked