Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    System log files for the firewall

    Scheduled Pinned Locked Moved Firewalling
    9 Posts 4 Posters 2.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • O
      owner524
      last edited by

      hi all,

      im new to pfsense been using it for about 4 months now or more dont really know anyways i have a question it might be a dumb question i dont know but here it is  i looked at my log files on pfsense dashbroad an i found there is alot of WAN logs for  10.169.128.1:67    255.255.255.255:68 and i dont know what this is for and its all UDP  im just wondering what they are an should i be worried because my home server has been having alot of activing going on an i only see theses ip address's

      1 Reply Last reply Reply Quote 0
      • J
        josekym
        last edited by

        UDP 67-68 are used for DHCP/BOOTP communication.  Maybe your Internet connection is on "Dynamic IP" from your service provider?  If yes, and if pfSense connects to the Internet via your modem using PPPoE or Dynamic IP, then those logs would be natural.

        1 Reply Last reply Reply Quote 0
        • O
          owner524
          last edited by

          ok thanks..  now i have to see why my home server is upload 2 mbps all the time is there a way i could see ??

          1 Reply Last reply Reply Quote 0
          • O
            owner524
            last edited by

            disabled UPNP and the uploading stopped  so i dont know what it was doing

            1 Reply Last reply Reply Quote 0
            • J
              josekym
              last edited by

              Ah, you can check out which hosts behind your pfSense firewall is using how much bandwidth by clicking on "Status" and then "Traffic Graph".  Select the proper LAN interface you have on the pfSense and you will see the dynamically updated list of hosts accessing on that interface, with corresponding download and upload speeds per host.

              For UPNP, this helps computers behind the firewall to open ports automatically for communication to the Internet.  Some programs rely on this to work properly thru firewalls (i.e. Skype, BitTorrent, Online Games, etc.).

              1 Reply Last reply Reply Quote 0
              • C
                Clear-Pixel
                last edited by

                I'm on Charter cable modem service and I'm receiving the same private network address hits on my WAN. I called charter and asked, they had no idea what the private IP's were doing on there public network…. ::)

                They hit the firewall at random anywhere from 1 to 30 seconds...

                • Src-10.228.32.1:67  /Des -255.255.255.255:68 UDP

                • Src-10.229.219.1:67  /Des -255.255.255.255:68 UDP

                • Src-172.26.48.33:67  /Des -255.255.255.255:68 UDP

                The link light on the Cisco modem is amber when it really should be green, it hasn't interfered with my internet connection in any way.

                • Would it be best to continue blocking or should I let it pass?

                The small amount that I know about Pfsense and networking, my opinion is continue blocking, as it's not interfering with my connection or setup that I'm aware of :-\

                HP EliteBook 2530p Laptop - Core2 Duo SL9600 @ 2.13Ghz - 4 GB Ram -128GB SSD
                Atheros Mini PCI-E as Access Point (AR5BXB63H/AR5007EG/AR2425)
                Single Ethernet Port - VLAN
                Cisco SG300 10-port Gigabit Managed Switch
                Cisco DPC3008 Cable Modem  30/4 Mbps
                Pfsense 2.1-RELEASE (amd64)
                –------------------------------------------------------------
                Total Network Power Consumption - 29 Watts

                1 Reply Last reply Reply Quote 0
                • K
                  Klaws
                  last edited by

                  You probably see the DHCP messages for the other customers on the same cable. If you're curious, you might do a packet capture on these messages and look into the MAC addresses. If you are more than curious, you could try to set up a rogue DHCP server…

                  1 Reply Last reply Reply Quote 0
                  • C
                    Clear-Pixel
                    last edited by

                    I viewed the packet Captures and they appear to be BOOTP/DHCP ACK and Offers. This is the first time viewing packets at this level  :) ….. But thought packets would match the mac address of the cable modem .... None match. Is there something I'm missing? Is it maybe the DHCP offer was accepted when Pfsense/cable modem first booted and what I'm seeing are packets meant for other cable modems on there network  ???

                    I can post the packet captures if you like....

                    HP EliteBook 2530p Laptop - Core2 Duo SL9600 @ 2.13Ghz - 4 GB Ram -128GB SSD
                    Atheros Mini PCI-E as Access Point (AR5BXB63H/AR5007EG/AR2425)
                    Single Ethernet Port - VLAN
                    Cisco SG300 10-port Gigabit Managed Switch
                    Cisco DPC3008 Cable Modem  30/4 Mbps
                    Pfsense 2.1-RELEASE (amd64)
                    –------------------------------------------------------------
                    Total Network Power Consumption - 29 Watts

                    1 Reply Last reply Reply Quote 0
                    • K
                      Klaws
                      last edited by

                      @Clear-Pixel:

                      Is it maybe the DHCP offer was accepted when Pfsense/cable modem first booted and what I'm seeing are packets meant for other cable modems on there network  ???

                      That's what I assume. Sometimes ISPs misconfigure their modems and you can see traffic which is meant for somebody else.

                      Ask your ISP about this issue; it might indicate a security flaw.

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.