System log files for the firewall



  • hi all,

    im new to pfsense been using it for about 4 months now or more dont really know anyways i have a question it might be a dumb question i dont know but here it is  i looked at my log files on pfsense dashbroad an i found there is alot of WAN logs for  10.169.128.1:67    255.255.255.255:68 and i dont know what this is for and its all UDP  im just wondering what they are an should i be worried because my home server has been having alot of activing going on an i only see theses ip address's



  • UDP 67-68 are used for DHCP/BOOTP communication.  Maybe your Internet connection is on "Dynamic IP" from your service provider?  If yes, and if pfSense connects to the Internet via your modem using PPPoE or Dynamic IP, then those logs would be natural.



  • ok thanks..  now i have to see why my home server is upload 2 mbps all the time is there a way i could see ??



  • disabled UPNP and the uploading stopped  so i dont know what it was doing



  • Ah, you can check out which hosts behind your pfSense firewall is using how much bandwidth by clicking on "Status" and then "Traffic Graph".  Select the proper LAN interface you have on the pfSense and you will see the dynamically updated list of hosts accessing on that interface, with corresponding download and upload speeds per host.

    For UPNP, this helps computers behind the firewall to open ports automatically for communication to the Internet.  Some programs rely on this to work properly thru firewalls (i.e. Skype, BitTorrent, Online Games, etc.).



  • I'm on Charter cable modem service and I'm receiving the same private network address hits on my WAN. I called charter and asked, they had no idea what the private IP's were doing on there public network…. ::)

    They hit the firewall at random anywhere from 1 to 30 seconds...

    • Src-10.228.32.1:67  /Des -255.255.255.255:68 UDP

    • Src-10.229.219.1:67  /Des -255.255.255.255:68 UDP

    • Src-172.26.48.33:67  /Des -255.255.255.255:68 UDP

    The link light on the Cisco modem is amber when it really should be green, it hasn't interfered with my internet connection in any way.

    • Would it be best to continue blocking or should I let it pass?

    The small amount that I know about Pfsense and networking, my opinion is continue blocking, as it's not interfering with my connection or setup that I'm aware of :-\



  • You probably see the DHCP messages for the other customers on the same cable. If you're curious, you might do a packet capture on these messages and look into the MAC addresses. If you are more than curious, you could try to set up a rogue DHCP server…



  • I viewed the packet Captures and they appear to be BOOTP/DHCP ACK and Offers. This is the first time viewing packets at this level  :) ….. But thought packets would match the mac address of the cable modem .... None match. Is there something I'm missing? Is it maybe the DHCP offer was accepted when Pfsense/cable modem first booted and what I'm seeing are packets meant for other cable modems on there network  ???

    I can post the packet captures if you like....



  • @Clear-Pixel:

    Is it maybe the DHCP offer was accepted when Pfsense/cable modem first booted and what I'm seeing are packets meant for other cable modems on there network  ???

    That's what I assume. Sometimes ISPs misconfigure their modems and you can see traffic which is meant for somebody else.

    Ask your ISP about this issue; it might indicate a security flaw.


Log in to reply