Strange LAN blocks destined for a Google IP Address



  • I'm getting some packets being blocked which are going off to a Google IP address 74.125.4.8:80, but I don't recognise the interface it's coming from reported in the system log.

    What I have in my system log, firewall tab is a number of these entries:
    Mar 14 20:20:30 lo0 192.168.1.102:53007 74.125.4.8:80 TCP:RA

    I don't recognise the interface lo0; I only have WAN (msk0) & LAN (re1), but I am running the Snort package, so is this how Snort appears in the system log when the option "Send alerts to main System logs" is ticked on an interface?

    Any ideas why Google would be generating a Snort alert, or is it best to ask this question elsewhere?

    TIA





  • That was quick. Thanks for the link. I'll keep an eye on this because when this happens I lose all net access, so to eliminate the old router as a possible problem I've just plugged in a different router and will see how that goes for the next few days as well.



  • These were outgoing connections, not incoming connections. Would this link http://doc.pfsense.org/index.php/Logs_show_"blocked"_for_traffic_from_a_legitimate_connection,_why%3F still apply as it's not incoming?



  • Yes.

    That has no relation to losing Internet connectivity.



  • lo0 is the loopback interface.  Maybe your Squid is using it?



  • I only have Snort installed at the moment to log but not block anything, no Squid installed unless it's installed by default as part of the pfSense 2.0.2 install somewhere.

    I thought the PC which had been running pfSense was acting up, as it was running on a 5-6yr old Dell desktop with a couple of NICs in, so I got a new cheap PC and stuck two NICs in it (the WAN NIC happens to be new), downloaded the AMD 2.0.2 ISO yesterday and installed pf on this new PC.

    Anyway, after posting yesterday the net access went down again, so I logged into pf and found the DHCP assigned WAN IP address was resetting back to 0.0.0.0. So I swapped the old Netgear DG834 router last night with a new one provided by the ISP which I have never used. All seems OK once I get them working; this morning I find the same problem: the DHCP assigned WAN IP had reset back to 0.0.0.0.

    So two firewalls and two routers and still losing the router DHCP assigned IP address.
    Is it possible one of the other PCs connected direct to the router could be interfering with the DHCP of the two different routers?

    This is one of the states from this morning when the WAN IP is 0.0.0.0:
    State
    icmp 192.168.1.65:52567 -> 192.168.1.254 0:0

    I spotted this in the router log during the bootup. The IP address is Chinese but I have no connection to China, nor have I visited any Chinese website; I can't read Mandarin.
    INF 2013-03-15T09:26:41Z fw,fwmon src=60.173.8.163 dst=81.136.193.23 ipprot=6 sport=6000 dport=8080 Unknown inbound session stopped

    This is the pf system log where it looks like it's asking for an IP address.
    Mar 15 08:49:01 dhclient[48232]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:59 dhclient[48232]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:58 dhclient[48232]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:57 dhclient[48232]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:57 dhclient: PREINIT
    Mar 15 08:48:57 php: : HOTPLUG: Configuring interface wan
    Mar 15 08:48:57 php: : DEVD Ethernet attached event for wan
    Mar 15 08:48:55 php: : The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf msk0 > /tmp/msk0_output > /tmp/msk0_error_output' returned exit code '15', the output was ''
    Mar 15 08:48:55 dhclient[27814]: exiting.
    Mar 15 08:48:55 dhclient[27814]: exiting.
    Mar 15 08:48:55 dhclient[27814]: connection closed
    Mar 15 08:48:55 dhclient[27814]: connection closed
    Mar 15 08:48:55 php: : DEVD Ethernet detached event for wan
    Mar 15 08:48:55 kernel: msk0: link state changed to UP
    Mar 15 08:48:55 check_reload_status: Linkup starting msk0
    Mar 15 08:48:55 dhclient[27686]: DHCPDISCOVER on msk0 to 255.255.255.255 port 67 interval 1
    Mar 15 08:48:53 check_reload_status: Linkup starting msk0
    Mar 15 08:48:53 kernel: msk0: link state changed to DOWN
    Mar 15 08:48:53 kernel: msk0: watchdog timeout
    Mar 15 08:48:49 dhclient[27686]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:46 dhclient[27686]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:44 dhclient[27686]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:44 dhclient: PREINIT
    Mar 15 08:48:44 php: : HOTPLUG: Configuring interface wan
    Mar 15 08:48:44 php: : DEVD Ethernet attached event for wan
    Mar 15 08:48:42 php: : The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf msk0 > /tmp/msk0_output > /tmp/msk0_error_output' returned exit code '15', the output was ''
    Mar 15 08:48:42 dhclient[24468]: exiting.
    Mar 15 08:48:42 dhclient[24468]: exiting.
    Mar 15 08:48:42 dhclient[24468]: connection closed
    Mar 15 08:48:42 dhclient[24468]: connection closed
    Mar 15 08:48:42 php: : DEVD Ethernet detached event for wan
    Mar 15 08:48:42 kernel: msk0: link state changed to UP
    Mar 15 08:48:42 check_reload_status: Linkup starting msk0
    Mar 15 08:48:41 dhclient[24162]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:40 check_reload_status: Linkup starting msk0
    Mar 15 08:48:40 kernel: msk0: link state changed to DOWN
    Mar 15 08:48:40 kernel: msk0: watchdog timeout
    Mar 15 08:48:36 dhclient[24162]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:34 dhclient[24162]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:33 dhclient[24162]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:33 dhclient: PREINIT
    Mar 15 08:48:33 php: : HOTPLUG: Configuring interface wan
    Mar 15 08:48:33 php: : DEVD Ethernet attached event for wan
    Mar 15 08:48:31 php: : The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf msk0 > /tmp/msk0_output > /tmp/msk0_error_output' returned exit code '15', the output was ''
    Mar 15 08:48:31 dhclient[21540]: exiting.
    Mar 15 08:48:31 dhclient[21540]: exiting.
    Mar 15 08:48:31 dhclient[21540]: connection closed
    Mar 15 08:48:31 dhclient[21540]: connection closed
    Mar 15 08:48:31 php: : DEVD Ethernet detached event for wan
    Mar 15 08:48:31 kernel: msk0: link state changed to UP
    Mar 15 08:48:31 check_reload_status: Linkup starting msk0
    Mar 15 08:48:30 dhclient[21393]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:29 check_reload_status: Linkup starting msk0
    Mar 15 08:48:29 kernel: msk0: link state changed to DOWN
    Mar 15 08:48:29 kernel: msk0: watchdog timeout
    Mar 15 08:48:25 dhclient[21393]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:23 dhclient[21393]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:23 dhclient: PREINIT
    Mar 15 08:48:23 php: : HOTPLUG: Configuring interface wan
    Mar 15 08:48:23 php: : DEVD Ethernet attached event for wan
    Mar 15 08:48:21 php: : The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf msk0 > /tmp/msk0_output > /tmp/msk0_error_output' returned exit code '15', the output was ''
    Mar 15 08:48:21 dhclient[18990]: exiting.
    Mar 15 08:48:21 dhclient[18990]: exiting.
    Mar 15 08:48:21 dhclient[18990]: connection closed
    Mar 15 08:48:21 dhclient[18990]: connection closed
    Mar 15 08:48:21 php: : DEVD Ethernet detached event for wan
    Mar 15 08:48:21 kernel: msk0: link state changed to UP
    Mar 15 08:48:21 check_reload_status: Linkup starting msk0
    Mar 15 08:48:20 dhclient[18988]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:19 check_reload_status: Linkup starting msk0
    Mar 15 08:48:19 kernel: msk0: link state changed to DOWN
    Mar 15 08:48:19 kernel: msk0: watchdog timeout
    Mar 15 08:48:15 dhclient[18988]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:13 dhclient[18988]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:11 dhclient[18988]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:48:11 dhclient: PREINIT
    Mar 15 08:48:11 php: : HOTPLUG: Configuring interface wan
    Mar 15 08:48:11 php: : DEVD Ethernet attached event for wan
    Mar 15 08:48:09 php: : The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf msk0 > /tmp/msk0_output > /tmp/msk0_error_output' returned exit code '15', the output was ''
    Mar 15 08:48:09 dhclient[13979]: exiting.
    Mar 15 08:48:09 dhclient[13979]: exiting.
    Mar 15 08:48:09 dhclient[13979]: connection closed
    Mar 15 08:48:09 dhclient[13979]: connection closed
    Mar 15 08:48:09 php: : DEVD Ethernet detached event for wan
    Mar 15 08:48:09 kernel: msk0: link state changed to UP
    Mar 15 08:48:09 check_reload_status: Linkup starting msk0
    Mar 15 08:48:07 check_reload_status: Linkup starting msk0
    Mar 15 08:48:07 kernel: msk0: link state changed to DOWN
    Mar 15 08:48:07 kernel: msk0: watchdog timeout
    Mar 15 08:48:03 dhclient[13755]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:47:59 dhclient[13755]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:47:57 dhclient[13755]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:47:55 dhclient[13755]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
    Mar 15 08:47:55 dhclient: PREINIT
    Mar 15 08:47:55 php: : HOTPLUG: Configuring interface wan
    Mar 15 08:47:55 php: : DEVD Ethernet attached event for wan
    Mar 15 08:47:53 php: : The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf msk0 > /tmp/msk0_output > /tmp/msk0_error_output' returned exit code '15', the output was ''
    Mar 15 08:47:53 dhclient[51387]: exiting.
    Mar 15 08:47:53 dhclient[51387]: exiting.
    Mar 15 08:47:53 dhclient[51387]: connection closed

    Anything else I can do to check/stop the WAN IP address from resetting back to 0.0.0.0, or anything else to check out?

    TIA
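
Added example, not part of the post above and not pfSense code: a Python script that puts system log lines in the format above (newest entry first) into chronological order and checks, for each `msk0: watchdog timeout`, whether a link-down event and a dhclient exit follow within a few seconds. The sample lines are constructed from the format in the post; the function names, the 5-second window and the year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format of the log above (newest entry first).
SAMPLE = """\
Mar 15 08:48:57 dhclient: PREINIT
Mar 15 08:48:55 dhclient[27814]: exiting.
Mar 15 08:48:55 php: : DEVD Ethernet detached event for wan
Mar 15 08:48:55 kernel: msk0: link state changed to UP
Mar 15 08:48:53 kernel: msk0: link state changed to DOWN
Mar 15 08:48:53 kernel: msk0: watchdog timeout
Mar 15 08:48:49 dhclient[27686]: DHCPREQUEST on msk0 to 255.255.255.255 port 67
Mar 15 08:48:42 dhclient[24468]: exiting.
Mar 15 08:48:42 kernel: msk0: link state changed to UP
Mar 15 08:48:40 kernel: msk0: link state changed to DOWN
Mar 15 08:48:40 kernel: msk0: watchdog timeout
"""
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ([^:\[]+)(?:\[\d+\])?: (.*)$")

def parse(text, year=2013):
    """Return (time, process, message) tuples, oldest first."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # the log carries no year, so one is assumed
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    events.reverse()  # reverse, not sort: keeps order within the same second
    return events

def flap_cycles(events, iface="msk0", window=5):
    """For each watchdog timeout, report what follows within `window` seconds."""
    cycles = []
    for i, (ts, proc, msg) in enumerate(events):
        if (proc, msg) != ("kernel", f"{iface}: watchdog timeout"):
            continue
        later = [(p, m) for t, p, m in events[i + 1:]
                 if (t - ts).total_seconds() <= window]
        cycles.append({
            "at": ts.strftime("%H:%M:%S"),
            "link_down": ("kernel", f"{iface}: link state changed to DOWN") in later,
            "dhclient_exit": ("dhclient", "exiting.") in later,
        })
    return cycles

def summarize(text):
    """Return (watchdog timeouts, timeouts followed by link down and dhclient exit)."""
    cycles = flap_cycles(parse(text))
    return len(cycles), sum(c["link_down"] and c["dhclient_exit"] for c in cycles)
```

`summarize(SAMPLE)` returns the number of watchdog timeouts and how many of them were followed by both a link-down and a dhclient exit, which separates DHCP client restarts that trail an interface reset from ones that happen on their own.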



  • My ISP has given me a new block of IP addresses to isolate the computers connected to the router by giving them each a different public IP address, which should put them all onto a different network but still going through one common gateway.

    I'm going to use the old firewall to monitor the connections from the other PCs connected direct to the router to see if one of them might have something on it which can interfere with the two routers handing out DHCP IP addresses, as this seems to be the stumbling block.

