Firewall Log Shows My WAN IP keeps changing, AND I am on a STATIC IP



  • Please excuse my ignorance, I have a business account and static IP from my ISP because I have a web server running in my house as well as a mail server. The firewall logs show that my WAN IP changes very frequently. The log is pasted below and the IPs that trouble me are annotated in the log. These other IPs are also from my ISP and located in my same town. My static IP is 24.113.x.xxx.

    HOWEVER, is it possible that I am the victim of a man in the middle attack and all OUTBOUND TRAFFIC is passing through these other IPs?  Tracert shows nothing unusual. The log below does not even list my IP address. I'm certain the experts here have an easy answer for this.

    Any help is greatly appreciated. Thank you for reading this.

    Last 50 firewall log entries
    @@@@@@@@May 29 01:09:48 pf: Your-IP 24.113.239.59 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    May 29 01:09:48 pf: Gateway-IP 10.90.224.1
    May 29 01:09:48 pf: Client-Ethernet-Address 20:aa:4b:ae:4c:29 [|bootp]
    May 29 01:09:49 pf: 00:00:00.962227 rule 18/0(match): block in on dc0: (tos 0x0, ttl 255, id 45918, offset 0, flags [none], proto UDP (17), length 386)
    May 29 01:09:49 pf: 10.5.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 358, xid 0x1f32d95e, Flags [Broadcast]
    May 29 01:09:49 pf: Your-IP 10.5.1.137
    May 29 01:09:49 pf: Server-IP 172.17.17.2
    May 29 01:09:49 pf: Gateway-IP 10.5.0.1
    May 29 01:09:49 pf: Client-Ethernet-Address 00:1a:66:93:cd:1c
    May 29 01:09:49 pf: sname "prov-1.wavemta.net"
    May 29 01:09:49 pf: file "^1/90BEAFA7/HS10/RES" [|bootp]
    May 29 01:09:51 pf: 00:00:02.006949 rule 18/0(match): block in on dc0: (tos 0x0, ttl 255, id 45937, offset 0, flags [none], proto UDP (17), length 386)
    May 29 01:09:51 pf: 10.5.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 358, xid 0x1f32d95e, Flags [Broadcast]
    May 29 01:09:51 pf: Your-IP 10.5.1.137
    May 29 01:09:51 pf: Server-IP 172.17.17.2
    May 29 01:09:51 pf: Gateway-IP 10.5.0.1
    May 29 01:09:51 pf: Client-Ethernet-Address 00:1a:66:93:cd:1c
    May 29 01:09:51 pf: sname "prov-1.wavemta.net"
    May 29 01:09:51 pf: file "^1/90BEAFA7/HS10/RES" [|bootp]
    May 29 01:09:56 pf: 00:00:04.702810 rule 18/0(match): block in on dc0: (tos 0x0, ttl 255, id 45970, offset 0, flags [none], proto UDP (17), length 337)
    May 29 01:09:56 pf: 10.5.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 309, xid 0x771864a0, Flags [Broadcast]
    @@@@@@@@May 29 01:09:56 pf: Your-IP 24.113.133.24 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    May 29 01:09:56 pf: Gateway-IP 10.90.224.1
    May 29 01:09:56 pf: Client-Ethernet-Address 64:31:50:38:03:b6 [|bootp]
    May 29 01:10:01 pf: 00:00:04.683769 rule 18/0(match): block in on dc0: (tos 0x0, ttl 255, id 46012, offset 0, flags [none], proto UDP (17), length 337)
    May 29 01:10:01 pf: 10.5.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 309, xid 0x4377cc7f, Flags [Broadcast]
    @@@@@@@@May 29 01:10:01 pf: Your-IP 24.113.236.136 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    May 29 01:10:01 pf: Gateway-IP 10.90.224.1
    May 29 01:10:01 pf: Client-Ethernet-Address 58:6d:8f:cd:07:c2 [|bootp]
    May 29 01:10:01 pf: 00:00:00.053874 rule 18/0(match): block in on dc0: (tos 0x0, ttl 255, id 46017, offset 0, flags [none], proto UDP (17), length 337)
    May 29 01:10:01 pf: 10.5.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 309, xid 0x4377cc7f, Flags [Broadcast]
    @@@@@@@@May 29 01:10:01 pf: Your-IP 24.113.236.136 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    May 29 01:10:01 pf: Gateway-IP 10.90.224.1
    May 29 01:10:01 pf: Client-Ethernet-Address 58:6d:8f:cd:07:c2 [|bootp]
    May 29 01:10:04 pf: 00:00:03.549033 rule 18/0(match): block in on dc0: (tos 0x0, ttl 255, id 46043, offset 0, flags [none], proto UDP (17), length 386)
    May 29 01:10:04 pf: 10.5.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 358, xid 0x6f92aa93, Flags [Broadcast]
    May 29 01:10:04 pf: Your-IP 10.5.48.93
    May 29 01:10:04 pf: Server-IP 172.17.17.2
    May 29 01:10:04 pf: Gateway-IP 10.5.0.1
    May 29 01:10:04 pf: Client-Ethernet-Address 00:23:74:54:9d:2a
    May 29 01:10:04 pf: sname "prov-1.wavemta.net"
    May 29 01:10:04 pf: file "^1/ECF293EA/HS10/RES" [|bootp]
    May 29 01:10:06 pf: 00:00:02.008507 rule 18/0(match): block in on dc0: (tos 0x0, ttl 255, id 46066, offset 0, flags [none], proto UDP (17), length 386)
    May 29 01:10:06 pf: 10.5.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 358, xid 0x6f92aa93, Flags [Broadcast]
    May 29 01:10:06 pf: Your-IP 10.5.48.93
    May 29 01:10:06 pf: Server-IP 172.17.17.2
    May 29 01:10:06 pf: Gateway-IP 10.5.0.1
    May 29 01:10:06 pf: Client-Ethernet-Address 00:23:74:54:9d:2a
    May 29 01:10:06 pf: sname "prov-1.wavemta.net"
    May 29 01:10:06 pf: file "^1/ECF293EA/HS10/RES" [|bootp] ???


  • Rebel Alliance Developer Netgate

    That log isn't saying what you think it's saying  :)

    Those are all firewall log messages showing BLOCKED packets, which are DHCP requests from/to others on your WAN segment. That's a common thing to see on Cable networks. They aren't affecting your firewall in any way, aside from spamming your logs.

    If your IP was changing, that would be reflected in the main system log, not the firewall log.
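
    An added example, not part of the thread: a small parser for the pf/tcpdump lines pasted above that pairs each blocked BOOTP/DHCP reply with its Client-Ethernet-Address (the client the lease is for) and Your-IP (the address offered to that client), then checks whether any reply is addressed to the firewall's own WAN MAC. `WAN_MAC` is a hypothetical placeholder, since the thread does not give the firewall's MAC.

```python
import re

# Entries copied from the log above (one keeps the poster's @ annotation).
SAMPLE_LOG = """\
May 29 01:09:56 pf: 00:00:04.702810 rule 18/0(match): block in on dc0: (tos 0x0, ttl 255, id 45970, offset 0, flags [none], proto UDP (17), length 337)
May 29 01:09:56 pf: 10.5.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 309, xid 0x771864a0, Flags [Broadcast]
@@@@@@@@May 29 01:09:56 pf: Your-IP 24.113.133.24 @@@@@@@@
May 29 01:09:56 pf: Gateway-IP 10.90.224.1
May 29 01:09:56 pf: Client-Ethernet-Address 64:31:50:38:03:b6 [|bootp]
May 29 01:10:04 pf: 00:00:03.549033 rule 18/0(match): block in on dc0: (tos 0x0, ttl 255, id 46043, offset 0, flags [none], proto UDP (17), length 386)
May 29 01:10:04 pf: 10.5.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 358, xid 0x6f92aa93, Flags [Broadcast]
May 29 01:10:04 pf: Your-IP 10.5.48.93
May 29 01:10:04 pf: Client-Ethernet-Address 00:23:74:54:9d:2a
"""
WAN_MAC = "02:00:00:00:00:01"  # hypothetical: use the firewall's own WAN MAC

PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} pf: (.*)$")
RULE = re.compile(r"rule (\d+)/\d+\(match\): (\w+) (in|out) on (\w+):")
DHCP = re.compile(r"(\S+) > (\S+): BOOTP/DHCP, (\w+), .*xid (0x[0-9a-f]+)")
FIELD = re.compile(r"^(Your-IP|Client-Ethernet-Address) (\S+)")

def parse_dhcp_events(log_text):
    """Group the multi-line pf log output into one dict per matched packet."""
    events, cur = [], None
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip("@ \t"))  # tolerate the @ annotations
        if not m:
            continue
        body = m.group(1)
        if (r := RULE.search(body)):          # header line starts a new packet
            cur = {"rule": int(r[1]), "action": r[2], "dir": r[3], "iface": r[4]}
            events.append(cur)
        elif cur is None:
            continue
        elif (d := DHCP.search(body)):
            cur.update(src=d[1], dst=d[2], op=d[3], xid=d[4])
        elif (f := FIELD.match(body)):
            cur[f[1]] = f[2].lower()
    return events

def summarize(log_text, wan_mac):
    """Return (replies for other clients, replies for our own WAN MAC)."""
    others, ours = [], []
    for e in parse_dhcp_events(log_text):
        if e.get("op") != "Reply":
            continue
        row = (e.get("Client-Ethernet-Address"), e.get("Your-IP"), e["action"])
        (ours if row[0] == wan_mac.lower() else others).append(row)
    return others, ours
```

    An empty second list means none of the logged leases were issued to this firewall; every Your-IP in the log belongs to the client named beside it.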



  • Thank you very much, Jimp, for the very prompt reply. You relieved a lot of stress. Briefly, I built a server and mail system mostly for my children on the East Coast and I was using a WRT54G router with DD-WRT and a pgm called WallWatcher to monitor port probes and the like. Someone turned me on to pfSense and I am just starting to learn this stuff for an old man in my mid-60s.
        Again, thanks an awful lot for the help.

