How can I see who is connected?

Mr. Jingles

G'day all  ;D

Could I ask a simple question: how can I see who is connected at any given time, and in real time, both from within the LAN and from the outside? Preferably from the GUI as I am a noob in these matters ( :-[). I am asking this, because for apparently no reason sometimes my NAS-ses, that are in power save mode when all computers are shut down, boot up. That shouldn't be the case, so I was wondering if there is a way to see who is connected?

Thank you in advance for your answer  ;),

Bye,

stan-qaz

Maybe pfTop on the diagnostics menu?  https://pfsense/diag_system_pftop.php

Mr. Jingles

@stan-qaz:

Maybe pfTop on the diagnostics menu?  https://pfsense/diag_system_pftop.php

Thank you for your reply, Stan  ;D

The thing is, I am probably way too noob for this to understand the list shown there: I see lots of IP-adresses, but I don't know how to make sense of that. I mean, there is LAN-IP's connected to external sites, external sites sending information back: in the SRC column there are (mostly) LAN-IP's (but some of my external VDSL-IP too), in the DEST column are the PFsense LAN-IP, a lot of 127.0.0.1, and a lot of external IP's. So how do I tell if a non-invited guest has connected? Would that be the case if SRC contains anything different than my own LAN's and my external VDSL-ip-address? Or should I look for anything else?

Thank you for your reply & bye  :P

stan-qaz

I don't have any idea how you could figure out every connection there without a lot of work. I was hoping to find a really great answer here this morning from someone with more pfSense skills than I have.

For the original issue with your NAS devices I'd sort by destination-host, look for the NAS devices IP and see what IP it is connected to then look that up and see who it is.

If the pftop isn't helping you might want to look at the state tables too, they might give you a longer term view of what is happening on your network. Resetting the states as the last thing before you shut down your computers for the night should clear out most of the stuff you are not interested in making the NAS related things easier to find.

https://pfsense/diag_dump_states.php

https://pfsense/diag_states_summary.php

Looking at my LAN I see that my NAS (WD Live Drive) is awake but only a single entry on the summary page for my NAS "172.16.1.20 -> 172.16.3.255" (my broadcast address) which seems a bit strange since I haven't been using it. This has gotten me curious and doing a bit more thinking, maybe adding a couple rules to the firewall to log packets to and from the NAS would give me some information on external connections to/from it but wouldn't help with internal stuff.

Still hoping for an expert's suggestions.

–--

Since I mentioned the WD Live Drive I want to add read the manuals and WD site carefully before you buy one, it has many limitations and frustrations you might be happier avoiding. I wish I had!

tamtap

Short answer is no there isn't.

It would be a great feature though.

jimp

The ARP table shows hosts currently talking to/through the firewall (Diag > ARP). It's not 100% accurate for everyone who is online/connected though because it can only show you things that are actively talking to/through the firewall. If the NAS talks only to local PCs on its subnet and isn't making any outbound queries, it could be online and working and just not appear online to the firewall because the firewall doesn't see any of its traffic.

You could use NMAP to do an ARP scan of the segment and it would give you a fairly definitive list of MAC addresses that are live on the network at that time since it can actively scan for them.

• Install the NMAP Package
• Diag > NMAP
• IP/Host: Your subnet to scan, e.g. 192.168.77.0/24  (specify it using IP/CIDR notation!)
• Interface: LAN (you must choose an interface specifically, so LAN, DMZ, whatever you're trying to scan.
• Scan Method: ARP
• Click SCAN
• Wait for it to finish, look over the results.

Mr. Jingles

@jimp:

The ARP table shows hosts currently talking to/through the firewall (Diag > ARP). It's not 100% accurate for everyone who is online/connected though because it can only show you things that are actively talking to/through the firewall. If the NAS talks only to local PCs on its subnet and isn't making any outbound queries, it could be online and working and just not appear online to the firewall because the firewall doesn't see any of its traffic.

You could use NMAP to do an ARP scan of the segment and it would give you a fairly definitive list of MAC addresses that are live on the network at that time since it can actively scan for them.

• Install the NMAP Package
• Diag > NMAP
• IP/Host: Your subnet to scan, e.g. 192.168.77.0/24  (specify it using IP/CIDR notation!)
• Interface: LAN (you must choose an interface specifically, so LAN, DMZ, whatever you're trying to scan.
• Scan Method: ARP
• Click SCAN
• Wait for it to finish, look over the results.

Thank you very much, JimP  ;D

On another note, I was thinking: on a lot of forum software, there is this plugin that lets people say 'thanks' for a post by clicking a button. Would that be an idea to add to this forum also? As it would reduce the number of posts (when you look at 'show unread posts since last visit' you would also see posts like mine, just saying 'thank you', which perhaps not everybody would be interested in).

Just an idea, sir  ;D

jimp

We've discussed that and want to add it, but we need to get moved to SMF 2.x first. That has been a challenge to get done (we tried once and had to back it out, even after getting it to work on a test clone of the forum).

Once we're on there, a few other things will be enabled like that. That's a topic for a different thread, though. :-)