Firewall log



  • Hoi guys,
    today i've checked my firewall log and notices this IP repeating the access to the firewall ! ( please find the attached )
    i dont have really this Subnet on my network, all my subnets are Class C !
    any suggestions what it could be ? it keep trying to connect every sec, i beleive someone is running some kind of script !




  • 224.0.0.0/4 is IPv4 Multicast address space - http://en.wikipedia.org/wiki/Reserved_IP_addresses
    Is that source address actually in one of your subnets? If not, then someone has a device with a static IP set and they have connected it.
    What physical network do you have, that the traffic is being seen on LAN and WAN?



  • @phil.davis:

    224.0.0.0/4 is IPv4 Multicast address space - http://en.wikipedia.org/wiki/Reserved_IP_addresses
    Is that source address actually in one of your subnets? If not, then someone has a device with a static IP set and they have connected it.
    What physical network do you have, that the traffic is being seen on LAN and WAN?

    hi Phil,
    i dont have any device using this IP all my subnets are Class C
    Pfsense is Virtual not Physical and using 3 NICS.
    all traffic goes from WAN to LAN and the otherway arround !
    i tried to ping that IP internaly but can't seem to reply.

    Maybe is a ISP broadcasting to the PFSENSE?



  • Maybe is a ISP broadcasting to the PFSENSE?

    That is quite usual - I see all sorts of rubbish on private IPs from my ISP on the WAN side. I put rules like the attached at the end of my ruleset on WAN to block and not log incoming multicast or packets with private IP source addresses. Then I just don't see all that crud on the ISPs "internal" network.
    But I don't understand how you see that on LAN also.




  • @phil.davis:

    Maybe is a ISP broadcasting to the PFSENSE?

    That is quite usual - I see all sorts of rubbish on private IPs from my ISP on the WAN side. I put rules like the attached at the end of my ruleset on WAN to block and not log incoming multicast or packets with private IP source addresses. Then I just don't see all that crud on the ISPs "internal" network.
    But I don't understand how you see that on LAN also.

    maybe this rabish because the ISP gateway is the WAN of the Pfsense, and Pfsense is Virtual ?