    How do you capture Subnetwork packets in Pfsense ?

user5901:

      Hello ,

I have pfSense installed as a router in my local network and am able to trace all the IPs passing through the LAN or WLAN in my local network, but how can I trace the traffic of subnets under my local network?

Architecture: let me explain my architecture to you. I have a local network of 192.168.1.0/24 and I can monitor all the LAN/WLAN traffic of this network. Now let us suppose a user with IP 192.168.1.10 makes a hotspot/Wi-Fi using his system and creates a subnetwork in the 10.10.2.0/24 range. Will I be able to detect the traffic/packets of this subnetwork created by the hotspot?

      Thanks in Advance

cmb:

        @user5901:

Now let us suppose a user with IP 192.168.1.10 makes a hotspot/Wi-Fi using his system and creates a subnetwork in the 10.10.2.0/24 range. Will I be able to detect the traffic/packets of this subnetwork created by the hotspot?

        In that circumstance the 10.10.2 won't be visible beyond that client itself, as it'll NAT everything to 192.168.1.10. On your network, it looks like a single device.

johnpoz (LAYER 8 Global Moderator):

Are you asking how to detect downstream NATs that have multiple clients behind them? Normally this is done by looking at the TTL of the traffic coming from the hosts, since any NAT router, even pfSense, normally subtracts 1 from the TTL value.

So Windows, for example, normally sends packets with a TTL of 128; if you're seeing packets at pfSense with a TTL of 127, then that packet went through a router (hop) that may or may not have done NAT. You could do this automatically with a switch in front of pfSense sending sFlow to some sort of analyzer that looks for this and logs/alerts on it.

You could also use some form of OS fingerprinting on the traffic and, looking at other details in the traffic, look for something that points to different OSes being used from the same IP at the same time, since it is possible to configure your router not to decrement the TTL if you're trying to hide your NAT. I did this back in the day when some ISPs were saying you could only have one device connected, etc.

Do a simple Google search for NAT discovery/detection.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

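The two heuristics in the reply above (an extra TTL decrement, and more than one OS fingerprint behind a single LAN IP at the same time) as an added worked example. This is illustration code written for this page, not code from the thread, from pfSense or from any sFlow analyzer; the packet records are constructed, not a real capture, and the `win`/`df` fields and the 60-second "same time" window are assumptions about what a capture would expose and how tight the correlation should be.

```python
"""Heuristics for spotting a downstream NAT (a client sharing its hotspot)
from packets seen on the pfSense LAN side. Added illustration, not code from
the forum thread or from pfSense; the packet records below are constructed."""
from collections import defaultdict

# Initial TTLs most operating systems use: 64 (Linux, macOS, FreeBSD, Android,
# iOS), 128 (Windows), 255 (some network gear, Solaris). 32 is rare but seen.
INITIAL_TTLS = (32, 64, 128, 255)
SAME_TIME_WINDOW = 60.0  # seconds; assumed meaning of "at the same time"


def initial_ttl(ttl):
    """Smallest common initial TTL at or above the observed value."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init
    return None  # anything above 255 is not a valid IPv4 TTL


def hops(ttl):
    """Router hops the packet took before reaching us, assuming a common initial TTL."""
    init = initial_ttl(ttl)
    return None if init is None else init - ttl


def fingerprint(rec):
    """Crude p0f-style OS class from initial TTL, TCP window and DF bit.
    The win/df fields are an assumption about what the capture exposes."""
    return (initial_ttl(rec["ttl"]), rec.get("win"), rec.get("df"))


def analyze(records):
    """records: dicts with src, ts (seconds), ttl, and optional win/df.
    Returns {src: {"suspect_nat": bool, "reasons": [...], "ttls": [...]}}."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()
        if any((hops(r["ttl"]) or 0) > 0 for r in recs):
            reasons.add("ttl_decremented")  # an extra router hop behind this IP
        if len({initial_ttl(r["ttl"]) for r in recs}) > 1:
            reasons.add("mixed_ttl_classes")  # e.g. 64 and 128 from one IP
        # Two different fingerprints close together in time from one IP: more
        # than one OS is active behind it, even if the NAT box keeps the TTL.
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                if b["ts"] - a["ts"] > SAME_TIME_WINDOW:
                    break
                if fingerprint(a) != fingerprint(b):
                    reasons.add("mixed_os_fingerprints")
                    break
        findings[src] = {
            "suspect_nat": bool(reasons),
            "reasons": sorted(reasons),
            "ttls": sorted({r["ttl"] for r in recs}),
        }
    return findings


# Constructed sample, not a real capture (ts in seconds, win = TCP window).
SAMPLE = [
    # 192.168.1.20: a single Windows host talking directly to pfSense.
    {"src": "192.168.1.20", "ts": 0.0, "ttl": 128, "win": 64240, "df": True},
    {"src": "192.168.1.20", "ts": 5.0, "ttl": 128, "win": 64240, "df": True},
    # 192.168.1.10: an Android phone (TTL 64) whose hotspot also carries a
    # Windows laptop; the laptop's packets arrive with TTL 127 after one hop.
    {"src": "192.168.1.10", "ts": 1.0, "ttl": 64, "win": 65535, "df": True},
    {"src": "192.168.1.10", "ts": 2.0, "ttl": 127, "win": 64240, "df": True},
    # 192.168.1.30: a NAT box configured not to decrement TTL; both clients
    # behind it show hop count 0, but their fingerprints differ.
    {"src": "192.168.1.30", "ts": 10.0, "ttl": 64, "win": 29200, "df": True},
    {"src": "192.168.1.30", "ts": 12.0, "ttl": 128, "win": 64240, "df": True},
    # 192.168.1.40: different fingerprints but 30 minutes apart (DHCP lease
    # reuse), which the time window deliberately does not flag as a NAT.
    {"src": "192.168.1.40", "ts": 100.0, "ttl": 64, "win": 29200, "df": True},
    {"src": "192.168.1.40", "ts": 1900.0, "ttl": 64, "win": 65535, "df": True},
]

if __name__ == "__main__":
    for src, f in sorted(analyze(SAMPLE).items()):
        print(src, f)
```

The TTL check alone misses 192.168.1.30, where the NAT box was told not to decrement, which is the case the reply warns about; the fingerprint check still catches it because two distinct OS classes show up from that IP within seconds of each other. The window also keeps a reassigned DHCP lease (192.168.1.40) from looking like a NAT. In practice the records would come from a pfSense packet capture or from sFlow samples off the upstream switch, as the reply suggests.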
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.