pfSense WAN (em1) constantly pinging my modem. Anyone know why?

  • Hi,

    I was looking at my Suricata alerts, and within the last few days the pfSense WAN interface (em1) has been pinging the ISP modem's internal interface. It was not always like this.

    From the Suricata log:

    04/26/2016  22:03:56 2 ICMP Attempted Information Leak SOURCE.IP    8 DESTINATION.IP  0 1:2100469  GPL SCAN PING NMAP

    If I do a tcpdump on the em1 interface, I see continuous pinging:

    21:37:40.212064 IP (tos 0x0, ttl 64, id 55590, offset 0, flags [none], proto ICMP (1), length 28)
        SOURCE.IP  > DESTINATION.IP: ICMP echo request, id 18862, seq 1229, length 8
    21:37:40.212478 IP (tos 0x0, ttl 64, id 9112, offset 0, flags [none], proto ICMP (1), length 28)
        DESTINATION.IP > SOURCE.IP: ICMP echo reply, id 18862, seq 1229, length 8

    How can I track down and stop whatever is doing this?

  • It's most likely the gateway monitoring feature of pfSense. It doesn't usually ping modems, unless they're acting as routers (and would thus be a default gateway for pfSense). You can change the IP address pinged for monitoring purposes under System > Routing, by changing the Monitor IP for that gateway.

  • Wow. That worked.
    I disabled it altogether, "to consider" the ISP modem/router up.

    I have been oblivious to this, and it's the first time I am seeing such entries in the Suricata log. A ping every 5 seconds or 10 seconds I understand, but continuous pinging, like multiple times per second, isn't that like performing a DDoS on the ISP modem? Is it safe to have that enabled?
    It just fills the Suricata log with junk.
    Is it a recent feature?

  • Ahhh, I see in the advanced features the default is set to 500ms.
    What's a useful setting to set it to? Like once every 12 hours?

  • That's always been done. Its interval is adjustable under System > Routing, edit the gateway. The default is 2 per second in 2.3 (with a 0 byte payload, so a trivially small amount of data), 1 per second in 2.2.x and earlier (at the default payload size, so less bandwidth is used in 2.3). If you aren't using multi-WAN (where you might need fast failover), then once a second or once every few seconds might be fine. You definitely don't want it set to hours or even minutes; it'll lose all its usefulness at that kind of interval.

    No it won't DoS anything.

    If your Suricata config is logging every ping, it's not exactly sane. It's pointless to have that, even without gateway monitoring it'll just log useless noise.
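The fingerprint this answer describes (one long-lived ICMP id, sequence numbers counting up, a 0 byte payload, i.e. IP total length 28 = 20 byte IP header + 8 byte ICMP header, and a ~500 ms cadence from a locally generated TTL-64 packet) can be checked mechanically against a tcpdump capture. The script below is an added example written for this thread, not pfSense code and not something the original posters ran. The packet lines are constructed to mirror the capture in the first post, with the documentation addresses 192.0.2.2 (pfSense WAN) and 192.0.2.1 (modem) standing in for SOURCE.IP and DESTINATION.IP; the "0 byte payload and at most one request per second" threshold is this example's own heuristic for the 2.3 default, not a definition from pfSense. For what it's worth, the GPL SCAN PING NMAP signature (sid 469) matches echo requests with an empty payload (dsize:0; itype:8), which is exactly what a 0 byte monitor ping is.

```python
import re
import statistics
from datetime import datetime

IP_HDR = 20   # bytes; assumes no IP options
ICMP_HDR = 8  # bytes; ICMP echo request/reply header

# Constructed sample of `tcpdump -v` output, modelled on the thread's capture.
# Addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE = """\
21:37:40.212064 IP (tos 0x0, ttl 64, id 55590, offset 0, flags [none], proto ICMP (1), length 28)
    192.0.2.2 > 192.0.2.1: ICMP echo request, id 18862, seq 1229, length 8
21:37:40.212478 IP (tos 0x0, ttl 64, id 9112, offset 0, flags [none], proto ICMP (1), length 28)
    192.0.2.1 > 192.0.2.2: ICMP echo reply, id 18862, seq 1229, length 8
21:37:40.712070 IP (tos 0x0, ttl 64, id 55591, offset 0, flags [none], proto ICMP (1), length 28)
    192.0.2.2 > 192.0.2.1: ICMP echo request, id 18862, seq 1230, length 8
21:37:40.712490 IP (tos 0x0, ttl 64, id 9113, offset 0, flags [none], proto ICMP (1), length 28)
    192.0.2.1 > 192.0.2.2: ICMP echo reply, id 18862, seq 1230, length 8
21:37:41.212060 IP (tos 0x0, ttl 64, id 55592, offset 0, flags [none], proto ICMP (1), length 28)
    192.0.2.2 > 192.0.2.1: ICMP echo request, id 18862, seq 1231, length 8
21:37:41.212470 IP (tos 0x0, ttl 64, id 9114, offset 0, flags [none], proto ICMP (1), length 28)
    192.0.2.1 > 192.0.2.2: ICMP echo reply, id 18862, seq 1231, length 8
21:37:41.712066 IP (tos 0x0, ttl 64, id 55593, offset 0, flags [none], proto ICMP (1), length 28)
    192.0.2.2 > 192.0.2.1: ICMP echo request, id 18862, seq 1232, length 8
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(tos 0x[0-9a-f]+, ttl (?P<ttl>\d+), "
    r"id \d+, offset \d+, flags \[[^\]]*\], proto ICMP \(1\), length (?P<len>\d+)\)$"
)
BODY_RE = re.compile(
    r"^\s+(?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


def parse_tcpdump(text):
    """Return one dict per ICMP echo packet found in tcpdump -v style output."""
    pkts, hdr = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            hdr = m.groupdict()   # first line: timestamp, TTL, IP total length
            continue
        m = BODY_RE.match(line)
        if m and hdr:             # second line: addresses, type, ICMP id/seq
            pkts.append({
                "ts": datetime.strptime(hdr["ts"], "%H:%M:%S.%f"),
                "ttl": int(hdr["ttl"]),
                "payload": int(hdr["len"]) - IP_HDR - ICMP_HDR,
                "src": m.group("src"), "dst": m.group("dst"),
                "kind": m.group("kind"),
                "id": int(m.group("id")), "seq": int(m.group("seq")),
            })
            hdr = None
    return pkts


def analyze(text):
    """Summarise the echo-request stream; assumes a single src/dst flow."""
    reqs = [p for p in parse_tcpdump(text) if p["kind"] == "request"]
    if not reqs:
        return {}
    seqs = [p["seq"] for p in reqs]
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
    return {
        "src": reqs[0]["src"], "dst": reqs[0]["dst"],
        "requests": len(reqs),
        "single_icmp_id": len({p["id"] for p in reqs}) == 1,
        "consecutive_seq": seqs == list(range(seqs[0], seqs[0] + len(seqs))),
        "payload_bytes": reqs[0]["payload"],
        "median_interval_s": round(statistics.median(gaps), 3) if gaps else None,
        "ttl_looks_local": all(p["ttl"] == 64 for p in reqs),  # not forwarded
    }


def looks_like_gateway_monitor(summary):
    """Heuristic for the pfSense 2.3 default: one ICMP id, sequential seq,
    empty payload, at most one request per second, locally generated."""
    return bool(summary) and summary["single_icmp_id"] \
        and summary["consecutive_seq"] and summary["payload_bytes"] == 0 \
        and summary["median_interval_s"] is not None \
        and summary["median_interval_s"] <= 1.0 and summary["ttl_looks_local"]


if __name__ == "__main__":
    s = analyze(SAMPLE)
    print(s)
    print("gateway monitor?", looks_like_gateway_monitor(s))
```

Run it against a real capture with `tcpdump -v -n -i em1 icmp > cap.txt` and feed the file's contents to analyze(). If the stream matches, a more targeted Suricata change than disabling the rule outright is a suppress entry in threshold.config for just the WAN address, e.g. "suppress gen_id 1, sig_id 2100469, track by_src, ip 192.0.2.2", which keeps the signature live for any other source.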

  • Thanks!
    I'll re-enable it for 1 time per second and disable that rule in Suricata.

    No, it's not a fancy setup, just connected to the ISP fiber router/switch/modem.