Below is a small snippet of the logs that this pfSense generated. We send them to a Linux host to be captured via syslog. This started Monday and I noted the destination address was 224.0.0.x.

The troubling part to me was the middle set of packets tagged IGMP. Again, having never seen this before I did some research via Google and did find the culprit(s) on this network. We have a conference room that is being used by the company auditors during their annual review of the books. The company being audited has nothing Microsoft newer than WinXP, so their network is not generating any of this traffic. But the auditors have brand new shiny laptops running Win7. We have a Cisco 1841 facing the Internet and our own public IP subnet. For the conference room, we put a Linksys router in to give people (sales people doing demos and the auditors) easy access to the Internet without compromising the company's internal network. So the LAN side of the Linksys only feeds the data jacks in that conference room and is separate from the rest of the company's internal network. The Linksys router we use for them to access the Internet is too stupid to know what to do with those multicast packets and forwards them into our public IP subnet. The Netgear switch is correctly(?) handling them as multicast packets and sending them to everyone on the public IP switch. And pfSense is tagging these packets, possibly incorrectly. I discovered that pfSense has a packet capture feature and I used that. I installed Wireshark on my workstation and it can decode the packet capture. The MAC address in those packets was that of the Linksys router. Match!

Is there a bug in pfSense (1.2.3rc1) that it was tagging the one set of packets as IGMP?

One other reason for forwarding this info is for the entertainment of others that may suddenly find this stuff in their logs and wonder what it is. I have lurked on this list for a while and have not seen this mentioned before. This is normal traffic coming out of Vista and Win7 machines and is used for its network mapping functions.

Thanks,
Lyle Giese
LCR Computer Services, Inc.

Mar 16 06:59:26 vpngw pf: 20. 447477 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 30294, offset 0, flags [none], proto UDP (17), length 53) 66.253.101.30.54219 > 224.0.0.252.5355: UDP, length 25
Mar 16 06:59:27 vpngw pf: 109153 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 7750, offset 0, flags [none], proto UDP (17), length 53) 66.253.101.30.54219 > 224.0.0.252.5355: UDP, length 25
Mar 16 06:59:37 vpngw pf: 10. 747937 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 57677, offset 0, flags [none], proto UDP (17), length 53) 66.253.101.30.56951 > 224.0.0.252.5355: UDP, length 25
Mar 16 06:59:37 vpngw pf: 107564 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 27935, offset 0, flags [none], proto UDP (17), length 53) 66.253.101.30.56951 > 224.0.0.252.5355: UDP, length 25
Mar 16 06:59:47 vpngw pf: 9. 387961 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 10309, offset 0, flags [none], proto UDP (17), length 52) 66.253.101.30.57072 > 224.0.0.252.5355: UDP, length 24
Mar 16 06:59:47 vpngw pf: 094776 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 27446, offset 0, flags [none], proto UDP (17), length 52) 66.253.101.30.57072 > 224.0.0.252.5355: UDP, length 24
Mar 16 07:00:49 vpngw pf: 61. 813473 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 45355, offset 0, flags [none], proto UDP (17), length 54) 66.253.101.30.54544 > 224.0.0.252.5355: UDP, length 26
Mar 16 07:00:49 vpngw pf: 106967 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 51721, offset 0, flags [none], proto UDP (17), length 54) 66.253.101.30.54544 > 224.0.0.252.5355: UDP, length 26
Mar 16 07:00:52 vpngw pf: 2. 790296 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 43038, offset 0, flags [none], proto UDP (17), length 54) 66.253.101.30.53319 > 224.0.0.252.5355: UDP, length 26
Mar 16 07:00:52 vpngw pf: 094111 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 13098, offset 0, flags [none], proto UDP (17), length 54) 66.253.101.30.53319 > 224.0.0.252.5355: UDP, length 26
Mar 16 07:00:54 vpngw pf: 2. 662042 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 45163, offset 0, flags [none], proto UDP (17), length 54) 66.253.101.30.59147 > 224.0.0.252.5355: UDP, length 26
Mar 16 07:00:54 vpngw pf: 098603 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 13426, offset 0, flags [none], proto UDP (17), length 54) 66.253.101.30.59147 > 224.0.0.252.5355: UDP, length 26
----------bunch deleted-------------------
Mar 16 07:03:24 vpngw pf: 26. 844176 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 7356, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 66.253.101.30 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)]
Mar 16 07:03:24 vpngw pf: 078830 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 30711, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 66.253.101.30 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
Mar 16 07:03:24 vpngw pf: 234324 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 41368, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 66.253.101.30 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
----------bunch deleted------------------
Mar 16 16:35:17 vpngw pf: 1. 519699 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 3956, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 66.253.101.30 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)]
Mar 16 16:35:17 vpngw pf: 010817 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 31836, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 66.253.101.30 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
Mar 16 16:35:17 vpngw pf: 013488 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 2154, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 66.253.101.30 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
Mar 16 16:35:17 vpngw pf: 003811 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 16475, offset 0, flags [none], proto UDP (17), length 51) 66.253.101.30.51568 > 224.0.0.252.5355: UDP, length 23
Mar 16 16:35:17 vpngw pf: 105444 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 20996, offset 0, flags [none], proto UDP (17), length 51) 66.253.101.30.51568 > 224.0.0.252.5355: UDP, length 23

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
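The following is an added example, not part of Lyle's post and not pfSense code: a small Python parser for the pf log format shown above that labels each blocked packet so the traffic can be triaged at a glance. UDP to 224.0.0.252 port 5355 is LLMNR (RFC 4795), the name resolution that Vista and Win7 use alongside DNS; the lines tagged "proto IGMP (2)" to 224.0.0.22 are genuine IGMPv3 membership reports, which is how a host tells the segment it is joining (to_ex with zero sources) or leaving (to_in with zero sources) the 224.0.0.252 group, so the IGMP tag is a correct decode rather than a bug. Everything in the 224.0.0.0/24 range is link-local and carries TTL 1; seeing it on the firewall's public-side interface means a device on that segment (here the Linksys) is emitting or forwarding it. The sample log text is constructed after the post's format; the mDNS and SSDP entries in the service table go beyond what the post shows.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample, modeled on the pf/tcpdump log format in the post
# (the relative timestamp is printed as "SECONDS. MICROSECONDS" or just
# "MICROSECONDS" when under one second). Values are illustrative only.
SAMPLE_LOG = """\
Mar 16 06:59:26 vpngw pf: 20. 447477 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 30294, offset 0, flags [none], proto UDP (17), length 53) 66.253.101.30.54219 > 224.0.0.252.5355: UDP, length 25
Mar 16 06:59:27 vpngw pf: 109153 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 7750, offset 0, flags [none], proto UDP (17), length 53) 66.253.101.30.54219 > 224.0.0.252.5355: UDP, length 25
Mar 16 07:03:24 vpngw pf: 26. 844176 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 7356, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 66.253.101.30 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)]
Mar 16 07:03:24 vpngw pf: 078830 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 30711, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 66.253.101.30 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
Mar 16 07:05:00 vpngw pf: 95. 000001 rule 95/0(match): block in on fxp0: (tos 0x0, ttl 1, id 100, offset 0, flags [none], proto UDP (17), length 200) 66.253.101.30.60000 > 239.255.255.250.1900: UDP, length 172
Mar 16 07:05:01 vpngw pf: 500000 rule 12/0(match): block in on fxp0: (tos 0x0, ttl 64, id 101, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.7.44321 > 66.253.101.1.22: Flags [S], seq 1, win 65535, length 0
"""

# One regex for the fixed part of the line; the parenthesised IP header is
# matched lazily so the nested "(17)" / "(RA)" groups do not end it early.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pf: "
    r"(?:\d+\. )?\d+ rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): \((?P<iphdr>.*?)\) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<payload>.*)$"
)

LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # never routed, TTL 1
ALL_MCAST = ipaddress.ip_network("224.0.0.0/4")

# (destination group, UDP port) -> well-known discovery protocol.
KNOWN_MCAST_SERVICES = {
    ("224.0.0.252", 5355): "LLMNR",  # RFC 4795, Vista/Win7 name resolution
    ("224.0.0.251", 5353): "mDNS",   # not in the post; added for completeness
    ("239.255.255.250", 1900): "SSDP",  # not in the post; UPnP discovery
}


def parse_pf_line(line):
    """Return a dict of fields for one pf log line, or None if it does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    hdr = rec.pop("iphdr")
    proto = re.search(r"proto (\w+) \((\d+)\)", hdr)
    ttl = re.search(r"ttl (\d+)", hdr)
    rec["proto"] = proto.group(1) if proto else None
    rec["proto_num"] = int(proto.group(2)) if proto else None
    rec["ttl"] = int(ttl.group(1)) if ttl else None
    rec["router_alert"] = "options (RA)" in hdr  # IGMPv3 reports carry RA
    for k in ("sport", "dport"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    # IGMPv3 group record: "[gaddr 224.0.0.252 to_ex, 0 source(s)]"
    gaddr = re.search(r"gaddr (\S+) (\w+),", rec["payload"])
    rec["igmp_group"] = gaddr.group(1) if gaddr else None
    rec["igmp_record"] = gaddr.group(2) if gaddr else None
    return rec


def classify(rec):
    """Label a parsed record by what the packet actually is."""
    dst = ipaddress.ip_address(rec["dst"])
    if dst not in ALL_MCAST:
        return "unicast"
    if rec["proto"] == "IGMP" and rec["dst"] == "224.0.0.22":
        # to_ex + 0 sources = join the group, to_in + 0 sources = leave it
        return f"IGMPv3 report for group {rec['igmp_group']} ({rec['igmp_record']})"
    svc = KNOWN_MCAST_SERVICES.get((rec["dst"], rec["dport"]))
    if svc:
        return svc
    if dst in LINK_LOCAL_MCAST:
        return "other link-local multicast"
    return "other multicast"


def summarize(log_text):
    """Count packet classes per source address: {src: {label: count}}."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_pf_line(line)
        if rec is not None:
            summary[rec["src"]][classify(rec)] += 1
    return {src: dict(c) for src, c in summary.items()}


def link_local_sources(log_text):
    """Sources emitting 224.0.0.0/24 traffic: the hosts/routers worth chasing."""
    hits = set()
    for line in log_text.splitlines():
        rec = parse_pf_line(line)
        if rec and ipaddress.ip_address(rec["dst"]) in LINK_LOCAL_MCAST:
            hits.add(rec["src"])
    return hits


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_LOG).items():
        print(src, counts)
    print("link-local multicast sources:", sorted(link_local_sources(SAMPLE_LOG)))
```

Feed it the syslog file from the Linux collector and the per-source counts separate harmless LLMNR/IGMP chatter from anything that deserves a closer look; the source list is the set of MAC-to-IP pairs to confirm in the packet capture, as the post did with Wireshark.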