OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Hansiii on January 04, 2024, 02:46:13 pm

Title: Portscan?
Post by: Hansiii on January 04, 2024, 02:46:13 pm
I have the following problem. On my opnsense I discovered the following in the firewall live view. Since my internet often hardly works as a result, I need a solution.

(https://i.ibb.co/vZx9tKk/Screenshot-2024-01-04-143932.png) (https://ibb.co/0hj5wdr)

I don’t understand the src and dst. src is my public IP and dst are the registered servers. Is the scan now coming from outside or over my network? I have already done a packet capture on all interfaces, but only discovered the port scan on the WAN interface. I have also already tried to block the port scan with Suricata, but without success, probably because of my own IP, right?
Title: Re: Portscan?
Post by: CamrenFlatley on January 04, 2024, 06:01:20 pm

https://forum.opnsense.org/index.php?topic=18282.0

Maybe this link is useful to you.
Title: Re: Portscan?
Post by: cookiemonster on January 04, 2024, 06:08:18 pm
That doesn't look like a scan from the internet into your firewall, but instead traffic out from it.
From left to right: the interface is WAN. Then the arrow tells you it is in direction OUT, and this is confirmed by the text of that default rule "let out anything from firewall...". The source IP will be your LAN clients on a random port.
The destination is the IP:port. In this case, it has all the hallmarks of the outbound leg of your LAN clients' DNS queries.
Title: Re: Portscan?
Post by: Hansiii on January 04, 2024, 10:05:37 pm
Thanks for your answer. My assumption is also that something is wrong in my network. Unfortunately it is not clear when this happens. Which client is sending an extremely large number of requests in a very short time on TCP and UDP with floating ports and is extremely disrupting the internet connection for about 30 mins? I have a LAN interface with a local IP range and would like to find the cause. That's why I did a packet capture on the LAN interface, but couldn't find anything. There are no similar ports to be found. Could it be something on the OPNsense or the China hardware itself? Is IPS already working on PPPoE? Are there any other possibilities besides a packet capture to analyze this? Maybe unplug all devices one by one as it happens.
Title: Re: Portscan?
Post by: cookiemonster on January 04, 2024, 10:45:25 pm
The IP of the client sending the request is the one you have masked in your post. The source port will be randomised. You should be able to trace the client from this IP in the DHCPv4 leases page.
Title: Re: Portscan?
Post by: Hansiii on January 04, 2024, 11:11:02 pm
The masked IPs are my public IP from the ISP on the WAN interface. That's what I don't really understand.
Title: Re: Portscan?
Post by: cookiemonster on January 04, 2024, 11:33:41 pm
Eh! The direction is OUT, right?
I imagine you have, under System | Settings | Logging, either "Log packets matched from the default pass rules put in the ruleset" or "Log packets processed by automatic outbound NAT rules" or both enabled.
If yes, then as I wrote, what you see is the outbound leg of your client queries going out of the WAN interface. This is what you would expect.

Edit: additional info
Title: Re: Portscan?
Post by: Hansiii on January 05, 2024, 04:45:45 pm
(https://i.ibb.co/Q6Ln8JL/Screenshot-2024-01-05-135517.png) (https://ibb.co/JzV2xcV)

Yes to your answer. The masked IP is my public IP. I can't find the cause in my local network. How can I get the local IP of this traffic, and how can I set up an IPS on a PPPoE WAN connection? If this is not possible, I may need to revert to using my ISP’s router.
Title: Re: Portscan?
Post by: Patrick M. Hausen on January 05, 2024, 04:50:34 pm
You should have matching connections on the LAN (or some other internal) interface. These are just outbound NATed connections.
Title: Re: Portscan?
Post by: cookiemonster on January 05, 2024, 06:12:52 pm
Exactly, and furthermore, you don't need to enable this logging unless you are diagnosing, as you double the writes for the same thing.
See, the client on LAN is going out to the internet. The request goes IN on the LAN interface, OPNsense NATs it before sending it OUT via WAN. This is why you see it this way.
So, if you know this, you can disable this log, knowing that every request IN, unless blocked/rejected by the firewall/router, will have a corresponding OUT on WAN.
Now that we know this, we just need to switch to logging the LAN traffic. So untick this logging, switch back to the live view, and look for all the traffic labelled "Default allow LAN to any rule" unless you've changed the default.
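Besides switching the live view to the LAN rule, the pf state table itself records which internal client sits behind each NATed WAN connection. The following added example (not code from this thread or from OPNsense) parses constructed lines in the shape FreeBSD pf prints for outbound NAT states via `pfctl -ss`, where the translated public address comes first and the original LAN client follows in parentheses, and ranks LAN clients by how many distinct destinations they are talking to. The state line format and the documentation-range addresses are assumptions; in practice you would feed it the real output of `pfctl -ss`.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape FreeBSD pf prints outbound NAT states
# (`pfctl -ss`): translated WAN address first, original LAN client in
# parentheses. Addresses are documentation ranges, not real hosts.
SAMPLE_STATES = """\
all udp 203.0.113.5:41022 (192.168.1.23:51515) -> 9.9.9.9:53       MULTIPLE:MULTIPLE
all udp 203.0.113.5:41023 (192.168.1.23:51516) -> 1.1.1.1:53       MULTIPLE:MULTIPLE
all tcp 203.0.113.5:41024 (192.168.1.23:51517) -> 1.0.0.1:853      ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:41025 (192.168.1.23:51518) -> 8.8.8.8:53       MULTIPLE:MULTIPLE
all tcp 203.0.113.5:41026 (192.168.1.50:60001) -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:41027 (192.168.1.23:51519) -> 9.9.9.9:53       MULTIPLE:MULTIPLE
"""

# Assumed state-line layout: "<iface> <proto> <wan>:<port> (<lan>:<port>) -> <dst>:<port> ..."
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+"
    r"(?P<wan>[\d.]+):\d+\s+"            # translated source (the public IP)
    r"\((?P<lan>[\d.]+):\d+\)\s+->\s+"   # original LAN client before NAT
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"    # destination the client is talking to
)

def parse_states(text):
    """Yield (proto, lan_ip, dst_ip, dst_port) for every NATed state line."""
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            yield m["proto"], m["lan"], m["dst"], int(m["dport"])

def top_talkers(text):
    """Map each LAN client to the number of distinct (proto, dst, port) it hits."""
    targets = defaultdict(set)
    for proto, lan, dst, port in parse_states(text):
        targets[lan].add((proto, dst, port))
    return Counter({ip: len(t) for ip, t in targets.items()})

def likely_source(text, threshold=3):
    """Return the LAN client with the most distinct targets, or None below threshold."""
    ranked = top_talkers(text).most_common(1)
    if ranked and ranked[0][1] >= threshold:
        return ranked[0][0]
    return None

if __name__ == "__main__":
    for ip, n in top_talkers(SAMPLE_STATES).most_common():
        print(f"{ip}: {n} distinct destinations")
    print("likely source:", likely_source(SAMPLE_STATES))
```

Once the client is identified, its MAC and hostname can be looked up on the DHCPv4 leases page as suggested earlier in the thread.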