OPNsense Forum

English Forums => General Discussion => Topic started by: sebeksd on April 29, 2022, 12:55:35 PM

Title: Firewall blocking strange local IP on port 68
Post by: sebeksd on April 29, 2022, 12:55:35 PM
Hi,
Recently I configured my first OPNsense router and from my point of view everything works. Yesterday I looked into the firewall logs and saw a strange IP being blocked. I tried to capture this IP on all interfaces to get some more info, but it is not showing in the captured packets. I guess it is not showing there because it gets filtered by the firewall before the packets are captured, OR it is something internal to OPNsense making these requests (I think this one is true).
So the IP mentioned is 192.168.20.1:67 (source) and 192.168.20.107:68 (destination), UDP.
The problem is, my network has the 192.160.96/20 IP range; my previous network configuration (before OPNsense) was the typical 192.168.1.0/24 (so 192.168.20.1 is also not from some device that I forgot to reconfigure).

Any idea what it is? Should I allow it in my firewall rules?
More info on screenshots.
Title: Re: Firewall blocking strange local IP on port 68
Post by: Patrick M. Hausen on April 29, 2022, 04:56:33 PM
That's a DHCP reply from a server running on 192.168.20.1 to a client assumed to be at .107.
Title: Re: Firewall blocking strange local IP on port 68
Post by: meyergru on April 29, 2022, 05:10:48 PM
Seems like you have a DHCP server running on 192.168.20.1. To investigate, you could configure a machine statically to that subnet and try to scan that IP. You should be able to see the MAC and potentially more, if a web interface is offered.
Title: Re: Firewall blocking strange local IP on port 68
Post by: Patrick M. Hausen on April 29, 2022, 11:23:08 PM
To see the MAC address, using tcpdump -e should be sufficient.
Title: Re: Firewall blocking strange local IP on port 68
Post by: sebeksd on June 09, 2022, 09:36:53 AM
Sorry for super late response.

I was monitoring my network and cleaning up some forgotten devices (to reconfigure them to my new network settings).
I did a tcpdump like pmhausen suggested and now I'm 100% sure this request comes from within OPNsense.

tcpdump -e -nn -i bridge0 > tcp3.dump

09:14:21.790999 24:f5:a2:a6:72:2c > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 420: vlan 4, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 24:f5:a2:a6:72:2c, length 374
09:14:21.791968 24:f5:a2:a6:70:60 > 24:f5:a2:a6:72:2c, ethertype 802.1Q (0x8100), length 346: vlan 4, p 0, ethertype IPv4, 192.168.20.1.67 > 192.168.20.107.68: BOOTP/DHCP, Reply, length 300

I'm not using VLANs anywhere in my network. What can I do with it? Why is this happening?
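The investigation in this thread is the manual version of a rogue-DHCP-server check: capture with tcpdump -e so the Ethernet header is visible, then look for BOOTP/DHCP replies (UDP 67 to 68) and note which MAC, IP and VLAN tag they come from. The following is an added example, not code from the thread or from the OPNsense project, that automates that reading over saved tcpdump -e -nn output. It embeds the two lines quoted above plus one constructed untagged line for contrast, and it assumes 192.168.96.0/20 is the intended LAN range (the first post's "192.160.96/20" is taken as a typo for that) and that no VLANs are in use, both of which are assumptions the caller passes in.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample: the two lines quoted in the thread, plus one constructed
# untagged reply from a server on the expected LAN so both outcomes are shown.
SAMPLE_DUMP = """\
09:14:21.790999 24:f5:a2:a6:72:2c > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 420: vlan 4, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 24:f5:a2:a6:72:2c, length 374
09:14:21.791968 24:f5:a2:a6:70:60 > 24:f5:a2:a6:72:2c, ethertype 802.1Q (0x8100), length 346: vlan 4, p 0, ethertype IPv4, 192.168.20.1.67 > 192.168.20.107.68: BOOTP/DHCP, Reply, length 300
09:14:22.100000 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 342: 192.168.96.1.67 > 192.168.96.50.68: BOOTP/DHCP, Reply, length 300
"""

# One "tcpdump -e -nn" BOOTP/DHCP line, with or without an 802.1Q tag.
# The pattern is derived from the line shapes quoted in the thread; other
# tcpdump output variants are simply skipped by parse_dump().
LINE_RE = re.compile(
    r"^(?P<ts>\S+) "
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype "
    r"(?:802\.1Q \(0x8100\), length \d+: vlan (?P<vlan>\d+), p \d+, ethertype )?"
    r"IPv4(?: \(0x0800\))?,(?: length \d+:)? "
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"BOOTP/DHCP, (?P<kind>Request|Reply)"
)


@dataclass
class DhcpPacket:
    timestamp: str
    src_mac: str
    dst_mac: str
    vlan: Optional[int]   # None when the frame carried no 802.1Q tag
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    kind: str             # "Request" or "Reply" as printed by tcpdump


def parse_dump(text: str) -> List[DhcpPacket]:
    """Extract the DHCP packets from saved tcpdump -e -nn output."""
    packets: List[DhcpPacket] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a DHCP line, or a shape this parser does not know
        packets.append(DhcpPacket(
            timestamp=m["ts"], src_mac=m["smac"], dst_mac=m["dmac"],
            vlan=int(m["vlan"]) if m["vlan"] else None,
            src_ip=m["sip"], src_port=int(m["sport"]),
            dst_ip=m["dip"], dst_port=int(m["dport"]), kind=m["kind"]))
    return packets


def find_dhcp_servers(packets: Iterable[DhcpPacket],
                      expected_networks: Iterable[str],
                      vlans_in_use: bool = False) -> List[Dict]:
    """Summarise every distinct DHCP server seen (by VLAN, MAC and IP).

    A server is flagged 'unexpected' when its IP lies outside the networks
    the operator says are legitimate, or when it answers on a tagged VLAN
    while the operator says no VLANs are in use.
    """
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    seen: Dict[tuple, Dict] = {}
    for p in packets:
        if p.kind != "Reply" or p.src_port != 67:
            continue  # only server-to-client traffic identifies a server
        key = (p.vlan, p.src_mac, p.src_ip)
        if key in seen:
            seen[key]["replies"] += 1
            continue
        in_expected = any(ipaddress.ip_address(p.src_ip) in n for n in nets)
        unexpected_vlan = p.vlan is not None and not vlans_in_use
        seen[key] = {"vlan": p.vlan, "mac": p.src_mac, "ip": p.src_ip,
                     "replies": 1,
                     "unexpected": (not in_expected) or unexpected_vlan}
    return list(seen.values())


if __name__ == "__main__":
    # Assumed operator knowledge: one legitimate LAN range, no VLANs in use.
    for s in find_dhcp_servers(parse_dump(SAMPLE_DUMP), ["192.168.96.0/20"]):
        tag = "UNEXPECTED" if s["unexpected"] else "ok"
        print(f"{tag:10} vlan={s['vlan']!s:5} mac={s['mac']} ip={s['ip']} "
              f"replies={s['replies']}")
```

Run it against a file written with `tcpdump -e -nn -i bridge0 > tcp3.dump` (as in the post) by reading the file into `parse_dump` instead of `SAMPLE_DUMP`. The server MAC it reports is the next thing to chase: compare it with the MAC addresses of the OPNsense interfaces and with the switch's MAC table to find which port or interface the replies actually originate from.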