Hi, I'm pretty new to all this, so please bear with me. :)
I'm getting flooded with requests from an internal IP I have no knowledge of. As far as I can tell (read google) it is a device wanting an IP?
The IP does not respond to ping.
Interface Time Source Destination Proto Label
WAN Apr 4 15:52:43 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:43 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:42 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:41 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:40 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:39 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:38 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:38 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:38 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:38 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:38 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:38 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:37 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:37 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:36 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:36 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:36 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:36 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:35 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:35 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:35 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
My network config:
OPNsense ip: 10.0.0.1
Subnet: 10.0.0.0
Subnet mask: 255.255.0.0
Available range 10.0.0.1 - 10.0.255.254
DHCP Range: 10.0.0.100 - 10.0.0.150
Please let me know if there is any other information I should provide.
Thanks.
What type of Internet connectivity do you have? DHCP / PPPoE / static / ...? Public IPv4 or CGNAT?
(This has nothing to do with your LAN. The packets are coming from a DHCP server on the WAN side (Internet). They are blocked by OPNsense because you should not have packets with private IP addresses coming in from the Internet.)
My guess would be: Your WAN interface is configured as DHCP client and your ISP uses private IP addresses (CGNAT). So the "device wanting an IP" is actually your OPNsense router.
Thanks for the explanation, but I'm pretty sure my ISP provides me with a public IP.
My OPNsense box is connected to a cable modem, and gets an IP via DHCP. The WAN DHCP is: 84.209.X.X and my public IP is 84.209.X.X.
Wonder what it could be. From the IP address it does not look to be a consumer product.
I'm getting 3-4 of these requests per second. Will it have any performance impact?
If the only thing on the WAN side is your cable modem, it would appear to be that. If you have an ordinary switch, just pop that in place of the modem; it will keep the WAN port up but the packets should disappear.
Is the modem in bridge mode?
It's most likely your ISP's DHCP server. Those sometimes use private IP addresses, even if they hand out public addresses.
Have a look in Services / DHCPv4 / Log File. You might find lines like this:
dhclient[28340]: DHCPREQUEST on hn1 to 10.233.128.1 port 67
This would be OPNsense sending a request to the DHCP server. If so, you might want to disable the firewall rule by unchecking Block private networks in Interfaces / WAN.
Yes,
Cable modem --> OPNSense --> Switches (one for wireless, and one for wires – dhcp off on both) --> devices
The cable modem is pretty basic, and can only be in bridge mode afaik.
Cablemodem specs:
- Cisco EPC3010 EuroDocsis 3.0 Data Modem (https://www.cisco.com/c/dam/en/us/td/docs/video/at_home/Cable_Modems/3000_Series/4030802_C.pdf) (link to product manual pdf)
- Default ip: 192.168.100.1
Copy paste from status page:
Model: Cisco EPC3010
Vendor: Cisco
Hardware Revision: 1.0
MAC Address: <removed>
Bootloader Revision: 2.3.0_R1
Current Software Revision: e3000-c1000r5593-150429c
Firmware Name: e3000-c1000r5593-150429c.bin
Firmware Build Time: Apr 29 13:32:31 2015
Cable Modem Status: Operational
Cable Modem State:
DOCSIS Downstream Scanning: Completed
DOCSIS Ranging: Completed
DOCSIS DHCP: Completed
DOCSIS TFTP: Completed
DOCSIS Data Reg Complete: Completed
DOCSIS Privacy: Enabled
EDIT:
@Maurice
I checked the DHCP v4 log for the IP, and two old entries showed up:
Mar 28 20:19:34 dhclient[30019]: DHCPACK from 10.233.128.1
Mar 23 21:37:13 dhclient[29618]: DHCPACK from 10.233.128.1
Does that help any?
Quote from: nle on April 05, 2018, 12:14:47 AM
I checked the DHCP v4 log for the IP, and two old entries showed up:
Mar 28 20:19:34 dhclient[30019]: DHCPACK from 10.233.128.1
Mar 23 21:37:13 dhclient[29618]: DHCPACK from 10.233.128.1
Does that help any?
Yes. It shows that 10.233.128.1 is your ISP's DHCP server. This is where you get your public IP address from. Just disable the firewall rule like mentioned in my previous post. (Or, if you want to be more specific, you could create a rule allowing only incoming UDP packets to port 68 from this IP address.)
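The correlation used in the reply above, as an added example that is not part of the original thread: it checks whether blocked WAN rows are DHCP server replies (UDP 67 to 68) from a private source that the WAN dhclient log also names as its server, and flags DHCP replies from any other source separately. The function names and verdict labels are assumptions; the sample rows are copied from the thread.

```python
import ipaddress
import re
from collections import Counter

# Firewall log rows in the column layout shown in the thread:
# Interface, Time, Source, Destination, Proto, Label
FW_ROW = re.compile(
    r"^(?P<iface>\S+) (?P<time>\w{3} +\d+ [\d:]{8}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) (?P<label>.+)$"
)
# dhclient lines that name the server: "DHCPACK from <ip>" or "DHCPREQUEST on <if> to <ip>"
DHCLIENT = re.compile(r"dhclient\[\d+\]: (?:DHCPACK from|DHCPREQUEST on \S+ to) (?P<ip>[\d.]+)")

def known_dhcp_servers(dhclient_log):
    """Return the set of server IPs the WAN DHCP client has talked to."""
    return {m.group("ip") for m in DHCLIENT.finditer(dhclient_log)}

def classify_blocked(fw_log, servers):
    """Count blocked rows by verdict (labels are this example's own)."""
    verdicts = Counter()
    for line in fw_log.strip().splitlines():
        m = FW_ROW.match(line.strip())
        if not m:
            verdicts["unparsed"] += 1
            continue
        # A DHCP server answers from UDP port 67 to client port 68.
        dhcp_reply = m["proto"] == "udp" and m["sport"] == "67" and m["dport"] == "68"
        private_src = ipaddress.ip_address(m["src"]).is_private
        if dhcp_reply and private_src and m["src"] in servers:
            verdicts["dhcp-server-reply"] += 1         # our own lease traffic, blocked
        elif dhcp_reply:
            verdicts["dhcp-from-unknown-server"] += 1  # a server dhclient never used
        else:
            verdicts["other"] += 1
    return verdicts

# Sample rows copied from the thread (firewall log and DHCPv4 log).
FW_SAMPLE = """
WAN Apr 4 15:52:43 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:42 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
WAN Apr 4 15:52:41 10.233.128.1:67 255.255.255.255:68 udp Block private networks from WAN
"""
DHCLIENT_SAMPLE = """
Mar 28 20:19:34 dhclient[30019]: DHCPACK from 10.233.128.1
Mar 23 21:37:13 dhclient[29618]: DHCPACK from 10.233.128.1
"""

print(dict(classify_blocked(FW_SAMPLE, known_dhcp_servers(DHCLIENT_SAMPLE))))
```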
Thanks a lot! I'll be sure to test and do that tomorrow morning.
Just jumped in bed. :)
I first tried setting a FW rule allowing port 68 which was my first choice, but I did not manage to get that to work. Then I allowed private networks on the WAN interface and that worked.
At least I found the reason, and I just need to learn more about setting up rules another day.
Thanks for all the help!