DHCP ACK sends out WPAD address on interface with Windows 7 client

[chemlud]

Hy!

Have here a Win 7 on his own LAN with no connection to the internet. After fresh install of 20.7.4 some days ago I started to see alerts (drop) in suricata on this special interface,

Code: [Select]

Content match Service Suricata_alert

Date:        Mon, 09 Nov 2020 04:38:55
Action:      alert
Host:        OPN0518.myOPNsenseDomain.home.arpa
Description: content match:
{"timestamp":"2020-11-09T04:36:59.210662+0100","flow_id":1511934677169894,"in_iface":"em1^","event_type":"alert","src_ip":"aaa.bbb.ccc.1","src_port":67,"dest_ip":"aaa.bbb.ccc.14","dest_port":68,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":2022915,"rev":1,"signature":"ET INFO Web Proxy Auto Discovery Protocol WPAD DHCP 252 option Possible BadTunnel","category":"Generic Protocol Command Decode","severity":3,"metadata":{"updated_at":["2016_06_24"],"created_at":["2016_06_24"]}},"app_proto":"d
When I do a package capture, I see that the DHCP ACK package for this Win 7 client (aaa.bbb.ccc.14) coming from the OPNsense (.1) has the following info in the end of the package:

Code: [Select]

.....https://wpad.myOPNsenseDomain.home.arpa:443/wpad.dat
What does this mean? I don't want my Win 7 to be tunneled via a proxy on my OPNsense to the interwebs. This makes totally no sense at all to me.

Can somebody enlighten me? :-)

[chemlud]

...I never checked the tick box for

Code: [Select]

Enable Web Proxy Auto Discovery
under the DHCP servers Advanced Settings for this interface. I'm somewhat surprised...