Firewall blocking strange local IP on port 68

Started by sebeksd, April 29, 2022, 12:55:35 PM

Hi,
Recently configured my first OPNsense router and from my point of view everything works. Yesterday I looked into the Firewall logs and I saw a strange IP being blocked. I tried to capture this IP on all interfaces to get some more info, but it is not showing in the captured packets. I guess that it is not showing there because it gets filtered by the firewall before packets are captured, OR it is something internal to OPNsense making these requests (I think this one is true).
So IP mentioned is 192.168.20.1:67 (source) and 192.168.20.107:68 (destination) UDP.
The problem is, my network has the 192.160.96/20 IP range, and my previous network configuration (before OPNsense) was the typical 192.168.1.0/24 (so 192.168.20.1 is also not from some device that I forgot to reconfigure).

Any idea what it is? Should I allow it in my Firewall rules?
More info on screenshots.

That's a DHCP reply from a server running on 192.168.20.1 to a client assumed to be at .107.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Seems like you have a DHCP server running on 192.168.20.1. To investigate, you could configure a machine statically to that subnet and try to scan that IP. You should be able to see the MAC and potentially more, if a web interface is offered.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

To see the MAC address, using tcpdump -e should be sufficient.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Sorry for super late response.

I was monitoring my network and cleaning up some forgotten devices (to reconfigure them to my new network settings).
I did tcpdump like pmhausen suggested and now I'm 100% sure this request comes from within OPNsense.

tcpdump -e -nn -i bridge0 > tcp3.dump

09:14:21.790999 24:f5:a2:a6:72:2c > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 420: vlan 4, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 24:f5:a2:a6:72:2c, length 374
09:14:21.791968 24:f5:a2:a6:70:60 > 24:f5:a2:a6:72:2c, ethertype 802.1Q (0x8100), length 346: vlan 4, p 0, ethertype IPv4, 192.168.20.1.67 > 192.168.20.107.68: BOOTP/DHCP, Reply, length 300

I'm not using VLANs anywhere in my network. What can I do with it? Why is this happening?
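As an added example (not posted by anyone in this thread): a small Python script that parses tcpdump -e -nn summary lines like the two above and flags DHCP server replies whose source IP is outside the expected LAN range or which arrive with an 802.1Q tag that no interface is configured for. The sample capture is constructed (two lines mirror the thread, one benign reply is added), and the trusted range 192.168.96.0/20 and the empty set of configured VLANs are assumptions standing in for the poster's setup.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in `tcpdump -e -nn` format: the first two lines mirror the thread's capture, the third is a constructed benign reply from a server inside the expected LAN range.
SAMPLE = """\
09:14:21.790999 24:f5:a2:a6:72:2c > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 420: vlan 4, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 24:f5:a2:a6:72:2c, length 374
09:14:21.791968 24:f5:a2:a6:70:60 > 24:f5:a2:a6:72:2c, ethertype 802.1Q (0x8100), length 346: vlan 4, p 0, ethertype IPv4, 192.168.20.1.67 > 192.168.20.107.68: BOOTP/DHCP, Reply, length 300
09:14:22.100000 aa:bb:cc:00:00:01 > 24:f5:a2:a6:72:2c, ethertype IPv4 (0x0800), length 342: 192.168.96.1.67 > 192.168.96.50.68: BOOTP/DHCP, Reply, length 300
"""
MAC, IP4 = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}", r"\d{1,3}(?:\.\d{1,3}){3}"
HDR_RE = re.compile(rf"^(?P<ts>\S+) (?P<smac>{MAC}) > (?P<dmac>{MAC}),")   # frame header printed by -e
VLAN_RE = re.compile(r"\bvlan (?P<vlan>\d+),")                             # present only on tagged frames
DHCP_RE = re.compile(rf"(?P<sip>{IP4})\.(?P<sport>\d+) > (?P<dip>{IP4})\.\d+: "
                     r"BOOTP/DHCP, (?P<kind>Request|Reply)")

@dataclass
class DhcpPacket:
    ts: str
    src_mac: str
    dst_mac: str
    vlan: Optional[int]  # 802.1Q tag; None when the frame is untagged
    src_ip: str
    src_port: int
    dst_ip: str
    kind: str            # "Request" (client) or "Reply" (server)

def parse_tcpdump(text):
    """Return the BOOTP/DHCP packets found in tcpdump -e -nn output; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        hdr, dhcp, vlan = HDR_RE.match(line), DHCP_RE.search(line), VLAN_RE.search(line)
        if hdr and dhcp:
            packets.append(DhcpPacket(hdr["ts"], hdr["smac"], hdr["dmac"], int(vlan["vlan"]) if vlan else None,
                                      dhcp["sip"], int(dhcp["sport"]), dhcp["dip"], dhcp["kind"]))
    return packets

def audit_dhcp_replies(packets, trusted_nets, vlans_in_use):
    """Yield (packet, reasons) for every server reply (port 67) that does not fit the expected network."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for p in (p for p in packets if p.kind == "Reply" and p.src_port == 67):
        reasons = []
        if not any(ipaddress.ip_address(p.src_ip) in n for n in nets):
            reasons.append(f"DHCP server {p.src_ip} ({p.src_mac}) is outside the expected LAN range")
        if p.vlan is not None and p.vlan not in vlans_in_use:
            reasons.append(f"reply carried 802.1Q tag {p.vlan}, which is not a configured VLAN")
        if reasons:
            yield p, reasons
```

Run as `for p, why in audit_dhcp_replies(parse_tcpdump(SAMPLE), ["192.168.96.0/20"], set()): print(p.ts, p.src_mac, p.dst_ip, why)` against a real `tcpdump -e -nn -i bridge0` capture to list every offending server MAC together with the client it answered.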