Topic: Identifying APIPA hosts from firewall logs (Read 155 times)
EricPerl
Jr. Member
Posts: 85
Karma: 1
Identifying APIPA hosts from firewall logs
« on: October 06, 2024, 11:12:14 pm »
I've been experimenting with OPNsense for a few days.
It's refreshing to get a firewall that provides logging... compared to TP-Link ACLs.
I use OPNsense as a transparent filtering bridge between my router and main switch.
Anyway, I've got a couple of questions related to entries in the logs for hosts with APIPA addresses.
The first set corresponds to an internal address of my router. The packets seem to be replies to DNS requests (source port is 53 and destination is a random port on a PC). I found one entry corresponding to a request from PC:random to router:53. I assume that connection can be reused for multiple DNS queries.
Question #1: It's normal that I don't see replies from router:53 to PC:random, right?
And that's because everything exchanged over that allowed and established connection is not only allowed but not subject to logging.
But I might see traffic router:53 to PC:random if it happened after the connection closed or was idle too long (from the firewall's perspective)?
I see APIPA:53 to PC:random within a minute of PC:random to router:53.
And that traffic would get blocked and logged anyway because it doesn't match any allow rule.
Question #2: I have discovery queries from another APIPA address.
I suspect a device that failed to get IP via DHCP.
Is there a way to extract a MAC address from what's logged?
Maybe I can identify the source from info in my DHCP server...
I'd rather not resort to captures to find it. And if it's wireless, I'm toast.
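As an added example (not from the poster or from the OPNsense project): a small Python script that pulls APIPA-sourced entries out of filterlog-style lines, separates the ones that look like late DNS answers from the discovery traffic, and looks each source up in a neighbour-cache dump, since the firewall log records addresses and ports but no MAC. The filterlog field order, the `arp -an` line shape and every sample value are assumptions constructed for this example.

```python
import csv
import ipaddress
import re

APIPA = ipaddress.ip_network("169.254.0.0/16")
# Constructed sample lines in the filterlog CSV layout (assumed order: rulenr,subrulenr,
# anchor,label,interface,reason,action,dir,ipversion,tos,ecn,ttl,id,offset,flags,
# protonum,protoname,length,src,dst,srcport,dstport,datalen).
SAMPLE_LOG = """\
20,,,allow-lan,igb1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,62,192.168.1.50,192.168.1.1,51524,53,42
95,,,block-default,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,169.254.10.20,192.168.1.50,53,51524,58
95,,,block-default,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,120,169.254.77.3,239.255.255.250,49152,1900,100
95,,,block-default,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,110,169.254.77.3,224.0.0.251,5353,5353,90
"""
# Constructed neighbour-cache lines shaped like FreeBSD `arp -an` output.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:11:22:33:44:55 on igb1 expires in 1200 seconds [ethernet]
? (169.254.77.3) at 02:aa:bb:cc:dd:ee on igb1 expires in 900 seconds [ethernet]
"""

def parse_filterlog(text):
    """Return one dict per IPv4 log line with the fields this analysis needs."""
    rows = []
    for f in csv.reader(text.splitlines()):
        if len(f) < 23 or f[8] != "4":
            continue
        rows.append({"action": f[6], "iface": f[4], "proto": f[16], "src": f[18],
                     "dst": f[19], "sport": int(f[20]), "dport": int(f[21])})
    return rows

def parse_arp(text):
    """Map IP -> MAC from `arp -an` style lines."""
    pat = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]{17})")
    return {m.group(1): m.group(2) for m in map(pat.search, text.splitlines()) if m}

def apipa_report(log_text, arp_text):
    """Group APIPA-sourced entries by source and attach a MAC where the neighbour
    cache knows the address; the firewall log itself never carries one."""
    arp = parse_arp(arp_text)
    report = {}
    for r in parse_filterlog(log_text):
        if ipaddress.ip_address(r["src"]) not in APIPA:
            continue
        # Source port 53 toward a high port looks like a DNS answer from an address the
        # state table never saw; everything else is treated as discovery traffic.
        kind = "dns-reply" if r["sport"] == 53 and r["dport"] > 1023 else "discovery"
        e = report.setdefault(r["src"], {"mac": arp.get(r["src"]), "kinds": set(), "targets": set()})
        e["kinds"].add(kind)
        e["targets"].add(f'{r["dst"]}:{r["dport"]}/{r["proto"]}')
    return report
```

A source that never put a frame on the firewall's own segment (the router's internal APIPA address in the first question) stays at `mac: None`, so the neighbour cache or DHCP lease table of the switch-facing side is the place to look next.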