Firewall log full of internal ICMP

Started by FWMan, October 11, 2024, 04:10:29 PM

October 11, 2024, 04:10:29 PM Last Edit: October 11, 2024, 04:12:34 PM by FWMan
Hi, I've noticed according to the firewall log an internal address is trying to ping itself constantly! This is very strange. See attached.

My network is 192.168.0.1/24. I've checked the ARP table and it only shows 192.168.0.x addresses as expected. Also checked routes and there is nothing for anything 10.x.x.x.

I wondered if it was something to do with VPNs, so I actually disabled both the OpenVPN and WireGuard services and it's still continuing.

I downloaded the config XML and searched for 10.67.28.140 and 10.67 in it and there is nothing found.

I don't have many plugins, just ntopng.

Any ideas?

Thanks

Use

tcpdump -i <interface> -n -e icmp

to find the source MAC address and look up the vendor prefix here:

https://www.macvendorlookup.com

That should give you a hint about the device. You have a misconfigured $something connected to your network.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on October 11, 2024, 04:37:54 PM
Use

tcpdump -i <interface> -n -e icmp

to find the source MAC address and look up the vendor prefix here:

https://www.macvendorlookup.com

That should give you a hint about the device. You have a misconfigured $something connected to your network.

Thanks for the reply, what am I doing wrong here? It's on the LAN interface...

root@OPNSense:~ # tcpdump -i LAN -n -e icmp
tcpdump: LAN: No such device exists
(No such device exists)
root@OPNSense:~ # tcpdump -i "LAN (bridge0)" -n -e icmp
tcpdump: LAN (bridge0): No such device exists
(No such device exists)

I tried lowercase etc. as well

-i bridge0
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
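
Added example, not written by anyone in this thread: a small shell function that tallies the text output of the tcpdump command suggested above by source MAC, keeping only packets whose source IP lies outside the LAN. It assumes a /24 LAN given as a dotted prefix (192.168.0.) and the device name bridge0 from the last reply; the function names, MAC addresses and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `tcpdump -n -e icmp` output by source MAC for
# ICMP packets whose source IP is NOT inside the LAN prefix.

# Constructed sample capture. MACs use the 00:00:5e:00:53:xx documentation
# range; 10.67.28.140 is the address from the thread, the rest is made up.
sample_capture() {
cat <<'EOF'
16:12:01.000001 00:00:5e:00:53:10 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 98: 10.67.28.140 > 10.67.28.140: ICMP echo request, id 7, seq 1, length 64
16:12:02.000001 00:00:5e:00:53:10 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 98: 10.67.28.140 > 10.67.28.140: ICMP echo request, id 7, seq 2, length 64
16:12:02.500000 00:00:5e:00:53:30 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 98: 192.168.0.25 > 192.168.0.1: ICMP echo request, id 3, seq 1, length 64
16:12:02.500100 00:00:5e:00:53:01 > 00:00:5e:00:53:30, ethertype IPv4 (0x0800), length 98: 192.168.0.1 > 192.168.0.25: ICMP echo reply, id 3, seq 1, length 64
16:12:03.000001 00:00:5e:00:53:10 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 98: 10.67.28.140 > 10.67.28.140: ICMP echo request, id 7, seq 3, length 64
16:12:04.000001 00:00:5E:00:53:20 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 98: 10.67.28.141 > 192.168.0.1: ICMP echo request, id 9, seq 1, length 64
EOF
}

# Reads tcpdump lines on stdin; $1 is the LAN prefix, e.g. "192.168.0."
# Prints: <packet count> <source MAC> <OUI (first 3 octets)> <source IP>
# Live use: tcpdump -l -i bridge0 -n -e -c 200 icmp | foreign_icmp_by_mac 192.168.0.
foreign_icmp_by_mac() {
    awk -v lan="$1" '
    $3 == ">" && /ethertype IPv4/ {
        mac = tolower($2)              # link-layer source printed by -e
        src = ""
        # The IP source is the field just before the second ">" on the line.
        for (i = 5; i < NF; i++)
            if ($i == ">") { src = $(i - 1); break }
        # Skip unparsable lines and sources that belong to the LAN prefix.
        if (src == "" || index(src, lan) == 1) next
        count[mac " " substr(mac, 1, 8) " " src]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}
```

The third column is the prefix to paste into the vendor lookup; a MAC that shows up here but not in the ARP table for 192.168.0.x is the device to trace on the switch or bridge members.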