[ previous ] [ next ] [ threads ]
 
 From:  "Greg Sims" <greg at headingup dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Version 1.1: Firewall Logging -- Entries Not In Subnet
 Date:  Fri, 18 Mar 2005 08:15:52 -0800
Hi All,

I'm reading through the Firewall Logs of a new installation to make sure it
is stable.  I found something interesting that I was not expecting and
thought I would share it with the community.

The 4801-50 based router is configured with LAN on 10.0.0.1/24, OPT1 on
10.0.1.1/24 and WAN on a public IP.  Here's a typical Firewall Log Entry:

	If: LAN
	Source: 192.168.0.1, port 1900
	Dest: 239.355.355.350, port 1900
	Proto: UDP

I wonder why the LAN interface is seeing address 192.168.0.1 as it is not
part of the LAN subnet.

The next entry in the log is very close in time and contains the same
information but the interface is OPT1:

	If: OPT1
	Source: 192.168.0.1, port 1900
	Dest: 239.355.355.350, port 1900
	Proto: UDP

Again it is interesting that the OPT1 interface is seeing this packet given
the source address (or destination) is not part of the OPT1 subnet.

By the way, these entries are being generated by a D-Link router with LAN IP
192.168.0.1/24 that is connected to the same switch as LAN and OPT1 from the
m0n0wall.

Thanks in advance, Greg