
Toastman builds: Odd Syslog Behavior?

Discussion in 'Tomato Firmware' started by gfunkdave, Jan 13, 2012.

  1. gfunkdave

    gfunkdave LI Guru Member

    Back in the dark ages when I ran stock Tomato 1.28 on a WRT54GL, I liked to set the inbound connection logging to log WAN-to-LAN connections that the router's firewall allowed. I've noticed in the Toastman builds, however, that the log quickly gets full of things like this:

    Code:
    Jan 13 09:25:14 router user.warn kernel: ACCEPT IN=vlan2 OUT= MACSRC=00:24:c4:27:81:d9 MACDST=ff:ff:ff:ff:ff:ff MACPROTO=0800 SRC=10.22.64.1 DST=255.255.255.255 LEN=399 TOS=0x00 PREC=0x00 TTL=255 ID=34489 PROTO=UDP SPT=67 DPT=68 LEN=379
    It seems this is someone or something trying to broadcast to my LAN on UDP port 68. Is there a way to make the log only show actual connections, as it used to? Also, what are these weird UDP connections and why is the firewall allowing them through?

    Edit: The source MAC is the same as the MAC of my WAN gateway - not my cable modem but whatever the cable modem talks to. But the reported IP in the log (10.22.64.1) is different than the IP that shows for that MAC in the Active Devices page. Not sure what's going on there.

    Thanks!
     
  2. marshcroft

    marshcroft Networkin' Nut Member

    Ports 67 and 68 are for DHCP. Do you have a separate DHCP server, or does the router have the DHCP role?
     
  3. gfunkdave

    gfunkdave LI Guru Member

    The router is my DHCP server.
     
  4. marshcroft

    marshcroft Networkin' Nut Member

    OK, is 10.22.64.1 your router IP by any chance?
     
  5. marshcroft

    marshcroft Networkin' Nut Member

    So I looked more into the IP itself, and found this from Cisco:
    http://www.tek-tips.com/viewthread.cfm?qid=882585

    The 10.22.64.1 is a temporary IP that you are getting before being granted the WAN IP from the ISP, hence the DHCP call out with that IP. How often is this showing up in your syslog, though?
     
  6. gfunkdave

    gfunkdave LI Guru Member

    Interesting. So you're saying that my router (an E3000) somehow gets that 10.22.64.1 address temporarily before it gets a real one?

    These lines overwhelm the log when I enable Accepted connection logging. There is literally nothing else left in the log except these connections. It persists long after the router has received an IP from the cable modem - my usual IP starts with 207. Also, the cable modem is a Motorola Surfboard - not a Cisco modem. I'm not sure if that's what you meant.

    Thanks
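
Added example, not part of the thread or of Tomato: one way to post-filter an exported syslog so that the DHCP broadcast entries discussed above (UDP 67 to 68, destination 255.255.255.255) are dropped and only the other accepted connections remain. The function names and the second sample log line are constructed for illustration; the first sample line is the one quoted in the first post.

```python
import re

# Constructed sample: line 1 is the entry quoted in the thread; line 2 is a
# made-up inbound TCP connection using documentation/private addresses.
SAMPLE_LOG = """\
Jan 13 09:25:14 router user.warn kernel: ACCEPT IN=vlan2 OUT= MACSRC=00:24:c4:27:81:d9 MACDST=ff:ff:ff:ff:ff:ff MACPROTO=0800 SRC=10.22.64.1 DST=255.255.255.255 LEN=399 TOS=0x00 PREC=0x00 TTL=255 ID=34489 PROTO=UDP SPT=67 DPT=68 LEN=379
Jan 13 09:26:02 router user.warn kernel: ACCEPT IN=vlan2 OUT=br0 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Log prefix (e.g. ACCEPT) followed by the netfilter KEY=VALUE fields.
LINE_RE = re.compile(r"kernel: (?P<verdict>[A-Z]+) (?P<fields>.*)$")

def parse_line(line):
    """Parse one firewall log line into a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    entry = {"verdict": m.group("verdict"), "flags": []}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            # LEN appears twice on UDP lines: first the IP length, then the
            # UDP length. Keep both instead of letting the second overwrite.
            if key == "LEN" and "LEN" in entry:
                key = "L4_LEN"
            entry[key] = value      # OUT= yields an empty string
        else:
            entry["flags"].append(token)  # bare tokens such as DF or SYN
    return entry

def is_dhcp_broadcast(entry):
    """True for DHCP server-to-client broadcasts (UDP 67 -> 68)."""
    return (entry.get("PROTO") == "UDP"
            and entry.get("SPT") == "67"
            and entry.get("DPT") == "68"
            and entry.get("DST") == "255.255.255.255")

def real_connections(log_text):
    """Return parsed entries with the DHCP broadcast noise removed."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and not is_dhcp_broadcast(e)]

if __name__ == "__main__":
    for e in real_connections(SAMPLE_LOG):
        print(e["verdict"], e["PROTO"], e["SRC"], "->", e["DST"], "dport", e["DPT"])
```

This only filters the log after the fact; it does not change what the router's firewall accepts or logs.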
     
