Topic: PPTP server flooding itself?  (Read 3031 times)
« on: April 19, 2007, 23:52:49 »
winedog *
Posts: 28

Hi,

I've been using M0n0Wall for over 18 months and it works brilliantly. I use WallWatcher and remote logging on another computer to watch traffic and save logs.

Yesterday around 5pm I added two new users to the PPTP user group (have been using PPTP for over 1 year) and everything seemed fine. That was the only change I have made to m0n0 in the last few months.

Then just before 8pm last night, the WallWatcher logs started flooding with the following traffic and I can't figure out why, or what the source is:

2007/04/19 20:12:02.65   I udp   0.0.0.0      68 255.255.255.255 67
2007/04/19 20:12:02.65   I udp   192.168.1.254   67 255.255.255.255 68
2007/04/19 20:12:02.65   I udp   0.0.0.0      68 255.255.255.255 67
2007/04/19 20:12:02.66   I udp   192.168.1.254   67 255.255.255.255 68
2007/04/19 20:12:03.66   I udp   0.0.0.0      68 255.255.255.255 67
2007/04/19 20:12:03.66   I udp   192.168.1.254   67 255.255.255.255 68

It's just going insane. I've checked previous logs and never seen any activity like this.

I would say it was adding the 2 extra users, but then why was there a 3 hour delay between adding the users and the beginning of the flood?

Can anyone help me here?
« Reply #1 on: April 20, 2007, 00:49:48 »
cmb *****
Posts: 851

Unrelated, that's from a DHCP client it appears. What's 192.168.1.254? And what exactly are the raw logs m0n0wall is sending?
« Reply #2 on: April 20, 2007, 01:21:30 »
winedog *
Posts: 28

192.168.1.254 IS the PPTP server on m0n0wall.

When I created the PPTP server in m0n0wall, it used 192.168.1.254 as the default address.

Here's the report out of m0n0wall logs that looks basically the same as the raw dump from WallWatcher I posted earlier.

I do believe this is something to do with PPTP server.


* logsample.gif (30.15 KB, 581x365 - viewed 295 times.)
« Reply #3 on: April 20, 2007, 04:21:45 »
cmb *****
Posts: 851

Yeah if that's your PPTP server IP, that definitely seems to be PPTP related. I guess it happens after one of these new users connects? Does it happen for all users, or just specific ones? Any user on a specific machine, or one user on any machine, or?  I've never seen or heard of that happening, try to narrow down the problem to a specific cause, then a solution may be more apparent.
« Reply #4 on: April 20, 2007, 07:57:29 »
winedog *
Posts: 28

The weird thing is.....there are NO users connected. I have a total of 6 PPTP users and none of them have connected in the last 2 days.

Which makes this even stranger....

Like I said....I added two users yesterday....3 hours later this flooding began....I deleted both user accounts and it's still flooding. I've shut down all systems on the LAN side (there's only about 6 computers on this network) and the traffic is still occurring.

I've turned off the PPTP server and every device on the network and I still see this traffic in the m0n0wall log.

I'm starting to think this is a bug in m0n0.

I might back up my config now and restore to default and see if it still occurs.

Please, if anyone has any ideas or suggestions on this let me know.
« Reply #5 on: April 21, 2007, 03:45:36 »
winedog *
Posts: 28

OK. Problem seems to have abated for the moment. I went to my rack mounted hub and started pulling out everything that had a link light and then began reconnecting and the problem seems to have stopped.

The only thing I can think is that maybe it was a freaked wake-on-lan device or something.

I'll keep an eye on it and if it comes back again I'll add to this post.

.....very very very strange....
« Reply #6 on: May 14, 2007, 00:31:41 »
winedog *
Posts: 28

OK. Resolved.

An Axis print server glitched. While it still had an IP address assigned to it, it had reverted to BOOTP being enabled and was flooding the network with BOOTP calls.

The 0.0.0.0 really was the clue that there was a network client crying for an IP.
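
Added example, not part of the original thread and not code from m0n0wall or WallWatcher: a small Python check that reads log lines in the format quoted in the first post, counts BOOTP/DHCP client requests (0.0.0.0:68 to 255.255.255.255:67) per minute, and tallies which servers answered. The function names, the threshold of 10 requests per minute and the sample lines are assumptions constructed for this example.

```python
from collections import Counter
from datetime import datetime

BROADCAST = "255.255.255.255"

def parse(line):
    """Split one log line into (time, proto, src, sport, dst, dport); None if malformed."""
    f = line.split()
    if len(f) != 8:
        return None
    try:
        ts = datetime.strptime(f[0] + " " + f[1], "%Y/%m/%d %H:%M:%S.%f")
        return ts, f[3].lower(), f[4], int(f[5]), f[6], int(f[7])
    except ValueError:
        return None

def bootp_summary(lines, threshold=10):
    """Return (bursts, responders): minutes with >= threshold client requests,
    and a count of replies per server address. threshold is an assumed cut-off."""
    per_minute, responders = Counter(), Counter()
    for rec in filter(None, map(parse, lines)):
        ts, proto, src, sport, dst, dport = rec
        if proto != "udp" or dst != BROADCAST:
            continue
        if src == "0.0.0.0" and (sport, dport) == (68, 67):
            # Client with no address asking for one
            per_minute[ts.replace(second=0, microsecond=0)] += 1
        elif (sport, dport) == (67, 68):
            # Server reply broadcast back to the client port
            responders[src] += 1
    bursts = sorted((m, n) for m, n in per_minute.items() if n >= threshold)
    return bursts, dict(responders)

def constructed_sample():
    """Constructed input: one request/reply pair per second for 30 s,
    one isolated request two minutes later, and one malformed line."""
    lines = []
    for s in range(30):
        t = f"2007/04/19 20:12:{s:02d}.65"
        lines.append(f"{t}   I udp   0.0.0.0      68 255.255.255.255 67")
        lines.append(f"{t}   I udp   192.168.1.254   67 255.255.255.255 68")
    lines.append("2007/04/19 20:14:05.10   I udp   0.0.0.0      68 255.255.255.255 67")
    lines.append("not a log line")
    return lines

if __name__ == "__main__":
    bursts, responders = bootp_summary(constructed_sample())
    for minute, count in bursts:
        print(f"{minute:%Y-%m-%d %H:%M} {count} client requests")
    print("replies seen from:", responders)
```

These log lines carry no MAC address, so the check only shows that some client keeps asking for an address; finding the device still takes a packet capture or isolating ports, as was done at the hub in this thread.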
 