Huge Increase In Firewall Drops

bluzfanmr1

Senior Member
Recently, after having the same Comcast WAN IP for about 2.5 years, my IP changed to a new one. Since then, the number of firewall drops has increased massively to the point of 3-5 attempts, every 3-5 seconds. It used to be I would get a few drops every minute or two. There are only a few hits where the DST is my WAN IP but most of them show a DST of 255.255.255.255. The drops are coming from various IPs but the MAC address is always close to about 5 different numbers such as this:
Code:
May 16 11:47:00 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:0f:08:00 SRC=73.98.97.68 DST=255.255.255.255
May 16 11:46:58 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:e4:08:00 SRC=98.60.201.185 DST=255.255.255.255
May 16 11:46:53 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:a4:08:00 SRC=174.56.0.202 DST=255.255.255.255

I think from what I've previously learned here, I can safely ignore this and this is the firewall working as it should. Is that indeed true? Or is there something wrong within my network? I'm just alarmed by the massive increase in the number of hits. What is the purpose of a DST of 255.255.255.255 instead of my WAN IP and why are those showing up in my log?

Thanks for any help or confirmation on this.
 

ColinTaylor

Part of the Furniture
It's just Ethernet broadcast traffic, ignore it. The only odd thing is the variation in IP address ranges, but they all belong to Comcast so I guess that's just their weird internal network design. Maybe they're migrating some of their network equipment.
 
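A way to check this distinction on your own log, as an added example that is not from the thread or from the router firmware: the script below parses kernel DROP lines in the format quoted above, separates broadcast frames (destination MAC ff:ff:ff:ff:ff:ff, or DST 255.255.255.255, the IPv4 limited-broadcast address) from packets actually addressed to the WAN IP, and estimates the drop rate. The WAN address and the fourth, directed log line are constructed placeholders; the other three lines are the ones quoted in the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the three lines quoted in the thread plus one made-up
# directed packet (TEST-NET addresses) so both branches are exercised.
SAMPLE_LOG = """\
May 16 11:47:00 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:0f:08:00 SRC=73.98.97.68 DST=255.255.255.255
May 16 11:46:58 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:e4:08:00 SRC=98.60.201.185 DST=255.255.255.255
May 16 11:46:53 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:cc:c0:a8:ca:a4:08:00 SRC=174.56.0.202 DST=255.255.255.255
May 16 11:46:50 kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:02:cc:c0:a8:ca:a4:08:00 SRC=203.0.113.7 DST=198.51.100.42 PROTO=TCP DPT=22
"""
WAN_IP = "198.51.100.42"  # constructed placeholder for the router's own WAN address

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) kernel: DROP IN=(?P<iface>\S*) OUT=\S* "
    r"MAC=(?P<mac>[0-9a-f:]+) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def parse_line(line):
    """Split one DROP line; MAC= is dst MAC (6 bytes) + src MAC (6 bytes) + EtherType."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["dst_mac"], e["src_mac"], e["ethertype"] = e["mac"][:17], e["mac"][18:35], e["mac"][36:]
    e["time"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")  # no year in syslog; fine for deltas
    return e

def classify(e, wan_ip):
    """Broadcast frames are segment noise; only packets addressed to the WAN IP merit attention."""
    if e["dst"] == "255.255.255.255" or e["dst_mac"] == BROADCAST_MAC:
        return "broadcast"
    return "directed" if e["dst"] == wan_ip else "other"

def triage(log_text, wan_ip):
    """Return per-class counts, distinct sources of directed drops, and drops per minute."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    counts = Counter(classify(e, wan_ip) for e in entries)
    directed = sorted({e["src"] for e in entries if classify(e, wan_ip) == "directed"})
    times = [e["time"] for e in entries]
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    per_min = len(entries) * 60.0 / span if span > 0 else float(len(entries))
    return dict(counts), directed, per_min

if __name__ == "__main__":
    counts, directed, per_min = triage(SAMPLE_LOG, WAN_IP)
    print(counts, directed, f"{per_min:.1f} drops/min")
```

Feed it the System Log export and set WAN_IP to your real address; a growing "directed" count from one source is the thing worth looking at, the broadcast count is just the segment being noisy.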

bluzfanmr1

Senior Member
ColinTaylor said:
It's just Ethernet broadcast traffic, ignore it. The only odd thing is the variation in IP address ranges, but they all belong to Comcast so I guess that's just their weird internal network design. Maybe they're migrating some of their network equipment.
Thanks for the confirmation, appreciate it.
 

Tech Junky

Very Senior Member
C:\Windows\system32>nslookup 73.98.97.68
Name: c-73-98-97-68.hsd1.nm.comcast.net
Address: 73.98.97.68

C:\Windows\system32>nslookup 98.60.201.185
*** pi.hole can't find 98.60.201.185: Non-existent domain

C:\Windows\system32>nslookup 174.56.0.202
Name: c-174-56-0-202.hsd1.nm.comcast.net
Address: 174.56.0.202

All of them are Comcast IPs located in NM. Seem to be residential IPs from the naming of the DNS. Might be someone doing an nmap scan or something or as stated CC doing some changes to the network.
 

bluzfanmr1

Senior Member
Tech Junky said:
C:\Windows\system32>nslookup 73.98.97.68
Name: c-73-98-97-68.hsd1.nm.comcast.net
Address: 73.98.97.68

C:\Windows\system32>nslookup 98.60.201.185
*** pi.hole can't find 98.60.201.185: Non-existent domain

C:\Windows\system32>nslookup 174.56.0.202
Name: c-174-56-0-202.hsd1.nm.comcast.net
Address: 174.56.0.202

All of them are Comcast IPs located in NM. Seem to be residential IPs from the naming of the DNS. Might be someone doing an nmap scan or something or as stated CC doing some changes to the network.
I did notice that these were all Comcast IPs and, since I live in a condo complex with a very crowded environment, wondered if it could possibly be a nefarious neighbor or someone's infected device. I think I'll report this to Comcast and see what happens. Thanks for the reply.
 

Tech Junky

Very Senior Member
Yeah, with them all in different subnets it's not likely it's neighbors. It could be something on the CC side generating a ping scan of the node you're on to see who's active before they bring it down for maintenance. Since there weren't any malicious complaints about the IPs in question it might just be alert and keep tabs on it for a little while unless you notice an impact. Seems like the router is doing its job though dropping them. Otherwise if you contact them you can ask to purge your MAC and reboot the CM to get a new IP and see if anything changes.
 

RMerlin

Asuswrt-Merlin dev
Tech Junky said:
Seems like the router is doing its job though dropping them.
I would consider disabling logging however if the router is getting a lot of dropped packets, as logging these will put a strain on the router's CPU.
 

bluzfanmr1

Senior Member
RMerlin said:
I would consider disabling logging however if the router is getting a lot of dropped packets, as logging these will put a strain on the router's CPU.
I was going to say that it is putting somewhat of a load on the router and it's noticeable to me, especially when trying to follow the System Log page. I had to remove scribe, which made things better but messy, then being overloaded with drops.
 
