Why does a non-leased IP appear in my Firewall connection list?

Hi All

The Firewall | Connections tab is showing connections from a LAN IP 192.168.88.104 (as well as x.x.x.105 / 106 / 107 - see attached image) being established with multiple external IPs.

This LAN IP 192.168.88.104 (as well as x.x.x.105 / 106) does not appear in my list of IPs being leased out by DHCP.

I would expect that ONLY IPs being leased by DHCP can have valid Firewall Connections - which device can obtain an IP from the DHCP server running on the LAN interface?

I want to rule out the possibility that malware is establishing these “rogue connections” via these IPs.

Any explanations that could clarify this for me would be greatly appreciated.

Hello,
You can use an address list: whenever a device obtains an IP, DHCP places this IP on an address list.
So your NAT - Masquerade rule only applies to the IPs that are on this address list.

To put it even simpler - there is no automatic link between DHCP leases and firewall, so if a device is configured with a static address from your LAN subnet, your firewall rules accept it unless you do what @leoservices has suggested.

Assuming you would know what is connected to your wired network, I guess that you are concerned about wireless devices. There is also the /interface wireless access-list or /capsman access-list (which one is suitable depends on your configuration) which allows you to treat wireless devices individually depending on their MAC addresses.
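
The cross-check the replies above imply, as an added example that is not part of the original thread: list LAN source addresses in the connection table that have no bound DHCP lease, which is how a statically configured device shows up. The key=value sample lines are constructed, and the 192.168.88.0/24 subnet and 192.168.88.1 router address are assumptions (IPv4 only).

```python
import ipaddress
import re

# Constructed sample data in key=value form; not taken from the poster's router.
LEASES = """\
0 address=192.168.88.10 mac-address=AA:BB:CC:00:00:10 status=bound
1 address=192.168.88.11 mac-address=AA:BB:CC:00:00:11 status=bound
2 address=192.168.88.12 mac-address=AA:BB:CC:00:00:12 status=waiting
"""
CONNECTIONS = """\
0 protocol=tcp src-address=192.168.88.10:51522 dst-address=203.0.113.7:443
1 protocol=tcp src-address=192.168.88.104:40110 dst-address=198.51.100.20:443
2 protocol=udp src-address=192.168.88.104:5353 dst-address=198.51.100.53:53
3 protocol=tcp src-address=192.168.88.12:49000 dst-address=203.0.113.9:80
4 protocol=tcp src-address=203.0.113.50:33000 dst-address=192.168.88.10:22
5 protocol=icmp src-address=192.168.88.105 dst-address=198.51.100.1
"""

def parse_fields(line):
    """Turn 'n key=value key=value ...' into a dict, ignoring the row index."""
    return dict(re.findall(r"(\S+?)=(\S+)", line))

def host_of(endpoint):
    """Strip ':port' from an IPv4 endpoint; ICMP rows carry no port."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint

def bound_leases(lease_text):
    """Addresses whose lease is currently bound (a 'waiting' lease is not in use)."""
    rows = (parse_fields(l) for l in lease_text.splitlines())
    return {ipaddress.ip_address(r["address"]) for r in rows
            if r.get("status") == "bound" and "address" in r}

def unleased_sources(conn_text, lease_text,
                     lan="192.168.88.0/24", router="192.168.88.1"):
    """Map each LAN source without a bound lease to the destinations it talks to."""
    lan_net = ipaddress.ip_network(lan)           # assumed LAN subnet
    known = bound_leases(lease_text) | {ipaddress.ip_address(router)}
    report = {}
    for line in conn_text.splitlines():
        row = parse_fields(line)
        if "src-address" not in row:
            continue
        src = ipaddress.ip_address(host_of(row["src-address"]))
        # WAN-originated rows (src outside the LAN) are skipped, not flagged.
        if src in lan_net and src not in known:
            report.setdefault(str(src), []).append(row.get("dst-address", "?"))
    return report

if __name__ == "__main__":
    for ip, dsts in unleased_sources(CONNECTIONS, LEASES).items():
        print(f"{ip} has no bound lease; talking to {', '.join(dsts)}")
```

Each flagged address can then be matched to a MAC in the router's ARP table to identify the physical device.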