I am looking for some guidance on how to isolate what may appear to be a rogue IP/Client lingering in my network.
My DHCP network is configured as follows:
172.20.30.0/25
IP Pool is configured as:
172.20.30.10-172.20.30.100
On my Firewall/Connections, I am seeing multiple source clients on the LAN attempting to reach what appears to be the following IP/port within my network.
172.20.30.127:137
172.20.30.127:138
Examples below:
/ip firewall connection> print
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
# PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS ORIG-BYTES REPL-BYTES
125 C udp 172.20.30.96:138 172.20.30.127:138 3s 0bps 0bps 2 0 440 0
126 C udp 172.20.30.96:137 172.20.30.127:137 3s 0bps 0bps 4 0 312 0
343 C udp 172.20.30.57:59957 172.20.30.127:15600 8s 0bps 0bps 1 0 63 0
198 C udp 172.20.30.57:33124 172.20.30.127:15600 3s 0bps 0bps 1 0 63 0
102 C udp 172.20.30.20:137 172.20.30.127:137 3s 0bps 0bps 1 0 96 0
Given that NetBIOS operates on 137/138, I thought to myself, could there be something bigger going on here given that the destined IP of 172.20.30.127 does not exist on my IP pool? I went as far as disabling NetBIOS on my network by adding a DHCP option below and applying it to my DHCP network configuration, to no avail. The option appears to be functioning, but the requests continue on my firewall. I may be taking the wrong approach here but would appreciate anyone's input.
/ip dhcp-server option> print
# NAME CODE VALUE RAW-VALUE
0 microsoft-disable-netbios-option 43 0x010400000002 010400000002
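
Added example, not part of the original post: a Python script that classifies each destination in the connection table above against the 172.20.30.0/25 subnet and the DHCP pool, to tell a host address apart from the subnet's own broadcast address. The rows are copied from the post; the function names and role labels are this example's own.

```python
import ipaddress

# Subnet and DHCP pool exactly as given in the post.
SUBNET = ipaddress.ip_network("172.20.30.0/25")
POOL = (ipaddress.ip_address("172.20.30.10"), ipaddress.ip_address("172.20.30.100"))

# Rows copied from the post's "/ip firewall connection print" output.
# UDP rows have an empty TCP-STATE column, so each row has 12 fields.
ROWS = """\
125 C udp 172.20.30.96:138 172.20.30.127:138 3s 0bps 0bps 2 0 440 0
126 C udp 172.20.30.96:137 172.20.30.127:137 3s 0bps 0bps 4 0 312 0
343 C udp 172.20.30.57:59957 172.20.30.127:15600 8s 0bps 0bps 1 0 63 0
198 C udp 172.20.30.57:33124 172.20.30.127:15600 3s 0bps 0bps 1 0 63 0
102 C udp 172.20.30.20:137 172.20.30.127:137 3s 0bps 0bps 1 0 96 0
"""

def classify(addr, net=SUBNET, pool=POOL):
    """Return the role an address plays inside the subnet (labels are ours)."""
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "outside-subnet"
    if ip == net.broadcast_address:
        return "subnet-broadcast"
    if ip == net.network_address:
        return "network-address"
    return "dhcp-pool" if pool[0] <= ip <= pool[1] else "static-or-unknown"

def summarize(rows=ROWS):
    """Return (src, dst, dst_port, dst_role, reply_packets) per connection row."""
    out = []
    for line in rows.splitlines():
        f = line.split()
        if len(f) != 12:          # skip headers or rows in another layout
            continue
        src = f[3].rsplit(":", 1)[0]
        dst, dport = f[4].rsplit(":", 1)
        out.append((src, dst, int(dport), classify(dst), int(f[9])))
    return out

if __name__ == "__main__":
    print("broadcast address of", SUBNET, "is", SUBNET.broadcast_address)
    for src, dst, dport, role, replies in summarize():
        print(f"{src:>14} -> {dst}:{dport:<6} {role:<17} reply-packets={replies}")
```

For the rows in the post, every destination classifies as subnet-broadcast and no row has reply packets, which is the pattern one-way broadcast traffic leaves in a connection table.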