I have a pfSense router at an office I manage. I'm not very familiar with it, but I've gone through the options on it and read up about it a bit. I'm having a problem that I'm not sure how to resolve.

The ISP has notified the office that there have been malicious requests from our IP address directed at other servers. The information they sent shows that the "PORT HIT" was "x.x.x.x:49039->x.x.x.x:23". I found a packet capture on the pfSense and set it to listen on the LAN interface and put 49039 in for the port number. I started the packet capture, but I don't see it reporting anything, nor do I know where to find the log or output of the packet capture.

It looks like this pfSense router is from a July version in 2015, so it looks like the firmware needs to be updated. This router looks very powerful and I'd like to learn more about it. I'm used to using SonicWall routers mainly, so this is a little different.

Oh, and here's a really strange thing that's going on there. I called the ISP and told them that I wasn't sure where the IP address that is reporting the malicious activity is. The IP on the WAN side of the router ends in 69 and the reporting IP is 71. They said that they were not able to see any devices ARPing to that IP address at that moment. If I check the WAN IP on one of the networks in the office (there are 7 suites--so there are at least 8 VLANs), it ends in 71. I've scanned all 8 of the computers on that reporting network but nothing came up as infected. On the pfSense router, under Virtual IP Addresses, there are three in there and one is the IP that ends in 71. So, I know where that IP address is set up. I just don't know how to track down the offender on the network.

My main question is, how do I set up monitoring on the pfSense to be able to track down which device is causing trouble? Thanks in advance for your help!
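
One way to approach the question above, as an added example that is not part of the original post: the source port of an outbound connection (49039 in the ISP's report) is normally picked per connection by the client, so the stable field to match on is the destination port, 23 (telnet), captured on the LAN side before outbound NAT replaces the private source address. The script below tallies which LAN hosts open new connections to port 23 from text in the style of `tcpdump -nn` output; the sample lines, the 192.168.0.0/16 LAN range and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -nn` text output on a LAN-side
# interface. Addresses come from RFC 1918 and documentation ranges.
SAMPLE = """\
10:15:01.100001 IP 192.168.40.12.51514 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
10:15:02.200002 IP 192.168.40.57.49039 > 203.0.113.9.23: Flags [S], seq 7, win 5840, length 0
10:15:02.300003 IP 192.168.40.57.41822 > 203.0.113.77.23: Flags [S], seq 9, win 5840, length 0
10:15:02.400004 IP 203.0.113.9.23 > 192.168.40.57.49039: Flags [S.], seq 3, ack 8, win 1024, length 0
10:15:03.500005 IP 192.168.40.57.38110 > 198.51.100.201.23: Flags [S], seq 4, win 5840, length 0
10:15:04.600006 IP 192.168.40.12.51520 > 192.168.40.1.53: 4242+ A? example.com. (29)
"""

LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def telnet_initiators(text, lan="192.168.0.0/16", port=23):
    """Map each LAN source IP to the set of remote hosts it sent a bare SYN to on `port`."""
    lan_net = ipaddress.ip_network(lan)  # assumed LAN range; adjust per VLAN
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a TCP line (for example the DNS query in the sample)
        if int(m["dport"]) != port or m["flags"] != "S":
            continue  # match on destination port; skip replies such as [S.]
        if ipaddress.ip_address(m["src"]) in lan_net:
            hits[m["src"]].add(m["dst"])
    return dict(hits)

def report(text):
    """One summary line per LAN host, most distinct targets first."""
    rows = sorted(telnet_initiators(text).items(), key=lambda kv: -len(kv[1]))
    return [f"{src}: {len(dsts)} distinct port-23 targets" for src, dsts in rows]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

A single workstation reaching many unrelated addresses on port 23 is the pattern to look for; its private IP can then be matched to a device through the DHCP leases or ARP table on the router.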