My log reports router attempt every two minutes..what is it?

I have a linksys router and in CPF I have ID 0 and 1 allowing my LAN zone- at first I had my LAN zone range as: to

but today I decided to tighten the range to: to

My LAN zone is ID 0 and 1. I have only one block rule, on ID3:

Block & Log | IP In | Any | Any | Where IPPROTO is Any

When I tightened the LAN zone, the log started reporting this about every two minutes:

Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Incoming
Reason: Network Control Rule ID = 3

My router is on What is it trying to access at IP 224.0.01? And what is that IP? Should I allow it? Everything seems to be working ok.

G’day Mike,

Quick question for you - if your router is in the 192.168.1.X subnet, why isn’t it in the same zone as the PCs in the same subnet? The router is part of your LAN and should be included in the same zone as the PCs that connect through it.

If you want to be really, really tight, give your PCs static addresses of,, 192.168.4 etc. Then make your zone from to (assuming your have three PCs).

If you used the wizard to create a zone and set it as a trusted zone, you shuld have ended up with more than 3 rules. From memory, you should have ended up with about 7 rules.

My suggestion would be to

  1. Temporarily disconnect from the internet
  2. Delete the three rules you currently have in the Network monitor
  3. Allocate static IPs to your PCs
  4. Redefine the zone using the wizard, setting the addresses to match the routers/PCs addresses
  5. Set that zone as trusted
  6. Reboot your PC
  7. Reconnect to the internet after rebooting your PC.

This will automatically create the appropriate rules.

The ip resolves to ALL-SYSTEMS.MCAST.NET ( is located in Marina Del Rey, California, United States.

Is it possible this is your ISP?

Hope this helps,
Ewen :slight_smile:

Those addresses are part of the Cicso IOS(router and switch operating system). It is part of the new IGMPv2 standard and is used by Linksys routers also, as they are owned by Cisco. I don’t know whether other brands use it or not. I’m guessing they do as it is a standard. They are for intranetwork communication. Here is a webpage that sheds some light on how it operates:


Ok, I did what you recommended and created static IP’s on my 3 pc’s, range (router) to

I deleted the rules I made, and made a new trusted zone with the new range. I think it created 0 and 1 (not 7 rules)

Here is what I have now:

Rule 2 is for netmeeting.

Rule 3 worries me- is this opening all tcp ports? I had made a Block IP in Any rule, because I thought I needed it, do I?

I still think the router may be pinging out to, and it’s not my ISP. Should I block



Take a look at this link:,1125.msg30093.html#msg30093; it specifically addresses the current default rules, and what rules should be added when you run the Network Wizard. Your rules look a little out of whack to me; not sure how they got that way, but you for sure want a block rule at the bottom… (the whole thread about Network Control Rules is worth the time, imo)

The IP is part of the IGMP multicast block; if this is in play apparently you’re multicasting. Jasper has indicated that this is used by the Linksys router, which could mean it’s a communication “internal” to your LAN. I can’t direct you in that area, but I’m sure Jasper or Ewen can help there.


I read that post and understand how rules work now. They are very flexible and just want to make sure I’ve got the defaults I need, since I think I messed up the defaults.

Here’s what I have now:

Better move that Block rule to the bottom… :smiley:

In CPF, the rules work from top to bottom, filtering on the way through. Each connection attempt starts at the top and continues until it’s stopped/reaches its destination. So if your Block rule is in position 4 (rule #3), everything below that is blocked… No connection. :o If you don’t need those rules, then fine; but if you do… more :o

Keeping in mind the following:

An “In” rule applies to an inbound connection request.
An “Out” rule applies to an outbound request. When a website returns information to your browser, although this is direction “In” it’s not an inbound request; it’s in response to your outbound request.
All Application Rules work within the confines of your Network Rules, so opening up “Out” communication doesn’t mean that just any application can connect; it can only connect if it’s allowed to do so in a way that lines up with the Network Rule.


You are right about the addresses being multicast Little Mac. What is using the address is Upnp and SSDP services. I also see going to my wireless router if I have those services enabled. If you disable SSDP and Upnp under services on your PC you won’t see those addresses anymore as that is where all the traffic is being initiated.

Sorry for getting everything off of the subject here Mike77, but I have seen quite a few threads asking about what that address does and is it needed. I personally have those services disabled now as I don’t need them for anything and am having no trouble.

Now let me get out of the way here and let these guys finish helping you Mike77.

(:TNG) (:AGY)


Yeah, I have those disabled as well. Security risk and all…

If you don’t know that you need to multicast, or otherwise specifically need those services, they can be safely disabled (along with many others…).

If you’re just a home user, and not doing online gaming, there are things you just don’t need…

But that’s all kind of a side issue…


I moved the block down, how’s this look?

Is this the right defaults- except #2 which I created for netmeeting to work.

Thanks, Mike

Thanks for the info. I searched for info and found this site that discusses Upnp in detail:

Much better! ;D Looks like that matches the defaults pretty well, unless my eyes deceive me…

Regarding the NetMeeting, do you initiate the connection, or does someone else/some other machine? Cuz if UR the one to start the connect, I’d take the “In” off the rule, and leave at just “Out” (unless that proves to interfere).

I don’t use NetMeeting or communicate with other computers on a LAN; my only “In” rule is to block; all other rules are “Out.” If I need a remote response, it comes following my “Out” request for an “In” response.


Hey Mike,

That looks much better. Let us know if this rule set works for you and we’ll tag this topic as resolved.

Thanks Jasper and LM. Your help is much appreciated.

Ewen :slight_smile:

I provide software support and remote nemeeting users call me via netmeeting when we decide on phone if needed. I give them my IP and they initiate a netmeeting to me. I have several dozen to support so I dont want to keep track of their IP#'s. Netmeeting establishes a different tcp port each use, so I had create a range of open tcp ports. I observed netmeeting in the log trying to open a port up in the 50000 range once, but I’m only keeping a range of open tcp at 1057-4999 for now, and it seems to be working so far.

All is working ok and I no longer have the router logging every two minutes- but is this only because I put the router in my safe LAN zone range? What if the router is still trying to access every two minutes?

Shouldn’t I create a Block IP In for my router? I never thought my router itself would be trying to go out on it’s own to the internet. Is it still doing so? To find out should I take it out of my safe range temporarily as a test?

Your rule ID 2 should be set to just IN. You already have a general “any” rule for out.
You can also set destination as zone.

Since you are using netmeeting, i’m not sure if that count’s as streaming audio/video (multicast) in your case… ?
You can try to set a block rule for it, and if it doesn’t work, just change it to allow.

Right click the default block rule and choose add/add before
The rule for IGMP would look like this.
Action : Block (or Allow)
Protocol : IP
Direction : In
Source IP : Any
Destination IP : Any
IP Details : IGMP

Remember to restart CF.

Some routers (mine) does have a option to enable or disable multicast broadcast.