Interesting, and educational. I’ve worked small company LAN setups, which generally follow the textbook guidelines. What’s being discussed is not the usual kind of textbook stuff.
While it is true that the RFC 1918 address spaces (10.x.x.x, 172.[16-31].x.x, 192.168.x.x) don’t, or shouldn’t, be routed on the Internet, within a corporate LAN like that of an ISP those addresses are reasonable to expect. I’ve seen that kind of use for secured areas, like the bookkeeping department, but I’ve never run into it being exposed to customer space. It makes for chance for customer private allocation collision, or worse, spoofing.
One thing stood out in the log extract that housiemousie2 posted. All that traffic seemed to be just one kind of DHCP packet, from a server out to a booting client.
Wild speculation on my part, is that the ISP is doing some form of DHCP load balancing. This 10.249.64.1 is broadcasting addresses, and as a customer machine boots, that customer sees whatever offered address is in one of these broadcast packets, and then in turn handshakes to the actual DHCP server identified in the packet. That would explain the 22 meg of log data in a matter of minutes. The actual traffic would have to be examined to confirm or deny this is a valid guess or not.
It would also mean that CFP rules for this ISP in particular, and maybe cable modems in general, would be a little different. Maybe something like this:
remembering the DHCP server is port 67, and the booting client is port 68
allow out protocol UDP from host 0.0.0.0 port 68 to host 255.255.255.255 port 67
allow in protocol UDP from host 10.0.0.0 mask 255.0.0.0 port 67 to host 255.255.255.255 port 68
allow out protocol UDP from myhost port 68 to host 255.255.255.255 port 67
allow in protocl UDP from myLAN port 67 to host 255.255.255.255 port 68
allow in&out protocol UDP from myLAN to myLAN
This handles two distinct cases: when the offering DHCP server is outside the LAN, and client renews from inside the LAN, and the customer LAN has multiple hosts.