Hello,

so I have been getting these TCP SYN log messages for over a year now.  I have read some guides on using wireshark but couldn't figure it out.

https://community.tp-link.com/en/business/kb/detail/412708

Not sure what it's explaining in step 5) Test verification:.  I assume it's wireshark he's using here, but it doesn't say, but either the guide assumes you already know how to use wireshark or it's incomplete.  And what is meant by PC (controller) just a PC with wireshark? Anyway I don't have an eithernet device other than a bunch of SBC's so Im not messing around trying to install wireshark in docker. and the pictures from what I can see only show local DHCP addresses.  Anyway I gave up and just decided to block all incoming from the WAN.  

So I added 2 ACL rules.

Rule 1 I only permitted the source from cloudflare and destination to all IP

Rule 2 I denied all locations with a location group with all countries added.

My cloudflare self hosted site is working fine,  but still getting the TCP SYN attacks every 10 mins.  and in the firewall rules I have the following

Maybe I made a mistake in my ACL logic, but the main thing that bothers me is that why are the IP addresses not automatically logged for the TCP SYN attacks?

I have WAF settings at cloudflare that only allow 2 counties to visit via the domain URL, so it's very puzzling to me.  I spent almost 400 euros on the omada setup and basic things like logging an IP are missing.  If I could see the IP then I could have solved this over a year ago, maybe it's coming from cloudflare and the router is misreporting it, but I don't want to take out a PHD in wireshark to find out, I paid 400 euros these features should be obligatory at this price range.

Sorry for the rant, but if I could go back 2 years knowing what I know now, I don't think I would consider the same purchases, and would not have gone down the omada path.