OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: StP on April 11, 2018, 04:57:55 pm
-
I just found an unknown IP (192.168.0.45) in our network. It replies to a ping and looking at the reply with Wireshark the answer originates from the LAN interface of our OPNsense firewall. We never used 192.168.x.x here at the company, so I'm quite sure I did not configure it somewhere. And looking through the firewall's config I don't find any place where this is set.
Clueless here, anyone with an idea?
Stefan
Edit (fabian): Mark as solved
-
Have a look at the OPNsense ARP Table to see whether it's connected locally (and to what interface). If so, the MAC address might give you a clue about the vendor. If not, do a traceroute.
-
Hm, tracert looks strange to me.
C:\>tracert 192.168.0.45
Routenverfolgung zu 192.168.0.45 über maximal 30 Hops
1 <1 ms <1 ms <1 ms 172.16.30.1
2 18 ms 18 ms 17 ms 217.5.98.15
3 18 ms 20 ms 18 ms 192.168.0.45
172.16.30.1 is the Firewall's LAN interface.
217.5.98.15 is an external IP address assigned to my internet provider.
The firewall's WAN IP is 217.86.xxx.xxx
So the question is: Why is a ping to a local network address sent over WAN?
Stefan
-
Any chance it's your ISP modem web interface?
-
I can reproduce this (ping / traceroute). It's some system on Deutsche Telekom's network, but I don't know what it does.
Tracing route to 192.168.0.45 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 172.20.55.75
2 14 ms 16 ms 14 ms 217.5.98.15
3 14 ms 13 ms 14 ms 192.168.0.45
Trace complete.
You said you noticed traffic to / from this address in your LAN. I would do a packet capture and look what it is.
So the question is: Why is a ping to a local network address sent over WAN?
Everything is sent over the default route unless it's covered by a more specific route. So if you don't use 192.168.0.0/24 in your LANs then the router's only choice is to send it over the WAN.
Any chance it's your ISP modem web interface?
No it's not. It is on the ISP's side, behind the default gateway (217.5.98.15). Also the round-trip time is much to long for a local device.
-
Maurice,
I always thought private networks (RFC 1918) should never be routed to public networks (which my WAN is).
I'm I wrong?
I did not see traffic to/from this address. I just did a IP scan on my local network using netscan.exe by SoftPerfect.
Stefan
-
You could file a ticket with your ISP on that as it sounds like it's a mistake on their side and something that probably shouldn't be there.
-
You could file a ticket with your ISP on that as it sounds like it's a mistake on their side and something that probably shouldn't be there.
I just did that - they have no idea what is happening...
Maurice, are you a customer of Deutsche Telekom?
If not, how come you were able to reproduce?
BTW:
Right now 192.168.0.48 is not existing but 192.168.0.45 is.
Weird
-
I always thought private networks (RFC 1918) should never be routed to public networks (which my WAN is).
I'm I wrong?
You're right, they shouldn't, but it's up to the individual routers and firewalls to prevent that. Technically, RFC 1918 addresses are not "special". They're just reserved for private use by definition. OPNsense by default creates a firewall rule which blocks packets from private IPv4 addresses on the WAN interface ("Block private networks" setting). Check if that's enabled. However, this will not prevent packets going out to RFC 1918 addresses over the WAN. To prevent that, you might want to create an additional (floating) firewall rule.
I did not see traffic to/from this address. I just did a IP scan on my local network using netscan.exe by SoftPerfect.
Then I wouldn't worry. :)
-
Maurice, are you a customer of Deutsche Telekom?
If not, how come you were you able to reproduce?
Not a customer myself, but I have access to a Deutsche Telekom DSL line. You mentioned 217.5.98.15 (which is owned by DT) so I tested from the DT line. You're right that it wouldn't be possible to reproduce this from another ISP.
-
I have now set up a rule to block that traffic. Works.
Thanks!
-
This is what Nmap says:
nmap -T4 -A -v 192.168.0.45
Result (excerpt):
646/tcp open tcpwrapped
Device type: specialized
Running: AVtech embedded
OS details: AVtech Room Alert 26W environmental monitor
Network Distance: 3 hops
Seems it is definitely somewhere outside our company. We never used such a device.
-
Problem solved by my ISP.
Thanks everyone
-
Did they tell you what kind of system it was? I guess they were happy you didn't "investigate" further... ;)