I just found an unknown IP (192.168.0.45) in our network. It replies to a ping and looking at the reply with Wireshark the answer originates from the LAN interface of our OPNsense firewall. We never used 192.168.x.x here at the company, so I'm quite sure I did not configure it somewhere. And looking through the firewall's config I don't find any place where this is set.
Clueless here, anyone with an idea?
Stefan
Edit (fabian): Mark as solved
Have a look at the OPNsense ARP Table to see whether it's connected locally (and to what interface). If so, the MAC address might give you a clue about the vendor. If not, do a traceroute.
Hm, tracert looks strange to me.
C:\>tracert 192.168.0.45
Routenverfolgung zu 192.168.0.45 über maximal 30 Hops
1 <1 ms <1 ms <1 ms 172.16.30.1
2 18 ms 18 ms 17 ms 217.5.98.15
3 18 ms 20 ms 18 ms 192.168.0.45
172.16.30.1 is the Firewall's LAN interface.
217.5.98.15 is an external IP address assigned to my internet provider.
The firewall's WAN IP is 217.86.xxx.xxx
So the question is: Why is a ping to a local network address sent over WAN?
Stefan
Any chance it's your ISP modem web interface?
I can reproduce this (ping / traceroute). It's some system on Deutsche Telekom's network, but I don't know what it does.
Tracing route to 192.168.0.45 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 172.20.55.75
2 14 ms 16 ms 14 ms 217.5.98.15
3 14 ms 13 ms 14 ms 192.168.0.45
Trace complete.
You said you noticed traffic to / from this address in your LAN. I would do a packet capture and look what it is.
Quote from: StP on April 12, 2018, 09:20:15 AM
So the question is: Why is a ping to a local network address sent over WAN?
Everything is sent over the default route unless it's covered by a more specific route. So if you don't use 192.168.0.0/24 in your LANs then the router's only choice is to send it over the WAN.
Quote from: bartjsmit on April 12, 2018, 01:54:52 PM
Any chance it's your ISP modem web interface?
No it's not. It is on the ISP's side, behind the default gateway (217.5.98.15). Also the round-trip time is much to long for a local device.
Maurice,
I always thought private networks (RFC 1918) should never be routed to public networks (which my WAN is).
I'm I wrong?
I did not see traffic to/from this address. I just did a IP scan on my local network using netscan.exe by SoftPerfect.
Stefan
You could file a ticket with your ISP on that as it sounds like it's a mistake on their side and something that probably shouldn't be there.
Quote from: Animosity022 on April 12, 2018, 03:10:02 PM
You could file a ticket with your ISP on that as it sounds like it's a mistake on their side and something that probably shouldn't be there.
I just did that - they have no idea what is happening...
Maurice, are you a customer of Deutsche Telekom?
If not, how come you were able to reproduce?
BTW:
Right now 192.168.0.48 is not existing but 192.168.0.45 is.
Weird
Quote from: StP on April 12, 2018, 02:51:10 PM
I always thought private networks (RFC 1918) should never be routed to public networks (which my WAN is).
I'm I wrong?
You're right, they shouldn't, but it's up to the individual routers and firewalls to prevent that. Technically, RFC 1918 addresses are not "special". They're just reserved for private use by definition. OPNsense by default creates a firewall rule which blocks packets
from private IPv4 addresses on the WAN interface ("Block private networks" setting). Check if that's enabled. However, this will not prevent packets going out
to RFC 1918 addresses over the WAN. To prevent that, you might want to create an additional (floating) firewall rule.
Quote from: StP on April 12, 2018, 02:51:10 PM
I did not see traffic to/from this address. I just did a IP scan on my local network using netscan.exe by SoftPerfect.
Then I wouldn't worry. :)
Quote from: StP on April 12, 2018, 03:54:30 PM
Maurice, are you a customer of Deutsche Telekom?
If not, how come you were you able to reproduce?
Not a customer myself, but I have access to a Deutsche Telekom DSL line. You mentioned 217.5.98.15 (which is owned by DT) so I tested from the DT line. You're right that it wouldn't be possible to reproduce this from another ISP.
I have now set up a rule to block that traffic. Works.
Thanks!
This is what Nmap says:
nmap -T4 -A -v 192.168.0.45
Result (excerpt):
646/tcp open tcpwrapped
Device type: specialized
Running: AVtech embedded
OS details: AVtech Room Alert 26W environmental monitor
Network Distance: 3 hops
Seems it is definitely somewhere outside our company. We never used such a device.
Problem solved by my ISP.
Thanks everyone
Did they tell you what kind of system it was? I guess they were happy you didn't "investigate" further... ;)