OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: StP on April 11, 2018, 04:57:55 pm

Title: [SOLVED] Mysterious IP address
Post by: StP on April 11, 2018, 04:57:55 pm: I just found an unknown IP (192.168.0.45) in our network. It replies to a ping and looking at the reply with Wireshark the answer originates from the LAN interface of our OPNsense firewall. We never used 192.168.x.x here at the company, so I'm quite sure I did not configure it somewhere. And looking through the firewall's config I don't find any place where this is set.

Clueless here, anyone with an idea?

Stefan

Edit (fabian): Mark as solved
Title: Re: Mysterious IP address
Post by: Maurice on April 11, 2018, 05:22:50 pm: Have a look at the OPNsense ARP Table to see whether it's connected locally (and to what interface). If so, the MAC address might give you a clue about the vendor. If not, do a traceroute.
Title: Re: Mysterious IP address
Post by: StP on April 12, 2018, 09:20:15 am: Hm, tracert looks strange to me.

C:\>tracert 192.168.0.45
Routenverfolgung zu 192.168.0.45 über maximal 30 Hops
1 <1 ms <1 ms <1 ms 172.16.30.1
2 18 ms 18 ms 17 ms 217.5.98.15
3 18 ms 20 ms 18 ms 192.168.0.45

172.16.30.1 is the Firewall's LAN interface.
217.5.98.15 is an external IP address assigned to my internet provider.
The firewall's WAN IP is 217.86.xxx.xxx

So the question is: Why is a ping to a local network address sent over WAN?

Stefan
Title: Re: Mysterious IP address
Post by: bartjsmit on April 12, 2018, 01:54:52 pm: Any chance it's your ISP modem web interface?
Title: Re: Mysterious IP address
Post by: Maurice on April 12, 2018, 02:09:05 pm: I can reproduce this (ping / traceroute). It's some system on Deutsche Telekom's network, but I don't know what it does.

Code: [Select]
Tracing route to 192.168.0.45 over a maximum of 30 hops 1 1 ms <1 ms <1 ms 172.20.55.75 2 14 ms 16 ms 14 ms 217.5.98.15 3 14 ms 13 ms 14 ms 192.168.0.45 Trace complete.
You said you noticed traffic to / from this address in your LAN. I would do a packet capture and look what it is.

Quote from: StP on April 12, 2018, 09:20:15 am
So the question is: Why is a ping to a local network address sent over WAN?

Everything is sent over the default route unless it's covered by a more specific route. So if you don't use 192.168.0.0/24 in your LANs then the router's only choice is to send it over the WAN.

Quote from: bartjsmit on April 12, 2018, 01:54:52 pm
Any chance it's your ISP modem web interface?

No it's not. It is on the ISP's side, behind the default gateway (217.5.98.15). Also the round-trip time is much to long for a local device.
Title: Re: Mysterious IP address
Post by: StP on April 12, 2018, 02:51:10 pm: Maurice,
I always thought private networks (RFC 1918) should never be routed to public networks (which my WAN is).
I'm I wrong?

I did not see traffic to/from this address. I just did a IP scan on my local network using netscan.exe by SoftPerfect.

Stefan
Title: Re: Mysterious IP address
Post by: guest15389 on April 12, 2018, 03:10:02 pm: You could file a ticket with your ISP on that as it sounds like it's a mistake on their side and something that probably shouldn't be there.
Title: Re: Mysterious IP address
Post by: StP on April 12, 2018, 03:54:30 pm: Quote from: Animosity022 on April 12, 2018, 03:10:02 pm
You could file a ticket with your ISP on that as it sounds like it's a mistake on their side and something that probably shouldn't be there.

I just did that - they have no idea what is happening...

Maurice, are you a customer of Deutsche Telekom?
If not, how come you were able to reproduce?

BTW:
Right now 192.168.0.48 is not existing but 192.168.0.45 is.
Weird
Title: Re: Mysterious IP address
Post by: Maurice on April 12, 2018, 03:56:27 pm: Quote from: StP on April 12, 2018, 02:51:10 pm
I always thought private networks (RFC 1918) should never be routed to public networks (which my WAN is).
I'm I wrong?

You're right, they shouldn't, but it's up to the individual routers and firewalls to prevent that. Technically, RFC 1918 addresses are not "special". They're just reserved for private use by definition. OPNsense by default creates a firewall rule which blocks packets from private IPv4 addresses on the WAN interface ("Block private networks" setting). Check if that's enabled. However, this will not prevent packets going out to RFC 1918 addresses over the WAN. To prevent that, you might want to create an additional (floating) firewall rule.

Quote from: StP on April 12, 2018, 02:51:10 pm
I did not see traffic to/from this address. I just did a IP scan on my local network using netscan.exe by SoftPerfect.

Then I wouldn't worry. :)
Title: Re: Mysterious IP address
Post by: Maurice on April 12, 2018, 04:03:52 pm: Quote from: StP on April 12, 2018, 03:54:30 pm
Maurice, are you a customer of Deutsche Telekom?
If not, how come you were you able to reproduce?

Not a customer myself, but I have access to a Deutsche Telekom DSL line. You mentioned 217.5.98.15 (which is owned by DT) so I tested from the DT line. You're right that it wouldn't be possible to reproduce this from another ISP.
Title: Re: Mysterious IP address
Post by: StP on April 12, 2018, 04:58:49 pm: I have now set up a rule to block that traffic. Works.

Thanks!
Title: Re: Mysterious IP address
Post by: StP on April 12, 2018, 05:12:56 pm: This is what Nmap says:
nmap -T4 -A -v 192.168.0.45

Result (excerpt):
646/tcp open tcpwrapped
Device type: specialized
Running: AVtech embedded
OS details: AVtech Room Alert 26W environmental monitor
Network Distance: 3 hops

Seems it is definitely somewhere outside our company. We never used such a device.
Title: Re: Mysterious IP address
Post by: StP on April 16, 2018, 08:53:29 am: Problem solved by my ISP.

Thanks everyone
Title: Re: Mysterious IP address
Post by: Maurice on April 16, 2018, 03:06:30 pm: Did they tell you what kind of system it was? I guess they were happy you didn't "investigate" further... ;)