What's generating this traffic?

Started by elektroinside, February 19, 2018, 07:40:42 PM

I don't even use these subnets.
Does anybody else have these, or is it just one of my LAN clients?
These events are generated because of custom block rules (Firehol Level 1), and there are a few of them, 1-2/sec.

Basically, on my WAN interface (RDS in the snapshot), something is constantly trying to send data to an unknown 192.168.1.1 on port 3394. I don't have either of them (192.168.1.0/24 or services listening on 3394). Is there something hardcoded in OPNsense?
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

Perhaps it is on the subnet of your ISP modem? Many still offer a web interface even in bridged mode.

Bart...

Quote from: bartjsmit on February 19, 2018, 07:43:08 PM
Perhaps it is on the subnet of your ISP modem? Many still offer a web interface even in bridged mode.

Bart...

Might be... The last time I spoke with my ISP (same ISP, RDS), they explained that they use SNMP for logs/management of their devices. (We were arguing about something, and the argument brought up the remote management matter.)

But that would mean that piece of s**t GPON has its own internal IP (which, btw, I cannot access at all if in bridge mode, or I don't know how). And if so, what the heck is it doing in my LAN???
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

Try logging on the WAN interface to see whether there is traffic from other IPs in the same class as your WAN IP.
If you see such traffic, then your provider has other customers with unsecured/badly configured networks on the same improperly configured switch (or it is just a dumb switch).
The good thing for you is that maybe you can hide your traffic using other customers' IPs on that switch; the bad thing is that others can do the same using your IP.
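
The check suggested in the reply above, as an added example that is not part of the original thread: it reads firewall log records for the WAN interface and counts (a) traffic to RFC 1918 destinations, such as the 192.168.1.1:3394 events from the first post, and (b) sources that sit in the same prefix as the WAN address. The interface name `pppoe0`, the WAN address 198.51.100.23/24 and the four-field record layout are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import Counter

# Assumptions, not values from the thread: interface name, WAN address and
# prefix (documentation range), and the "iface src dst dport" record layout.
WAN_IFACE = "pppoe0"
WAN = ipaddress.ip_interface("198.51.100.23/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records.
SAMPLE = """\
pppoe0 198.51.100.23 192.168.1.1 3394
pppoe0 198.51.100.23 192.168.1.1 3394
pppoe0 198.51.100.77 198.51.100.23 445
pppoe0 203.0.113.9 198.51.100.23 22
igb1 10.0.0.15 192.168.1.1 3394
pppoe0 not-an-ip 192.168.1.1 3394
pppoe0 198.51.100.23 203.0.113.50 443
"""

def triage(text):
    """Return (private_dst, neighbours) counters for records seen on the WAN."""
    private_dst, neighbours = Counter(), Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != WAN_IFACE:
            continue  # malformed line or not the WAN interface
        try:
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
            dport = int(parts[3])
        except ValueError:
            continue  # skip unparsable addresses or ports
        # Private destinations should never be routed out of a public WAN.
        if any(dst in net for net in RFC1918):
            private_dst[(str(src), str(dst), dport)] += 1
        # Other hosts inside our own WAN prefix that show up on our link.
        if src in WAN.network and src != WAN.ip:
            neighbours[str(src)] += 1
    return private_dst, neighbours

if __name__ == "__main__":
    private_dst, neighbours = triage(SAMPLE)
    for (src, dst, dport), n in private_dst.most_common():
        print(f"{n:4d}x {src} -> {dst}:{dport} (RFC 1918 destination on WAN)")
    for src, n in neighbours.most_common():
        print(f"{n:4d}x from {src} (same prefix as WAN address)")
```
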

Quote from: bartjsmit on February 19, 2018, 07:43:08 PM
Perhaps it is on the subnet of your ISP modem? Many still offer a web interface even in bridged mode.

Bart...

Mine does, I use it to get the DSL stats and upload them to a monitoring system. It means I can log in and change the modem settings if I need to. It's not ISP supplied though. :)
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member