Topic: Unusual ip showing in the log (Read 349 times)
headbanger
Newbie
Posts: 14
Karma: 0
Unusual ip showing in the log
on: October 21, 2024, 12:19:04 am
This is kind of a shot in the dark but here goes, has anyone seen this kind of behavior? First let me describe my setup. From the isp modem I connect into the opnsense box wan interface, no surprise there. I am not using the LAN interface except for device admin. I have an interface named office that all computers and printers connect to. I have an interface named iot that all iot devices and phones connect to. The office interface has a static ip of 192.168.2.1. It connects to an Asus Zen Wifi Mesh router (this existed prior to building the opnsense router) which has a static ip of 192.168.1.1. Some computers connect via cable, others connect via WiFi. I see in the firewall log blocked connections coming into the office interface from the Asus router with a destination ip of 192.168.1.116:7788, protocol tcp. Since they are coming out of the router I cannot see the original source unless one of you can describe a way to do that. I see these packets coming from the router even when all devices connected to the router are turned off (unless there is something on the router I am not aware of - possible). Clearly 192.168.1.116 is not an internet ip so I have no idea why the router is sending it. Let me add that there is no device on the Asus router with an ip of 192.168.1.116. Any thoughts?
Last Edit: October 21, 2024, 12:23:45 am by headbanger
bartjsmit
Hero Member
Posts: 2016
Karma: 194
Re: Unusual ip showing in the log
Reply #1 on: October 21, 2024, 08:22:08 am
Quote from: headbanger on October 21, 2024, 12:19:04 am
describe a way to do that.
Interfaces: Diagnostics: Packet Capture
Save the file and open it in Wireshark
headbanger
Newbie
Posts: 14
Karma: 0
Re: Unusual ip showing in the log
Reply #2 on: October 21, 2024, 02:51:44 pm
Thanks for getting back to me. I did think of packet capture but not wireshark. Unfortunately when I try to download the captured data I get "Unexpected Error Check Log for details". I don't know which log to check.
bartjsmit
Hero Member
Posts: 2016
Karma: 194
Re: Unusual ip showing in the log
Reply #3 on: October 21, 2024, 06:19:18 pm
Can you capture any data at all? Maybe your capture file is too large. Is the anomaly predictable or random?
EricPerl
Jr. Member
Posts: 88
Karma: 2
Re: Unusual ip showing in the log
Reply #4 on: October 21, 2024, 08:20:17 pm
So the WAN side of the ASUS is 192.168.2.1/24, the LAN side is 192.168.1.1/24 and you're seeing traffic in OPNsense (connected to the WAN side of the ASUS) with IPs from the LAN side?
No port mirroring set up on the ASUS? Not sure it would even allow mirroring LAN to WAN...
Port 7788 appears to be associated with Steam or Unreal Tournament. Rings a bell?
headbanger
Newbie
Posts: 14
Karma: 0
Re: Unusual ip showing in the log
Reply #5 on: October 21, 2024, 10:42:04 pm
bartjsmit, Yes, I can capture packets, here is one packet:
ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 64, id 49801, offset 0, flags [DF], proto TCP (6), length 72)
192.168.2.102.59963 > 192.168.1.116.7788: Flags
, cksum 0xc5fd (correct), seq 4265057839, win 64240, options [mss 1460,sackOK,TS val 1998323531 ecr 0,nop,wscale 6,mptcp 12 join id 8 token 0x87a2e95e nonce 0x2173f5db], length 0
Attempt to download the package fails, unknown error
EricPerl, you have it correct. The LAN side of Asus is 192.168.1.1/24. The WAN side of Asus is connected to the Office interface of opnsense, 192.168.2.1/24. The DHCP assigned ip on the WAN side of Asus is 192.168.2.102. No port mirroring. Steam is installed on some computers but packets appear even when those computers are turned off. In fact they appear if all computers are turned off. I don't know what Unreal Tournament is so not that. Asus has stock firmware, no packet capture ability.
Sample of the logs I am seeing:
Office 2024-10-21T16:37:58-04:00 192.168.2.102:49825 192.168.1.116:7788 tcp Block everything else in office
Office 2024-10-21T16:37:57-04:00 192.168.2.102:51411 192.168.1.116:7788 tcp Block everything else in office
Office 2024-10-21T16:37:54-04:00 192.168.2.102:49513 192.168.1.116:7788 tcp Block everything else in office
Office 2024-10-21T16:37:28-04:00 192.168.2.102:40767 192.168.1.116:7788 tcp Block everything else in office
Logged
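Added example (editor's code, not part of any post in this thread): a small parser for the log sample quoted in Reply #5 that collapses the changing source ports into one flow and flags a private destination that is not on the logging interface's network. The field layout is assumed from the four quoted lines, the name `summarize_blocks` is hypothetical, and `192.168.2.1/24` is the Office interface address given in the thread.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Layout assumed from the sample in the thread:
# <interface> <ISO timestamp> <src ip:port> <dst ip:port> <proto> <rule label>
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)\s+(?P<label>.+)$"
)

def summarize_blocks(lines, iface_net):
    """Group blocked flows by (src, dst, dport, proto), ignoring the
    ephemeral source port, and flag private destinations that are not
    on the network attached to the logging interface."""
    net = ipaddress.ip_network(iface_net, strict=False)
    flows = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected layout
        try:
            ts = datetime.fromisoformat(m["ts"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed timestamp or address
        flow = flows[(m["src"], m["dst"], int(m["dport"]), m["proto"])]
        flow["count"] += 1
        flow["first"] = ts if flow["first"] is None else min(flow["first"], ts)
        flow["last"] = ts if flow["last"] is None else max(flow["last"], ts)
        # RFC 1918 target that the firewall has no attached network for
        flow["stray_private_dst"] = dst.is_private and dst not in net
    return dict(flows)

# The four log lines quoted in Reply #5
SAMPLE = """
Office 2024-10-21T16:37:58-04:00 192.168.2.102:49825 192.168.1.116:7788 tcp Block everything else in office
Office 2024-10-21T16:37:57-04:00 192.168.2.102:51411 192.168.1.116:7788 tcp Block everything else in office
Office 2024-10-21T16:37:54-04:00 192.168.2.102:49513 192.168.1.116:7788 tcp Block everything else in office
Office 2024-10-21T16:37:28-04:00 192.168.2.102:40767 192.168.1.116:7788 tcp Block everything else in office
"""

if __name__ == "__main__":
    for key, flow in summarize_blocks(SAMPLE.splitlines(), "192.168.2.1/24").items():
        span = (flow["last"] - flow["first"]).total_seconds()
        print(key, flow["count"], f"{span:.0f}s", flow["stray_private_dst"])
```

On the quoted sample this yields a single flow from 192.168.2.102 to 192.168.1.116:7788 with the stray-destination flag set, which is the pattern the thread goes on to trace to the router itself.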
EricPerl
Jr. Member
Posts: 88
Karma: 2
Re: Unusual ip showing in the log
Reply #6 on: October 22, 2024, 10:06:49 pm
So it's clearly the router that's sending this packet on the WAN side.
You might want to go through your router's configuration. Bogus 1:1 NAT?
headbanger
Newbie
Posts: 14
Karma: 0
Re: Unusual ip showing in the log
Reply #7 on: October 22, 2024, 11:12:30 pm
Further investigation has revealed that 192.168.1.116 is the ip address of one of the mesh nodes. I see this as a bug in the Asus firmware. These packets shouldn't be going out to the WAN. Thanks everyone for all your help.