[SOLVED] Mysterious IP address

StP · April 11, 2018, 04:57:55 PM

I just found an unknown IP (192.168.0.45) in our network. It replies to a ping and looking at the reply with Wireshark the answer originates from the LAN interface of our OPNsense firewall. We never used 192.168.x.x here at the company, so I'm quite sure I did not configure it somewhere. And looking through the firewall's config I don't find any place where this is set.

Clueless here, anyone with an idea?

Stefan

Edit (fabian): Mark as solved

Maurice · April 11, 2018, 05:22:50 PM

Have a look at the OPNsense ARP Table to see whether it's connected locally (and to what interface). If so, the MAC address might give you a clue about the vendor. If not, do a traceroute.

StP · April 12, 2018, 09:20:15 AM

Hm, tracert looks strange to me.

C:\>tracert 192.168.0.45
Routenverfolgung zu 192.168.0.45 über maximal 30 Hops
1 <1 ms <1 ms <1 ms 172.16.30.1
2 18 ms 18 ms 17 ms 217.5.98.15
3 18 ms 20 ms 18 ms 192.168.0.45

172.16.30.1 is the Firewall's LAN interface.
217.5.98.15 is an external IP address assigned to my internet provider.
The firewall's WAN IP is 217.86.xxx.xxx

So the question is: Why is a ping to a local network address sent over WAN?

Stefan

bartjsmit · April 12, 2018, 01:54:52 PM

Any chance it's your ISP modem web interface?

Maurice · April 12, 2018, 02:09:05 PM

I can reproduce this (ping / traceroute). It's some system on Deutsche Telekom's network, but I don't know what it does.

Code Select


Tracing route to 192.168.0.45 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  172.20.55.75
  2    14 ms    16 ms    14 ms  217.5.98.15
  3    14 ms    13 ms    14 ms  192.168.0.45

Trace complete.

You said you noticed traffic to / from this address in your LAN. I would do a packet capture and look what it is.

Quote from: StP on April 12, 2018, 09:20:15 AM
So the question is: Why is a ping to a local network address sent over WAN?

Everything is sent over the default route unless it's covered by a more specific route. So if you don't use 192.168.0.0/24 in your LANs then the router's only choice is to send it over the WAN.

Quote from: bartjsmit on April 12, 2018, 01:54:52 PM
Any chance it's your ISP modem web interface?

No it's not. It is on the ISP's side, behind the default gateway (217.5.98.15). Also the round-trip time is much to long for a local device.

StP · April 12, 2018, 02:51:10 PM

Maurice,
I always thought private networks (RFC 1918) should never be routed to public networks (which my WAN is).
I'm I wrong?

I did not see traffic to/from this address. I just did a IP scan on my local network using netscan.exe by SoftPerfect.

Stefan

guest15389 · April 12, 2018, 03:10:02 PM

You could file a ticket with your ISP on that as it sounds like it's a mistake on their side and something that probably shouldn't be there.

StP · April 12, 2018, 03:54:30 PM

Quote from: Animosity022 on April 12, 2018, 03:10:02 PM
You could file a ticket with your ISP on that as it sounds like it's a mistake on their side and something that probably shouldn't be there.

I just did that - they have no idea what is happening...

Maurice, are you a customer of Deutsche Telekom?
If not, how come you were able to reproduce?

BTW:
Right now 192.168.0.48 is not existing but 192.168.0.45 is.
Weird

Maurice · April 12, 2018, 03:56:27 PM

Quote from: StP on April 12, 2018, 02:51:10 PM
I always thought private networks (RFC 1918) should never be routed to public networks (which my WAN is).
I'm I wrong?

You're right, they shouldn't, but it's up to the individual routers and firewalls to prevent that. Technically, RFC 1918 addresses are not "special". They're just reserved for private use by definition. OPNsense by default creates a firewall rule which blocks packets from private IPv4 addresses on the WAN interface ("Block private networks" setting). Check if that's enabled. However, this will not prevent packets going out to RFC 1918 addresses over the WAN. To prevent that, you might want to create an additional (floating) firewall rule.

Quote from: StP on April 12, 2018, 02:51:10 PM
I did not see traffic to/from this address. I just did a IP scan on my local network using netscan.exe by SoftPerfect.

Then I wouldn't worry. :)

Maurice · April 12, 2018, 04:03:52 PM

Quote from: StP on April 12, 2018, 03:54:30 PM
Maurice, are you a customer of Deutsche Telekom?
If not, how come you were you able to reproduce?

Not a customer myself, but I have access to a Deutsche Telekom DSL line. You mentioned 217.5.98.15 (which is owned by DT) so I tested from the DT line. You're right that it wouldn't be possible to reproduce this from another ISP.

StP · April 12, 2018, 04:58:49 PM

I have now set up a rule to block that traffic. Works.

Thanks!

StP · April 12, 2018, 05:12:56 PM

This is what Nmap says:
nmap -T4 -A -v 192.168.0.45

Result (excerpt):
646/tcp open tcpwrapped
Device type: specialized
Running: AVtech embedded
OS details: AVtech Room Alert 26W environmental monitor
Network Distance: 3 hops

Seems it is definitely somewhere outside our company. We never used such a device.

StP · April 16, 2018, 08:53:29 AM

Problem solved by my ISP.

Thanks everyone

Maurice · April 16, 2018, 03:06:30 PM

Did they tell you what kind of system it was? I guess they were happy you didn't "investigate" further... ;)

[SOLVED] Mysterious IP address

StP

April 11, 2018, 04:57:55 PM Last Edit: April 16, 2018, 06:30:35 PM by fabian

Maurice

April 11, 2018, 05:22:50 PM #1

StP

April 12, 2018, 09:20:15 AM #2

bartjsmit

April 12, 2018, 01:54:52 PM #3

Maurice

April 12, 2018, 02:09:05 PM #4 Last Edit: April 12, 2018, 02:11:12 PM by Maurice

StP

April 12, 2018, 02:51:10 PM #5 Last Edit: April 12, 2018, 02:54:17 PM by StP

guest15389

April 12, 2018, 03:10:02 PM #6

StP

April 12, 2018, 03:54:30 PM #7 Last Edit: April 12, 2018, 03:58:03 PM by StP

Maurice

April 12, 2018, 03:56:27 PM #8

Maurice

April 12, 2018, 04:03:52 PM #9

StP

April 12, 2018, 04:58:49 PM #10

StP

April 12, 2018, 05:12:56 PM #11

StP

April 16, 2018, 08:53:29 AM #12

Maurice

April 16, 2018, 03:06:30 PM #13