Huawei B818 Bridged Mode
-
@deanfourie bump
-
They are in your ARP table not the routing table.
163.47.0.1 is in both because it's the WAN gateway address.
163.47.1.1 and 163.47.2.1 appear to be IPs on the same device, using the same Huawei MAC, which I assume is the LTE router but could be something further upstream.
I have no idea why those IPs are on that devuce but since they're inside the WAN subnet it's expected that they would appear in the ARP table. Nothing there looks like a problem.
Steve
-
@stephenw10 Ok so I called my ISP yesterday and today. Their response is that these subnets or this IP range has nothing to do with them, and they believe this route is introduced by me and refuse to take any responsibility for it.
So now I'm sitting with a DYNAMIC route which pfSense sees as STATIC (S), to a university in Japan, and I cannot for the life of me work out how it got there.
Also to add, that this appears to be at Layer 2 as I also am seeing entries in my ARP table.
ISP claims it has nothing to do with them whatsoever.
-
@deanfourie Ill just put this here.
I now have NS1 and NS2 in my ARP table.
Some interesting images below. A traceroute still seems to go out via layer 3 and takes a few hops.
-
163.43.X.X is not inside the /16 you are being passed (163.47.0.0/16) so traffic to it will be routed as expected. You would not be able to reach any of the real addresses in that subnet though. I doubt your ISP actually has that entire /16. It could be the modem doing whatever shenanigans it has to to pass the WAN IP to you directly.
163.47.0.0/22 is assigned to that college in Japan but your traffic is not going via that. Something in the route is incorrectly using the IP.
https://bgpview.io/prefix/163.47.0.0/22Your ISP actually has at most 163.47.222.0/22: https://bgpview.io/prefix/163.47.220.0/22
You probably can't reach this site for example: https://www2.metro-cit.ac.jp/~ee/
Because that resolves to 163.47.1.2 and pfSense thinks that is local to it.
Steve
-
Is that MAC address actually the modem?
If the modem is not in bridged mode can you see what gateway and subnet the ISP are actually passing?
Steve
-
@stephenw10 But thats the thing, I can reach 163.47.0.1 and anything at the entire 163.47.0.0/16 subnet. Everything is reachable.
I have done port scans on that subnet and found open http ports with webservers running that I can browse.
Also, pfSense still resolves that's IP to the hostname as stated about to the .ac.jp.
I'm just confused and a little concerned as I'm sure you could imagine. This is a strange thing to see in your routing table and this is not what I would consider "normal".
I may not be routing my traffic through that subnet or IP, however I could be send DNS queries through that IP as its appearing in my ARP table aswell.
It doesnt make sense.
What I am also noticing is, as I have also stated in previous posts I can see network hosts continuously appearing and disappearing when doing network scans. (They show up in one scan, then they dont in another scan, and so on). Also in ntopng, clients randomly show as on a ghost network, and this continues to move around between hosts.
There is something fishy going on!
-
The port scans you showed before were against the wrong subnet so I'd be surprised if you can reach anything other then the 3 IPs that appear in the ARP table.
Is that MAC address the local modem?
If you take the modem out of bridge mode can you see the gateway and subnet mask the ISP is actually sending it?
You're right, something is incorrectly using those IPs when it doesn't own them. It's either the ISP or the modem. Traffic is not actually going via Japan though.
Steve
-
Ok, so im going to kick this old chestnut off again.
I now have more static routes in my routing table. One is 100.0.0.1 and appears to be a 100.0.0.0/8 network.
Now, if I ping ANY address in 100.x.x.x range, it creates a ARP entry for that address on my WAN interface (I have arpwatch installed and sends me a notification). The ARP table fills up so much so that it cannot be opened and times out.
Why would this be happening?
-
@deanfourie See attached.
-
If you have 100.0.0.0/8 as a local subnet then when you try to ping anything in it pfSense will try to ARP for it. It looks like something upstream is responding. Probably something configured for proxyarp.
Steve
-
Again, this is not a static route I have put there. And I have no local subnet on 100.0.0.0
This route and these ARP entries are on my WAN interface.
-
Right it's added by DHCP. It's in the routing table though. It's a local subnet to pfSense.
-
@stephenw10 but how can my ISP be giving me an entire layer 2 subnet at 100.0.0/8.
What if I need to visit a website at 100.60.4.1 for example?
-
You wouldn't be able to. It's a bad config. I have no idea why your ISP (or perhaps the modem) is passing that to you.
I seem to recall you said that doesn't happen at the modem when it's not in bridge mode?
That seems to imply the modem is somehow adding it.Steve
-
@stephenw10 well I can't say for certain if it is or is not doing it when not in bridge mode, as I cannot see the routing table, or the ARP table. I would imagine it does do it.
A bad config on my end or ISP?
-
Yes probably should be the CGNAT space, 100.64.0.0/10.
