Netgate Discussion Forum
    Huawei B818 Bridged Mode

    General pfSense Questions

      deanfourie @deanfourie

      @deanfourie bump

        stephenw10 Netgate Administrator

        They are in your ARP table not the routing table.

        163.47.0.1 is in both because it's the WAN gateway address.

        163.47.1.1 and 163.47.2.1 appear to be IPs on the same device, using the same Huawei MAC, which I assume is the LTE router but could be something further upstream.

        I have no idea why those IPs are on that device but since they're inside the WAN subnet it's expected that they would appear in the ARP table. Nothing there looks like a problem.

        Steve

          deanfourie @stephenw10

          @stephenw10 Ok so I called my ISP yesterday and today. Their response is that these subnets or this IP range has nothing to do with them, and they believe this route is introduced by me and refuse to take any responsibility for it.

          So now I'm sitting with a DYNAMIC route which pfSense sees as STATIC (S), to a university in Japan, and I cannot for the life of me work out how it got there.

          Also to add, that this appears to be at Layer 2 as I also am seeing entries in my ARP table.

          ISP claims it has nothing to do with them whatsoever.

            deanfourie @deanfourie

            @deanfourie I'll just put this here.

            I now have NS1 and NS2 in my ARP table.

            Some interesting images below. A traceroute still seems to go out via layer 3 and takes a few hops.

            arp.PNG

            routes.PNG

            nmap scan.PNG

            web.PNG

            web2.PNG

            tracert.PNG

              stephenw10 Netgate Administrator

              163.43.X.X is not inside the /16 you are being passed (163.47.0.0/16) so traffic to it will be routed as expected. You would not be able to reach any of the real addresses in that subnet though. I doubt your ISP actually has that entire /16. It could be the modem doing whatever shenanigans it has to to pass the WAN IP to you directly.

              163.47.0.0/22 is assigned to that college in Japan but your traffic is not going via that. Something in the route is incorrectly using the IP.
              https://bgpview.io/prefix/163.47.0.0/22

              Your ISP actually has at most 163.47.222.0/22: https://bgpview.io/prefix/163.47.220.0/22

              You probably can't reach this site for example: https://www2.metro-cit.ac.jp/~ee/

              Because that resolves to 163.47.1.2 and pfSense thinks that is local to it.

              Steve

                stephenw10 Netgate Administrator

                Is that MAC address actually the modem?

                If the modem is not in bridged mode can you see what gateway and subnet the ISP are actually passing?

                Steve

                  deanfourie @stephenw10

                  @stephenw10 But that's the thing, I can reach 163.47.0.1 and anything at the entire 163.47.0.0/16 subnet. Everything is reachable.

                  I have done port scans on that subnet and found open http ports with webservers running that I can browse.

                  Also, pfSense still resolves that IP to the hostname as stated above to the .ac.jp.

                  I'm just confused and a little concerned as I'm sure you could imagine. This is a strange thing to see in your routing table and this is not what I would consider "normal".

                  I may not be routing my traffic through that subnet or IP, however I could be sending DNS queries through that IP as it's appearing in my ARP table as well.

                  It doesn't make sense.

                  What I am also noticing is, as I have also stated in previous posts, I can see network hosts continuously appearing and disappearing when doing network scans. (They show up in one scan, then they don't in another scan, and so on). Also in ntopng, clients randomly show as on a ghost network, and this continues to move around between hosts.

                  There is something fishy going on!

                    stephenw10 Netgate Administrator

                    The port scans you showed before were against the wrong subnet so I'd be surprised if you can reach anything other than the 3 IPs that appear in the ARP table.

                    Is that MAC address the local modem?

                    If you take the modem out of bridge mode can you see the gateway and subnet mask the ISP is actually sending it?

                    You're right, something is incorrectly using those IPs when it doesn't own them. It's either the ISP or the modem. Traffic is not actually going via Japan though.

                    Steve

                      deanfourie

                      Ok, so I'm going to kick this old chestnut off again.

                      I now have more static routes in my routing table. One is 100.0.0.1 and appears to be a 100.0.0.0/8 network.

                      Now, if I ping ANY address in 100.x.x.x range, it creates an ARP entry for that address on my WAN interface (I have arpwatch installed and it sends me a notification). The ARP table fills up so much so that it cannot be opened and times out.

                      Why would this be happening?

                        deanfourie @deanfourie

                        @deanfourie See attached.

                        Screenshot from 2022-04-30 09-28-56.png

                          stephenw10 Netgate Administrator

                          If you have 100.0.0.0/8 as a local subnet then when you try to ping anything in it pfSense will try to ARP for it. It looks like something upstream is responding. Probably something configured for proxyarp.

                          Steve

                            deanfourie @stephenw10

                            @stephenw10

                            Again, this is not a static route I have put there. And I have no local subnet on 100.0.0.0.

                            This route and these ARP entries are on my WAN interface.

                              stephenw10 Netgate Administrator

                              Right it's added by DHCP. It's in the routing table though. It's a local subnet to pfSense.

                                deanfourie @stephenw10

                                @stephenw10 But how can my ISP be giving me an entire layer 2 subnet at 100.0.0/8?

                                What if I need to visit a website at 100.60.4.1 for example?

                                  stephenw10 Netgate Administrator

                                  You wouldn't be able to. It's a bad config. I have no idea why your ISP (or perhaps the modem) is passing that to you.
                                  I seem to recall you said that doesn't happen at the modem when it's not in bridge mode?
                                  That seems to imply the modem is somehow adding it.

                                  Steve

                                    deanfourie @stephenw10

                                    @stephenw10 Well I can't say for certain if it is or is not doing it when not in bridge mode, as I cannot see the routing table, or the ARP table. I would imagine it does do it.

                                    A bad config on my end or ISP?

                                      stephenw10 Netgate Administrator

                                      Yes probably should be the CGNAT space, 100.64.0.0/10.

                                      1 Reply Last reply Reply Quote 0
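
The on-link decision discussed in this thread, as an added example that is not part of the original posts or of pfSense itself: a host ARPs directly for any destination inside a connected prefix, so a WAN prefix wider than the ISP's real allocation captures addresses that belong to someone else. The function names are hypothetical, 163.47.220.0/22 is taken from the bgpview link in the thread, and 163.43.0.10 and 100.64.0.1 are constructed sample addresses.

```python
import ipaddress


def classify(dest, on_link):
    """'arp' if the host treats dest as on-link (ARPs for it directly), else 'gateway'."""
    net = ipaddress.ip_network(on_link)
    return "arp" if ipaddress.ip_address(dest) in net else "gateway"


def shadowed(on_link, expected):
    """Ranges inside the on-link prefix but outside the prefix expected on this
    segment. Destinations there are resolved with ARP on the WAN segment
    instead of being sent to the gateway."""
    link = ipaddress.ip_network(on_link)
    exp = ipaddress.ip_network(expected)
    if link.subnet_of(exp):       # on-link prefix is no wider than expected
        return []
    if not exp.subnet_of(link):   # prefixes do not nest: whole on-link prefix is suspect
        return [str(link)]
    return [str(n) for n in sorted(link.address_exclude(exp))]


def audit(on_link, expected, samples):
    """Summarise how far a lease's on-link prefix exceeds the expected one."""
    gaps = shadowed(on_link, expected)
    return {
        "too_wide": bool(gaps),
        "shadowed": gaps,
        "shadowed_addresses": sum(
            ipaddress.ip_network(g).num_addresses for g in gaps
        ),
        "samples": {ip: classify(ip, on_link) for ip in samples},
    }


if __name__ == "__main__":
    # Prefixes, 163.47.1.2 and 100.60.4.1 come from the thread;
    # 163.43.0.10 and 100.64.0.1 are constructed sample addresses.
    print(audit("100.0.0.0/8", "100.64.0.0/10", ["100.60.4.1", "100.64.0.1"]))
    print(audit("163.47.0.0/16", "163.47.220.0/22", ["163.47.1.2", "163.43.0.10"]))
```

Running the same audit against the prefix learned over DHCP in bridge mode and in router mode would show whether the wide prefix only appears when the modem is bridged.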