Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    LAN to Non LAN Private Network

    Scheduled Pinned Locked Moved General pfSense Questions
    30 Posts 7 Posters 4.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F Offline
      firewalluser
      last edited by

      @NOYB:

      @mer
      re: packet capture; Just SYN packet.  Not very interesting.
      re: All or just one Windows clients; All
      re: Address change recently; No recent address changes.  Even happens on a recently installed machine.

      @jahonix
      re: sure about that?; Yes.  Look into firewall float rules.
      re: pfSense blocks ingress, not egress; On the interface rules yes, float rules can be configured for egress.

      @firewalluser
      At least one of the machines is new fresh install.  So no history of devices at those addresses.
      Packet capture is just TCP SYN.

      @All
      Hadn't seen any since late last night. Fired up Skype (desktop version 7.8.0.102) and about 10 minutes later their it is again.  Coincidence or cause?

      Check the installation of agreement of skype.

      Any information you pass over the skype network allows MS to investigate.

      I stopped using it 4/5 years ago when Bing started probing one of my webservers trying to access a URL which is only known to me for an app I was developing and the person I gave that info to in a Skype chat.

      Have you ever mentioned the ip addresses 192.168.1.6  and 192.168.1.8 in a skype call or skype chat linked to the account you are using, that you can recall?

      Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

      Asch Conformity, mainly the blind leading the blind.

      1 Reply Last reply Reply Quote 0
      • N Offline
        NOYB
        last edited by

        @firewalluser:

        Have you ever mentioned the ip addresses 192.168.1.6  and 192.168.1.8 in a skype call or skype chat linked to the account you are using, that you can recall?

        Only after the fact.

        1 Reply Last reply Reply Quote 0
        • jahonixJ Offline
          jahonix
          last edited by

          @firewalluser:

          …when Bing started probing one of my webservers trying to access a URL ...

          No it's not Bing. It's an NSA proxy.
          German magazine Heise had a lengthy article about it.

          1 Reply Last reply Reply Quote 0
          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator
            last edited by

            Well if you can not tell anything from the sniff of what it is.. Then look on the machine for what application/service/dll is generating the traffic.  Those are clearly not standard ports for services.

            Simple netstat -anb should help you find the PID of the program trying to make the TCP connection.  The udp might be harder to catch.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • N Offline
              NOYB
              last edited by

              @jahonix:

              @firewalluser:

              …when Bing started probing one of my webservers trying to access a URL ...

              No it's not Bing. It's an NSA proxy.
              German magazine Heise had a lengthy article about it.

              Aren't they all, Facebook, Twitter, Google, Yahoo, Bing, Windows, Skype, routers, disk drives, "smart" phones, etc, 3 letter agency proxies.  Get people to freely hand over personal information and there is then no need for a search warrant.  And even worse, no oversight.

              1 Reply Last reply Reply Quote 0
              • N Offline
                NOYB
                last edited by

                @johnpoz:

                Well if you can not tell anything from the sniff of what it is.. Then look on the machine for what application/service/dll is generating the traffic.  Those are clearly not standard ports for services.

                Simple netstat -anb should help you find the PID of the program trying to make the TCP connection.  The udp might be harder to catch.

                I'll give that a try.

                So far it seems to have a timing correlation with Skype activity.  Just sent a Skype to a friend and poof there it was again after nothing since last night.

                1 Reply Last reply Reply Quote 0
                • DerelictD Offline
                  Derelict LAYER 8 Netgate
                  last edited by

                  Packet capture on the inbound/LAN interface should yield a MAC address.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  1 Reply Last reply Reply Quote 0
                  • N Offline
                    NOYB
                    last edited by

                    @Derelict:

                    Packet capture on the inbound/LAN interface should yield a MAC address.

                    Already know the local machines that are involved.  Have a LAN firewall log and pass rule for private networks that are not LAN network.  Then the float WAN out rule blocks.

                    1 Reply Last reply Reply Quote 0
                    • F Offline
                      firewalluser
                      last edited by

                      UEFI bios? Bios virus have been around for a long time before UEFI and considering things like this, maybe flashing your bios on the machines in question might stop the behaviour?
                      http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

                      I'm assuming you've ruled out dos root kits loading before windows?

                      An interesting read which your economic well being amongst other things could depend on, if you want an idea of how innovative some of the thought processes can be. I'm sure some will see the links as nice propagation.
                      NSA Journal of Information Warfare 2015
                      https://cryptome.org/2015/08/nsa-jiw-2015.pdf
                      NSA Journal of Information Warfare 2014
                      https://cryptome.org/2015/08/nsa-jiw-2014.pdf

                      Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                      Asch Conformity, mainly the blind leading the blind.

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        seems odd that skype would send to those IPs..  Is that something that is resolving to those IPs.. I would flush the local cache on the machine, then doing a sniff on your pfsense with no limit on the packets (defaults to 100) and fire up your skype if you think that is what is kicking off the traffic - does it query for any names that resolve to those IPs for some strange reason?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • N Offline
                          NOYB
                          last edited by

                          Just did some more Skype with friend.  And bang.  There it is.

                          Did the net stat and Skype is using that port 38808 but to my friends WAN address.
                          TCP    192.168.2.21:52077    50.43.x.x:38808    ESTABLISHED
                          [Skype.exe]

                          However there is a machine on my friends LAN with 192.168.1.8.

                          Hmmm.  What is Skype trying to accomplish?

                          1 Reply Last reply Reply Quote 0
                          • F Offline
                            firewalluser
                            last edited by

                            Hook this into skype http://www.rohitab.com/apimonitor and see what api's it's using.

                            I wonder if advapi.dll is used or something else buried deep in the bowels of the OS which could suggest a new method of hiding functionality.

                            Of course it could just be a bug which might turn out to be exploitable. Have you tried sending a simple text file between each other? I wonder if your machine HD FAT gets lifted as its quick and easy to lift that as its not particular big in relation to bigger files, omitting standard file locations of course from the FAT to further reduce what gets lifted.

                            Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                            Asch Conformity, mainly the blind leading the blind.

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ Offline
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              is the machine your friend on 192.168.1.8 or .6 for its private IP?  Or you saying its some other machine on his network and his machine is say 192.168.1.14

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 0
                              • N Offline
                                NOYB
                                last edited by

                                Yes friend could be using either of those.  The connection attempt seems to correspond to when I send a message rather than when receiving.

                                Firewall log timestamps correspond with Skype timestamps of my sent messages.

                                1 Reply Last reply Reply Quote 0
                                • johnpozJ Offline
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by

                                  seems like a bug in skype that it would try sending to a rfc1918 address when its connected to other end via a public IP..  Be it you block it or not - it sure is not going to work ;)

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  1 Reply Last reply Reply Quote 0
                                  • F Offline
                                    firewalluser
                                    last edited by

                                    @NOYB:

                                    Yes friend could be using either of those.  The connection attempt seems to correspond to when I send a message rather than when receiving.

                                    Firewall log timestamps correspond with Skype timestamps of my sent messages.

                                    What happens when your friend changes their ip address, do you see a change in the ip address at your end?

                                    And did you say it occurred after the skype call as well, or just during a skype call/chat?

                                    Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                                    Asch Conformity, mainly the blind leading the blind.

                                    1 Reply Last reply Reply Quote 0
                                    • DerelictD Offline
                                      Derelict LAYER 8 Netgate
                                      last edited by

                                      This sounds to me like Skype might be checking to see if the private addresses can communicate locally.

                                      Chattanooga, Tennessee, USA
                                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      1 Reply Last reply Reply Quote 0
                                      • N Offline
                                        NOYB
                                        last edited by

                                        What is being seen currently is during a Skype session; when sending a message.

                                        I with Derelict though.  Although that could potentially break if there was a local Skype client that happened to be listening on that same IP and port combination.  Very unlikely.  But still, seems to be of poor design.  Not good form in my opinion to do stuff like that and go around what the users have established.

                                        1 Reply Last reply Reply Quote 0
                                        • DerelictD Offline
                                          Derelict LAYER 8 Netgate
                                          last edited by

                                          I would think there is some crypto involved using keys that have been agreed upon over the Skype channels first, but with the Skype "malware" who knows.

                                          Chattanooga, Tennessee, USA
                                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                          1 Reply Last reply Reply Quote 0
                                          • F Offline
                                            firewalluser
                                            last edited by

                                            @Derelict:

                                            This sounds to me like Skype might be checking to see if the private addresses can communicate locally.

                                            Only one way to find out and thats to test the scenario, maybe even testing on different subnets behind the same gateway might be interesting.

                                            Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                                            Asch Conformity, mainly the blind leading the blind.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.