Netgate Discussion Forum
    Why is pfSense calling CZ?

    Firewalling
    15 Posts 5 Posters 1.2k Views
    provels:

      @November said in Why is pfSense calling CZ?:

      87.236.194.23

      Could be this CZ IP was sold/leased to someone else, maybe an ad server or such. Perhaps innocuous or perhaps you have malware. What device is 192.168.1.100?

      Peder

      MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
      BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

      DaddyGo (reply to @November):

        @November said in Why is pfSense calling CZ?:

        it sounds like I should start blocking all calls from 192.168.1.100

        This would be a very rough intervention 😉
        Detection and debugging (if any at all) don't have to be done this way.

        What kind of device has the IP address 192.168.1.100?

        If we find out what triggers the requests from the device to CZ,
        you can take action.

        +++edit:
        Probably some application initiates requests to this hosting provider on an intermediate network (CDN, datacenter IP, etc.)
        This is not a real location, but it uses an https port.

        BTW: the request does not get through, because pfBlockerNG is working.

        Do you hate CZ? 😁

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

        November (reply to @provels):

          @provels "What device is 192.168.1.100?" is one of the root questions I'm trying to answer. Currently I'm turning off one or two devices at a time to try to track down which device it is. Any other suggestions?

          November (reply to @DaddyGo):

            @DaddyGo , I don't hate CZ but from what I've read and from my own experience working at a global Internet company, lots of hacking starts from that area.

            jdeloach (reply to @November):

              This post is deleted!
              ptt, Rebel Alliance (reply to @jdeloach):

                @jdeloach said in Why is pfSense calling CZ?:

                IP address 192.168.1.100 is the common address of most cable modems. This has always been the IP address of all cable modems that I've had in the past.

                192.168.100.1 ;)

                provels (reply to @November):

                  @November
                  Ping 192.168.1.100, then do an

                  arp -a
                  

                  to see what MAC address has 1.100 and track down the MAC.

                  PS C:\Users\Me> arp -a
                  
                  Interface: 192.168.0.20 --- 0x17
                    Internet Address      Physical Address      Type
                    192.168.0.1           00-15-5d-00-14-30     dynamic
                    192.168.0.12          00-15-5d-00-14-2c     dynamic
                    192.168.0.61          00-11-0a-54-23-14     dynamic
                    192.168.0.69          00-15-5d-00-14-4b     dynamic
                    192.168.0.71          fc-03-9f-f8-86-d8     dynamic
                    192.168.0.100         0c-41-3e-91-6e-60     dynamic
                    192.168.0.101         30-0d-43-26-00-e8     dynamic
                    192.168.0.106         00-15-5d-00-14-45     dynamic
                    192.168.0.108         00-1e-64-4d-d0-2e     dynamic
                    192.168.0.111         00-15-5d-00-14-2d     dynamic
                    192.168.0.150         30-52-cb-e7-50-71     dynamic
                    192.168.0.200         00-00-f0-a3-f3-33     dynamic
                    192.168.0.204         00-09-b0-e6-5c-b0     dynamic
                    192.168.0.255         ff-ff-ff-ff-ff-ff     static
                    224.0.0.22            01-00-5e-00-00-16     static
                    224.0.0.251           01-00-5e-00-00-fb     static
                    224.0.0.252           01-00-5e-00-00-fc     static
                    239.255.255.250       01-00-5e-7f-ff-fa     static
                  

                  Or try a

                  
                  ping -an
                  

                  and maybe it will resolve the device name.

                  PS C:\Users\Me> ping -an 192.168.0.150
                  
                  Pinging XPS13 [192.168.0.150] with 32 bytes of data:
                  Reply from 192.168.0.150: bytes=32 time=5ms TTL=128
                  Reply from 192.168.0.150: bytes=32 time=7ms TTL=128
                  Reply from 192.168.0.150: bytes=32 time=5ms TTL=128
                  Reply from 192.168.0.150: bytes=32 time=9ms TTL=128
                  


                    November (reply to @ptt):
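The ping-then-`arp -a` lookup above, automated. This is an added example and not code from the thread or from provels: it parses both the Windows `arp -a` format posted above and the FreeBSD `arp -an` format you get from the pfSense shell (that FreeBSD sample, the MACs in it, and the abridged Windows table are constructed for the example), normalises the MAC, and then says what the entry is: broadcast or multicast (not a host), a locally administered MAC (typical of VMs, containers or randomised addresses), a vendor from a tiny built-in OUI table (only Microsoft's 00:15:5d, used by Hyper-V virtual NICs, is included; everything else needs the IEEE registry), or a plain host to chase by MAC. Because the address in a firewall log can be the firewall's own interface, which is what the thread eventually finds for 192.168.1.100, `identify()` takes an optional list of the firewall's own addresses and checks those first. It does not run ping for you: an ARP entry only exists for a host that was talked to recently, so ping the address before reading the table.

```python
"""Work out who owns an IP seen in pfBlockerNG / firewall logs from the ARP table.

Added example, not code from the thread. Reads arp output you paste or pipe in;
it does not run ping itself, so ping the address first.
"""
import re
import sys
from typing import Dict, Iterable, Optional

# Windows `arp -a` row:  "  192.168.0.150   30-52-cb-e7-50-71   dynamic"
_WIN_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)
# FreeBSD (pfSense shell) `arp -an` row: "? (192.168.1.1) at 00:11:22:33:44:55 on em1 ..."
_BSD_ROW = re.compile(
    r"^\S+ \((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I
)

# Constructed subset of the IEEE OUI registry. 00:15:5d is Microsoft's prefix,
# used by Hyper-V virtual NICs; anything else must be looked up in the real list.
OUI_HINTS = {"00:15:5d": "Microsoft (Hyper-V virtual NIC)"}


def parse_arp(text: str) -> Dict[str, str]:
    """Map IPv4 -> MAC (normalised to aa:bb:cc:dd:ee:ff) from either arp format."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = _WIN_ROW.match(line) or _BSD_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def classify_mac(mac: str) -> str:
    """Say what kind of thing a MAC address is before you go hunting for it."""
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast address, not a host"
    if mac.startswith("01:00:5e"):
        return "IPv4 multicast address, not a host"
    oui = mac[:8]
    if oui in OUI_HINTS:
        return f"host {mac}, vendor {OUI_HINTS[oui]}"
    if int(mac[:2], 16) & 0x02:  # locally-administered bit of the first octet
        return f"host {mac}, locally administered MAC (VM, container or randomised address)"
    return f"host {mac}, OUI {oui} not in the local table: look it up in the IEEE registry"


def identify(ip: str, arp_text: str, own_addresses: Iterable[str] = ()) -> str:
    """Explain who owns `ip`, checking the firewall's own interfaces first."""
    if ip in set(own_addresses):
        return "the firewall's own interface address: the traffic originates on pfSense itself"
    mac: Optional[str] = parse_arp(arp_text).get(ip)
    if mac is None:
        return "no ARP entry: host is off, on another segment, or was not pinged recently"
    return classify_mac(mac)


# Constructed samples: the Windows table posted above (abridged) and a FreeBSD-style
# table as the pfSense shell would print it (addresses made up for the example).
WINDOWS_ARP = """\
Interface: 192.168.0.20 --- 0x17
  Internet Address      Physical Address      Type
  192.168.0.1           00-15-5d-00-14-30     dynamic
  192.168.0.150         30-52-cb-e7-50-71     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
FREEBSD_ARP = """\
? (192.168.1.1) at 00:11:22:33:44:55 on em1 expires in 1174 seconds [ethernet]
? (192.168.1.100) at 02:aa:bb:cc:dd:ee on em1 expires in 900 seconds [ethernet]
"""

if __name__ == "__main__":
    # Usage:  ping <ip>; arp -a | python3 whois_lan.py <ip> [own-interface-ip ...]
    target, *own = sys.argv[1:] or ["192.168.0.150"]
    text = sys.stdin.read() if not sys.stdin.isatty() else WINDOWS_ARP
    print(f"{target}: {identify(target, text, own)}")
```

Pass the firewall's WAN and LAN addresses (Status > Interfaces in the pfSense GUI, or `ifconfig` in its shell) as the trailing arguments; if the logged source is one of them, the connection was made by a process on pfSense itself (package list updates, DNS resolution, NTP and so on) and no LAN device is involved, which is the branch the thread ends up in.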

                    @ptt , it turns out that 192.168.1.100 is the WAN IP address that my router is using.

                    Thanks much, everyone!

                    The question now is why my router is calling out to CZ, UA, etc.

                      provels (reply to @November):

                      @November
                      Well, there are router exploits. You may want to search for your model and exploits.


                        November (reply to @provels):

                        @provels , that's definitely one of my concerns.

                        I was just made aware of https://atlas.ripe.net/landing/probes-and-anchors/. Whenever I've done a who.is on the target IP addresses, RIPE does come up. I'll try whitelisting them and seeing if that helps.

                          provels (reply to @November):

                          @November
                          Maybe check here:
                          https://duckduckgo.com/?isource=infinity&iname=duckduckgo&itype=web&q=router+exploits+by+manufacturer&atb=v211-1&ia=web


                            DaddyGo (reply to @November):

                            @November said in Why is pfSense calling CZ?:

                            lots of hacking starts from that area.

                            Interesting..

                            CZ is the country next to my place of birth, but I haven't heard of them in connection with things such as harassment, hackers, etc. I worked as a computer scientist in Brno (a city in CZ) for a long time and it never came up.

                            I accept your position, if you feel that way

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.