Netgate Discussion Forum

Block private networks - something from cable-modem is blocked, but what is it?

Firewalling
    JKnott @johnpoz
    last edited by Nov 5, 2020, 4:27 PM

    @johnpoz said in Block private networks - something from cable-modem is blocked, but what is it?:

    Yes its possible to see rfc1918 inside your ISP network.. Not really good setup - but sure your ISP can do that..

    There's no technical reason why not, so long as they don't let it escape. I have seen the 10.x.x.x block used in the past with my ISP, though not lately. Also, one of the reasons Comcast was moving to IPv6 is they were running out of rfc1918 addresses to use for internal networks and management. One advantage is it makes it harder for someone to attach their network. It also conserves public addresses for customers to use.

    PfSense running on Qotom mini PC
    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
    UniFi AC-Lite access point

    I haven't lost my mind. It's around here...somewhere...

      johnpoz LAYER 8 Global Moderator
      last edited by Nov 5, 2020, 4:37 PM

      Yeah "technically" you can do it - doesn't mean it's a "good" idea ;)

      If you don't have enough IPv4 for your ROUTING devices, that route traffic to and from the public internet - you prob shouldn't be in the ISP business ;) hehehee

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        JKnott @johnpoz
        last edited by Nov 5, 2020, 4:44 PM

        @johnpoz

        An ISP has more than just routing to worry about. I have a cable modem, which has an address, I used to have a separate telephone terminal and 3 TV boxes. They were all, at least initially, using IPv4, so that's 5 separate device addresses, before even getting to my own public address. I doubt I was the only customer with only 1 device. As of last week, I have a new IPTV system, where the phone and Internet are in one box and the 3 TVs are on my network behind pfsense, but now everything uses IPv6.

          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz Nov 5, 2020, 4:56 PM Nov 5, 2020, 4:55 PM

          They can give your TV an rfc1918 IPv4 address.. or a CGnat address. Not talking about the other shit devices on their network or their customers devices. I'm talking about their routers inline with routing traffic from their customers to the public internet..

          If they are so tight on public IPv4 space.. Saving the small amount of IPv4 while they give their customer a public seems pointless.

          I could see if you're on CGnat already - then sure as you route through the isp network, all of those IPs might be non public.. But nothing sucks more than seeing public, and then rfc1918, then public again when tracing trying to figure out what is going on ;)

          Technically you can do it sure - but not a good idea.. Could see it as an idea to make a few bucks I guess.. Some guy said hey we can stop using this /X public space we are using on our internal routers and sell those IPs to the customer at $X an ip per month ;) Hope he got a good bonus for doing that ;)

            bmeeks
            last edited by Nov 5, 2020, 4:59 PM

            @Bob-Dig: do you have either Snort or Suricata installed on your box with an instance configured on your WAN interface? If so, the default setup of both of those packages will enable promiscuous mode on the NIC.

            Still, the traffic is curious if the other non-RFC1918 address is your assigned WAN IP.

              JKnott @johnpoz
              last edited by Nov 5, 2020, 5:02 PM

              @johnpoz said in Block private networks - something from cable-modem is blocked, but what is it?:

              They can give your TV an rfc1918 IPv4 address.. or a CGnat address.

              I don't know what addresses they used on the cable side of those devices, as it wasn't visible to me. However, the TVs all have a GUA IPv6 address within my prefix. I don't recall them ever using NAT for customers on the cable network, though it was used on the cell network. These days, they use 464XLAT to provide IPv4 on an IPv6 only network. My ISP is one that has provided IPv6 for years, initially with 6to4 and 6rd tunnels, but about 5 years native.

                Bob.Dig LAYER 8 @bmeeks
                last edited by Nov 5, 2020, 5:02 PM

                @bmeeks said in Block private networks - something from cable-modem is blocked, but what is it?:

                @Bob-Dig: do you have either Snort or Suricata installed on your box with an instance configured on your WAN interface?

                Have Suricata installed but not running on WAN. 🖖

                  johnpoz LAYER 8 Global Moderator
                  last edited by Nov 5, 2020, 5:22 PM

                  My comment about rfc1918 in the trace was to his comment that his friend with a public IPv4 address, not a cgnat address, was seeing rfc1918 in traceroute.

                  While yes you can see that - it's not all that common.. Other than maybe in small mom and pop type isps in my opinion.. Worked for major ISP/MSP for 10+ years.. All public facing devices have public IPs on them.. We use rfc1918 internally..

                  Customers would notice I would think if when tracing to stuff we host in the DC for them from the public if when they enter the DC they saw rfc1918 before their IP ;)

                    Bob.Dig LAYER 8 @johnpoz
                    last edited by Bob.Dig Nov 5, 2020, 5:41 PM Nov 5, 2020, 5:32 PM

                    @johnpoz

                    my ISP to google.de

                     1  * * *
                     2  172.17.128.30 (172.17.128.30)  7.073 ms  9.381 ms  5.628 ms
                     3  192.168.230.64 (192.168.230.64)  7.865 ms  10.381 ms  8.171 ms
                     4  172.17.77.44 (172.17.77.44)  7.353 ms  9.464 ms  7.554 ms
                     5  cable-62-117-4-10.cust.telecolumbus.net (62.117.4.10)  8.846 ms  15.413 ms  9.344 ms
                     6  google.bcix.de (193.178.185.100)  22.072 ms  30.275 ms  23.219 ms
                     7  108.170.241.173 (108.170.241.173)  25.980 ms
                        108.170.241.204 (108.170.241.204)  23.059 ms
                        108.170.241.140 (108.170.241.140)  25.443 ms
                     8  209.85.255.214 (209.85.255.214)  25.016 ms
                        209.85.254.157 (209.85.254.157)  22.981 ms *
                     9  108.170.234.11 (108.170.234.11)  28.215 ms
                        209.85.244.159 (209.85.244.159)  29.941 ms  30.650 ms
                    10  108.170.236.248 (108.170.236.248)  28.514 ms  24.873 ms  28.758 ms
                    11  108.170.251.129 (108.170.251.129)  27.836 ms
                        108.170.252.1 (108.170.252.1)  30.410 ms
                        108.170.251.129 (108.170.251.129)  29.376 ms
                    12  66.249.94.245 (66.249.94.245)  29.435 ms
                        66.249.95.169 (66.249.95.169)  29.522 ms  28.633 ms
                    13  zrh04s06-in-f131.1e100.net (172.217.16.131)  27.943 ms  28.008 ms  28.338 ms
                    

                    my neighbors ISP to google.de

                     1  192.168.178.1 (192.168.178.1)  39.613 ms  2.098 ms  2.508 ms
                     2  192.0.0.1 (192.0.0.1)  7.509 ms  7.649 ms  8.196 ms
                     3  62.214.39.49 (62.214.39.49)  11.928 ms  7.572 ms  7.818 ms
                     4  62.214.37.158 (62.214.37.158)  13.972 ms
                        62.214.37.134 (62.214.37.134)  25.504 ms
                        62.214.37.158 (62.214.37.158)  14.496 ms
                     5  72.14.222.28 (72.14.222.28)  14.041 ms  15.752 ms
                        89.246.109.250 (89.246.109.250)  27.607 ms
                     6  108.170.253.68 (108.170.253.68)  15.083 ms
                        108.170.253.50 (108.170.253.50)  16.507 ms
                        108.170.253.34 (108.170.253.34)  15.434 ms
                     7  66.249.95.169 (66.249.95.169)  18.556 ms
                        108.170.226.49 (108.170.226.49)  15.644 ms  15.429 ms
                     8  172.253.50.100 (172.253.50.100)  19.143 ms
                        zrh04s06-in-f131.1e100.net (172.217.16.131)  27.156 ms
                        172.253.50.100 (172.253.50.100)  18.900 ms
                    

                    Oops, 192.0.0.1 is not RFC 1918 (192.168.178.1 is my neighbor's local LAN) so I was wrong.

                      bmeeks @johnpoz
                      last edited by bmeeks Nov 5, 2020, 6:14 PM Nov 5, 2020, 6:13 PM

                      @johnpoz said in Block private networks - something from cable-modem is blocked, but what is it?:

                      Technically you can do it sure - but not good idea.. Could see it as a idea to make a few bucks I guess.. Some guy said hey we can stop using this /X public space we are using on our internal routers and sell those IPs to the customer at $X an ip per month ;) Hope he got a good bonus for doing that ;)

                      Nah...he probably got a coffee mug with the company logo on it, and if he was really lucky, a $20 gift card for Amazon or Lowes ... 🙂. But both of those would show up at the end of the year on his W2 as taxable income 🙁. The executive in marketing who took the idea and implemented it got a 6-figure annual bonus, though.

                      Can you tell I worked in the Fortune 500 world for too long?

                        johnpoz LAYER 8 Global Moderator
                        last edited by Nov 5, 2020, 6:24 PM

                        Hehe.... Yeah that is true... One of my colleagues got an iPad as a gift at a company function.. Gift my ass, it showed up on his W2 ;)

                        So a couple years ago.. They were asking for ideas for a quick influx of cash.. Talking to my boss, I said you know we are only using a small fraction of our /16 public space.. With no plans of that changing anytime soon.. So we sold off a small portion for $250K.. Well the so called benefit of any sales you do is you're supposed to get 10%... Well that 250K is pure bottom line profit, I ended up getting $5k.. And I had to do all the work in the movement of the IPs, etc. Guess I should have just kept my mouth shut ;)

                        Then they wanted to sell off more.. This time I asked my boss - so will I get the full 10% this time? He was going to make sure I was taken care of - ended up getting 0... arrgghh.. Not like he got anything either... And I got a great attaboy in the company newsletter though ;) I don't blame him, I'm sure he tried.. But yeah corp world can suck!

                        Worked on a recent project, completely outside my responsibilities.. Helping them ramp up a customer's vpn from 500 concurrent users to 10K concurrent users at the start of covid.. That went online in less than 2 weeks.. So freaking lightning fast for corp world and all the change control, etc. etc.. .. I got a $100 amazon gift card for that ;) hehehe

                          johnpoz LAYER 8 Global Moderator
                          last edited by johnpoz Nov 5, 2020, 6:41 PM Nov 5, 2020, 6:35 PM

                          @Bob-Dig said in Block private networks - something from cable-modem is blocked, but what is it?:

                          192.0.0.1 (192.0.0.1) 7.509 ms 7.649 ms 8.196 ms

                          Oh they are prob using DS-Lite with that address.. That's a common address when doing ds-lite for transition and use of IPv4 over an IPv6 backbone..

                          Here is normal, where your ISP is not doing any sort of nat, not using rfc1918 or cgnat, and not doing anything weird with IPv6 as their backbone with IPv4 being tunneled in it, etc.

                          Tracing route to google.de [172.217.8.195]
                          over a maximum of 30 hops:
                          
                            1    <1 ms    <1 ms    <1 ms  sg4860.local.lan [192.168.9.253]
                            2    12 ms    10 ms    11 ms  d4-50-1-135.col.wideopenwest.com [50.4.135.1]
                            3    14 ms     9 ms    18 ms  static-76-73-191-106.knology.net [76.73.191.106]
                          

                          You can see the first hop to my ISP is public ;)

                          With those first hop times from your neighbor - I take it that one was over wireless? 39 ms.. Ugghh

                          And my isp is nothing huge wowway has less than a million subscribers from the info I can gather.

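Bob.Dig's two traces and johnpoz's point that 192.0.0.1 is DS-Lite space rather than RFC 1918 both come down to classifying each hop's address. The following Python is an added example, not code from the thread or from pfSense: it parses BSD/Linux traceroute or Windows tracert output, labels each hop as RFC 1918, CGNAT (RFC 6598), DS-Lite (192.0.0.0/29, RFC 7335) or public, and flags the "public, then rfc1918, then public again" pattern johnpoz describes. The sample trace is a constructed excerpt of the neighbor's trace above.

```python
import ipaddress
import re

# Address blocks discussed in the thread: RFC 1918 private space, RFC 6598
# carrier-grade NAT space, and 192.0.0.0/29 (RFC 7335), which DS-Lite B4
# elements use for their IPv4 side; that is why 192.0.0.1 is not RFC 1918.
SPECIAL_RANGES = [
    ("RFC1918", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC1918", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC1918", ipaddress.ip_network("192.168.0.0/16")),
    ("CGNAT", ipaddress.ip_network("100.64.0.0/10")),
    ("DS-Lite", ipaddress.ip_network("192.0.0.0/29")),
]

HOP_RE = re.compile(r"^\s*(\d+)\s")                     # line that starts a hop
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify(addr: str) -> str:
    """Label one IPv4 address: RFC1918, CGNAT, DS-Lite or public."""
    ip = ipaddress.ip_address(addr)
    for label, net in SPECIAL_RANGES:
        if ip in net:
            return label
    return "public"


def parse_traceroute(text: str) -> list:
    """Return [(hop, address, label)] from traceroute or tracert output.

    Indented continuation lines (a hop answered by several routers) belong
    to the previous hop; '* * *' hops and header lines yield nothing.
    """
    hops, current = [], None
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            current = int(m.group(1))
        if current is None:
            continue                      # still in the header
        # "name (addr)" prints the address twice; keep each address once per line
        for addr in dict.fromkeys(IPV4_RE.findall(line)):
            hops.append((current, addr, classify(addr)))
    return hops


def path_mixes_private_and_public(hops) -> bool:
    """True when a non-public hop appears after a public one on the path."""
    seen_public = False
    for _, _, label in hops:
        if label == "public":
            seen_public = True
        elif seen_public:
            return True
    return False


# Constructed sample: the first hops of the neighbor's trace from the thread.
NEIGHBOUR_TRACE = """\
 1  192.168.178.1 (192.168.178.1)  39.613 ms  2.098 ms  2.508 ms
 2  192.0.0.1 (192.0.0.1)  7.509 ms  7.649 ms  8.196 ms
 3  62.214.39.49 (62.214.39.49)  11.928 ms  7.572 ms  7.818 ms
 4  62.214.37.158 (62.214.37.158)  13.972 ms
    62.214.37.134 (62.214.37.134)  25.504 ms
"""

if __name__ == "__main__":
    for hop, addr, label in parse_traceroute(NEIGHBOUR_TRACE):
        print(f"{hop:2d}  {addr:15s}  {label}")
```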
                            Bob.Dig LAYER 8 @johnpoz
                            last edited by Bob.Dig Nov 5, 2020, 8:01 PM Nov 5, 2020, 7:43 PM

                            @johnpoz ds-lite is pretty common around here (Germany) and yes, an old AP connecting through thick walls.

                            So I blocked RFC1918 outgoing on WAN and since then I don't see any incoming RFC1918 blocks on WAN either. So it was pfSense... I guess

                              johnpoz LAYER 8 Global Moderator
                              last edited by Nov 5, 2020, 8:25 PM

                              Why would pfsense have any reason to talk to your modem on port 80?? No, it wouldn't do that.. A client behind it, sure..

                                Bob.Dig LAYER 8 @johnpoz
                                last edited by Bob.Dig Nov 5, 2020, 8:52 PM Nov 5, 2020, 8:49 PM

                                @johnpoz So I will do more logging on all LANs to find out where this comes from. I made a "matching" floating Rule on all those interfaces, hope it will work.

                                  johnpoz LAYER 8 Global Moderator
                                  last edited by johnpoz Nov 5, 2020, 8:53 PM Nov 5, 2020, 8:52 PM

                                  But still what doesn't make any sense is not seeing syn in your sniff.. If it went through pfsense, or even from pfsense you would see the syn..

                                    Bob.Dig LAYER 8 @johnpoz
                                    last edited by Bob.Dig Nov 5, 2020, 8:59 PM Nov 5, 2020, 8:54 PM

                                    @johnpoz Was the second packet sniff in my life, I don't know stuff.
                                    What if this was a byproduct of my "box" being in bridge mode. I guess pfSense has to talk to that device somehow for dhcp and IPv6 and other stuff anyway, not caring what blocking rules I create... or not, again, I don't know stuff.

                                      johnpoz LAYER 8 Global Moderator
                                      last edited by johnpoz Nov 5, 2020, 9:02 PM Nov 5, 2020, 8:57 PM

                                      @Bob-Dig said in Block private networks - something from cable-modem is blocked, but what is it?:

                                      a4:ca:58

                                      Dude that is the mac of your modem from log on your modem, the last 3 numbers... But in your sniff shows a4:ca:46.. Did you change modems? Do you have a different modem?

                                      Since you don't see the syn, its possible that traffic is just noise from your ISP network. Some other users modem???

                                      Is your modem a Arris brand even?

                                      edit: None of that stuff would be to port 80 (http).. That sniff was syn,ack from 80 to source port - it is an answer to a syn.. But looks like you didn't see the syn coming from or through your pfsense.. So it could be just some weird noise.. And the mac on the modem in your sniff doesn't even match what you're saying your modem is showing in its logs. So why the syn,ack would be sent to your IP is very strange.. Someone with the same IP as you on the ISP network maybe.

                                        Bob.Dig LAYER 8 @johnpoz
                                        last edited by Bob.Dig Nov 5, 2020, 9:05 PM Nov 5, 2020, 9:02 PM

                                        @johnpoz Dude, no I didn't change the modem. It is from a company called compal, as far as I know. It is branded by the ISP.

                                          johnpoz LAYER 8 Global Moderator
                                          last edited by johnpoz Nov 5, 2020, 9:13 PM Nov 5, 2020, 9:05 PM

                                          Then I don't think that has anything to do with your pfsense or your modem at all - and is just random noise on your shitty isp network ;) The mac is not the mac of your modem from your modem's log or your status page.. It might be 1 off, like 5f and 5e sort of thing, on the ethernet interface.. And it's not even the correct brand - the mac showing in your sniff from 100.1 is an Arris brand modem..

                                          yeah it's just NOISE on your isp network - and has nothing to do with your modem or your pfsense... Other than some device tried to send a syn,ack back to your IP.. That would explain why you're not seeing the syn.

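johnpoz's reasoning about the sniff (a SYN/ACK from port 80 with no SYN before it, from a MAC that is not the modem's) can be turned into a check on a capture. The following Python is an added example, not code from the thread or from pfSense: it parses tcpdump-style lines, reports SYN/ACKs addressed to the WAN IP whose connection was never opened by a SYN in the capture, and notes whether each came from the expected upstream MAC. The line format, addresses (documentation ranges) and MACs (locally administered) are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed tcpdump-style line: optional "srcmac > dstmac, " prefix, then
# "IP src.sport > dst.dport: Flags [..]". Flags "S" is a SYN, "S." a SYN/ACK.
LINE_RE = re.compile(
    r"(?:(?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, )?"
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

Packet = namedtuple("Packet", "smac src sport dst dport flags")


def parse_capture(lines):
    """Turn capture lines into Packet tuples; lines that do not match are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            pkts.append(Packet(m["smac"], m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def unsolicited_synacks(pkts, my_ip):
    """SYN/ACKs sent to my_ip whose 4-tuple was never opened by a SYN we saw.

    A SYN/ACK answers a SYN; if the capture point (the pfSense WAN) never saw
    that SYN go out, the reply is not for a connection this host started and
    is most likely stray traffic from elsewhere on the ISP segment.
    """
    opened = set()
    stray = []
    for p in pkts:
        if p.flags == "S" and p.src == my_ip:
            opened.add((p.src, p.sport, p.dst, p.dport))
        elif p.flags == "S." and p.dst == my_ip:
            if (p.dst, p.dport, p.src, p.sport) not in opened:
                stray.append(p)
    return stray


def from_expected_gateway(pkt, gateway_mac):
    """True when the frame's source MAC is the modem/gateway expected upstream."""
    return pkt.smac is not None and pkt.smac.lower() == gateway_mac.lower()


# Constructed capture: 203.0.113.5 is the pfSense WAN address, 02:..:10 its MAC,
# 02:..:20 the modem. The third line is the odd SYN/ACK from 192.168.100.1:80.
MY_WAN_IP = "203.0.113.5"
MODEM_MAC = "02:00:00:00:00:20"
CAPTURE = [
    "02:00:00:00:00:10 > 02:00:00:00:00:20, IP 203.0.113.5.51514 > 198.51.100.9.443: Flags [S], seq 1",
    "02:00:00:00:00:20 > 02:00:00:00:00:10, IP 198.51.100.9.443 > 203.0.113.5.51514: Flags [S.], seq 9, ack 2",
    "02:00:00:00:00:99 > 02:00:00:00:00:10, IP 192.168.100.1.80 > 203.0.113.5.40012: Flags [S.], seq 7, ack 1",
]

if __name__ == "__main__":
    for p in unsolicited_synacks(parse_capture(CAPTURE), MY_WAN_IP):
        who = "modem" if from_expected_gateway(p, MODEM_MAC) else "other device"
        print(f"stray SYN/ACK {p.src}:{p.sport} -> {p.dst}:{p.dport} from {p.smac} ({who})")
```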