ATV4 wants to connect to an "unknown" ip on TCP/7000

bingo600

I have an Apple TV 4K , that works fine. But i'm seeing a lot of connect requests to :

Oct 8 07:09:40 	MMEDIA_STREAMING_IGB2_VL30 	Deny any from this net to Local lans (RFC1918) (1582989127) 	10.xx.yy.107:54331		192.168.1.128:7000		TCP:S

192.168.1.128 is nowhere to be found in my network , 192.168.1.0/24 neither.
It is not in the pfsense routingable. It's always that ip addy, i see deny's for.

I do have avahi enabled and active on some of my vlans , but none have any 192.168.1.x ranges.

I don't see any avahi interface def for wan (would not have selected that anyway) , but could it be picking something up there ?

I have tried to see if i could find any avahi database in the pfSense gui but i can't find anything there.

Could anyone come with a few hints for persuing this ?
Where does the ATV4 get that ip from ??

I don't mind ssh ... for AVAHI debugging.
I have a feeling that it must be learned via mDNS.

I do have a "mini-dlna" server (linux) , but i have not specified anything that resembles 192.168.1.128.

TIA
Bingo

NogBadTheBad

@bingo600 said in ATV4 wants to connect to an "unknown" ip on TCP/7000:

192.168.1.128

192.168.1.128 won't be on the internet.

Your pfSense box isn't behind another router is it.

https://www.speedguide.net/port.php?port=7000

kiokoman

10.xx.yy.107:54331 192.168.1.128:7000 TCP:S

^^^^^^^^^^^^^^ you need to check this device, TCP:SYN, it's the one initiating the connection
who/what is 10.xx.yy.107 ? the apple tv? maybe some misconfigured program inside the apple tv?

NogBadTheBad

https://discussions.apple.com/thread/250472145

Airplay to a device on the local lan with an incorrect IP address I'm guessing.

bingo600

@NogBadTheBad
No the ATV4 is directly connected via a L2 Vlan to the pfsense , and te pfsense is directly connected to the @

bingo600

@kiokoman
Thats my ATV4 ip

bingo600

@NogBadTheBad

I won't disagree here.
But i have (AFAIK) , nothing announcing that ip or range.

That's why i would like to see what avahi (pfsense) has picked up.
But i can't seem to list the db on the pfsense, it just says client not running.

It's not super important , but annoying that spooky things happens on my net.

The ATV4 tries to connect to that ip , after a power off too.

/ingo

NogBadTheBad

@bingo600 said in ATV4 wants to connect to an "unknown" ip on TCP/7000:

The ATV4 tries to connect to that ip , after a power off too

Try an avahi-browse -r -a not sure if it's in the pfSense package.

You may see it, from my homebridge box:-

=   eth0 IPv6 70-35-60-63.1 Living Room Apple TV            _sleep-proxy._udp    local
   hostname = [Living-Room-Apple-TV.local]
   address = [172.16.4.12]
   port = [57806]
   txt = []

IsaacFL

@bingo600

I have seen this Apple traffic also. I use 10.0.0.0/24 subnets for my local network, but Apple devices (apple tvs, ipads, iphones) still send traffic to 192.168.0.0/16 port 7000. I finally made a rule to not log it.

bingo600

@NogBadTheBad said in ATV4 wants to connect to an "unknown" ip on TCP/7000:

avahi-browse -r -a

Avahi still gives client not running.

[2.4.5-RELEASE][admin@..]/root:  avahi-browse -r -a
Failed to create client object: Daemon not running

[2.4.5-RELEASE][admin@..]/root: ps aux | grep avahi
avahi   29428   0.0  0.0    7504    2836  -  I    Thu08        5:17.06 avahi-da
[2.4.5-RELEASE][admin@..]/root: 

bingo600

@IsaacFL
Thanx for that info , i might end up doing the same

/Bingo

NogBadTheBad

@bingo600 said in ATV4 wants to connect to an "unknown" ip on TCP/7000:

@NogBadTheBad said in ATV4 wants to connect to an "unknown" ip on TCP/7000:

avahi-browse -r -a

Avahi still gives client not running.

[2.4.5-RELEASE][admin@..]/root:  avahi-browse -r -a
Failed to create client object: Daemon not running

[2.4.5-RELEASE][admin@..]/root: ps aux | grep avahi
avahi   29428   0.0  0.0    7504    2836  -  I    Thu08        5:17.06 avahi-da
[2.4.5-RELEASE][admin@..]/root: 

So it looks like avahi-browse doesn’t get installed with the avahi pkg, i don’t have it installed and ran avahi-browse from a raspberry pi.

For the life of me I can’t see the Apple TV’s trying to Airplay to a device without it seeing a source via MDNS.

bingo600

@NogBadTheBad

I did install avahi-daemon + utils on my Deb-10 mini-dlna server on the same Vlan.

And used : avahi-browse -r -a -t -v

I see announcements from my ATV4 + my ATV3 + the pfSense
None of these announces anything in the 192.168.x.x range

Maybe IsacFL is right , apple does strange things in the 192.168.x.x range.
Could be that 192.168.1.x id the most used home lan-range out there

NogBadTheBad

Just added a block & log rule, lets see if I see anything.

Do you both have an ATV3, I just have 2 x ATV4s?

bingo600

@NogBadTheBad

That rule ought to catch "it" , if any traffic
I have an ATV4-4K + an old ATV3 (guest room).
The ATV3 is still fine for NetFlix , and i actually like the UI + Remote better than on the 4's.

/Bingo

IsaacFL

@NogBadTheBad said in ATV4 wants to connect to an "unknown" ip on TCP/7000:

Just added a block & log rule, lets see if I see anything.

Do you both have an ATV3, I just have 2 x ATV4s?

I have 2 of the Apple Tvs just prior to the 4K (so 1080P)

I noticed though that it is not just the AppleTVs. The iphones and and ipad are also talking back and forth using 192.168.x.x. You have to use something like WireShark to see it and it is not a lot of traffic.

If you google enough you will find others have seen this also, but since most common home net is using the 192.168, it goes unnoticed.

NogBadTheBad

@IsaacFL

I still haven’t seen any hits to a 192.168.0.0/16 address.

By “ I have 2 of the Apple Tvs just prior to the 4K (so 1080P)” do you mean you have 2 1080 non 4K Apple TV 4’s ?

bingo600

@NogBadTheBad

I just noticed this one "sigh" ...
https://www.reddit.com/r/HomeKit/comments/bk1ee9/home_app_tries_to_communicate_with_random_ip_on/

I live in an appartment , and have lot's of neighbours within BT range

Could be the culprit.

Edit:
As i have both an ATV3 (VPN to US) + an ATV4 in the livingroom , i had ATV3 remote control issues. The ATV4 was picking up the ATV3 remote IR signals.

I blocked the ATV4 IR sensor by covering the ATV4 left front with "Black tape", and now rely on the ATV4 to get the commands via BT (working fine).

That makes disabling BT on the ATV4, "not an option".

Well ... The "loveliness" of wireless , and "ease of use" before security

Edit2: Enabling "on same Lan" would prevent my iPhone/iPad on the "Phone Vlan" to Stream to my ATV4 on the "Mmedia Vlan" .

I guesst i should just learn to live with those TCP:7000 packet blocks.
/Bingo

bingo600

Now my ATV4 has "Fallen in love with 192.168.1.14 TCP:7000"

Well i have had it ...
Made a deny rule targeting ATV4 -> 192.168.1.0/24 (I dont have that range) , and disabled logging.

/Bingo