Block private networks - something from cable-modem is blocked, but what is it?
-
@johnpoz said in Block private networks - something from cable-modem is blocked, but what is it?:
Technically you can do it sure - but not a good idea.. Could see it as an idea to make a few bucks I guess.. Some guy said hey we can stop using this /X public space we are using on our internal routers and sell those IPs to the customer at $X an IP per month ;) Hope he got a good bonus for doing that ;)
Nah...he probably got a coffee mug with the company logo on it, and if he was really lucky, a $20 gift card for Amazon or Lowes... But both of those would show up at the end of the year on his W2 as taxable income. The executive in marketing who took the idea and implemented it got a 6-figure annual bonus, though.
Can you tell I worked in the Fortune 500 world for too long?
-
Hehe.... Yeah that is true... One of my colleagues got an iPad as a gift at a company function.. Gift my ass, it showed up on his W2 ;)
So a couple years ago.. They were asking for ideas for a quick influx of cash.. Talking to my boss, I said you know we are only using a small fraction of our /16 public space.. With no plans of that changing anytime soon.. So we sold off a small portion for $250K.. Well the so-called benefit of any sales you do, you're supposed to get 10%... Well that 250K is pure bottom line profit, I ended up getting $5k.. And I had to do all the work in the movement of the IPs, etc. Guess I should have just kept my mouth shut ;)
Then they wanted to sell off more.. This time I asked my boss - so will I get the full 10% this time? He was going to make sure I was taken care of - ended up getting 0... arrgghh.. Not like he got anything either... And I got a great attaboy in the company newsletter though ;) I don't blame him, I'm sure he tried.. But yeah corp world can suck!
Worked on a recent project, completely outside my responsibilities.. Helping them ramp up a customer's VPN from 500 concurrent users to 10K concurrent users at the start of covid.. That went online in less than 2 weeks.. So freaking lightning fast for corp world and all the change control, etc. etc.. I got a $100 Amazon gift card for that ;) hehehe
-
@Bob-Dig said in Block private networks - something from cable-modem is blocked, but what is it?:
192.0.0.1 (192.0.0.1) 7.509 ms 7.649 ms 8.196 ms
Oh they are prob using DS-Lite with that address.. That's a common address when doing ds-lite for transition and use of IPv4 over an IPv6 backbone..
Here is normal, where your ISP is not doing any sort of nat, not using rfc1918 or cgnat, and not doing anything weird with IPv6 as their backbone with IPv4 being tunneled in it, etc.
Tracing route to google.de [172.217.8.195] over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  sg4860.local.lan [192.168.9.253]
  2    12 ms    10 ms    11 ms  d4-50-1-135.col.wideopenwest.com [50.4.135.1]
  3    14 ms     9 ms    18 ms  static-76-73-191-106.knology.net [76.73.191.106]
You can see the first hop to my ISP is public ;)
With those first hop times from your neighbor - take it that one was over wireless? 39 ms.. Ugghh
And my ISP is nothing huge, wowway has less than a million subscribers from the info I can gather.
-
@johnpoz ds-lite is pretty common around here (Germany) and yes, an old AP connecting through thick walls.
So I blocked RFC1918 outgoing on WAN and since then I don't see any incoming RFC1918 blocks on WAN either. So it was pfSense... I guess
-
Why would pfsense have any reason to talk to your modem on port 80?? No it wouldn't do that.. A client behind sure..
-
@johnpoz So I will do more logging on all LANs to find out where this comes from. I made a "matching" floating Rule on all those interfaces, hope it will work.
-
But still what doesn't make any sense is not seeing syn in your sniff.. If it went through pfsense, or even from pfsense you would see the syn..
-
@johnpoz Was the second packet sniff in my life, I don't know stuff.
What if this was a byproduct of my "box" being in bridge mode. I guess pfSense has to talk to that device somehow for dhcp and other IPv6 stuff anyway, not caring what blocking rules I create... or not, again, I don't know stuff.
-
@Bob-Dig said in Block private networks - something from cable-modem is blocked, but what is it?:
a4:ca:58
Dude that is the mac of your modem from log on your modem, the last 3 numbers... But in your sniff shows a4:ca:46.. Did you change modems? Do you have a different modem?
Since you don't see the syn, it's possible that traffic is just noise from your ISP network. Some other user's modem???
Is your modem an Arris brand even?
edit: None of that stuff would be to port 80 (http).. That sniff was syn,ack from 80 to source port - it is an answer to a syn.. But looks like you didn't see the syn coming from or through your pfsense.. So it could be just some weird noise.. And the mac on the modem in your sniff doesn't even match what you're saying your modem is showing in its logs. So why the syn,ack would be sent to your IP is very strange.. Someone with the same IP as you on the ISP network maybe.
-
@johnpoz Dude, no I didn't change the modem. It is from a company called compal, as far as I know. It is branded by the ISP.
-
Then I don't think that has anything to do with your pfsense or your modem at all - and just random noise on your shitty isp network ;) The mac is not the mac of your modem from your modem's log or your status page.. It might be 1 off like 5f and 5e sort of thing on the ethernet interface.. And it's not even the correct brand - the mac showing in your sniff from 100.1 is an Arris brand modem..
Yeah it's just NOISE on your isp network - and has nothing to do with your modem or your pfsense... Other than some device tried to send a syn,ack back to your IP.. That would explain why you're not seeing the syn.
-
@johnpoz I think Arris is used on the other side, whatever this is called.
-
Like I was saying before blocking rfc1918 produces noise in your logs ;) hehehe.. Even if you had those ports forwarded on pfsense - such traffic would not match any states so a syn,ack wouldn't go anywhere..
That is another place you could look - look in your state table do you see any states to 192.168.100.1?
If the syn would have come through your pfsense, or from something behind pfsense - you would have seen that in the sniff.. Modems don't just randomly send syn,acks from 80 to random ports ;) Somewhere in your ISP network some device with that mac and IP 192.168.100.1 which is an Arris branded mac.. Saw a syn from something saying its IP was yours.. Somehow that got sent to your pfsense wan.. through your isp network.
Guess it could be some sort of attack or worm or something? Just randomly seeing if it could match up with some state table somewhere?? Not an attack I have ever heard of..
-
@johnpoz said in Block private networks - something from cable-modem is blocked, but what is it?:
That is another place you could look - look in your state table do you see any states to 192.168.100.1?
I looked and it isn't in there.
But also this happened randomly and hours between in the first place, so I guess your explanation is the right one. Good night, mate.
-
It is odd for sure ;) thanks for bringing it up - always fun to look at odd shit ;)
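
Added example (not posted by anyone in this thread): the check walked through above, applied to decoded WAN capture records. It flags any SYN,ACK that has no matching outbound SYN and notes whether its source MAC is the local modem's. The record layout, function names, WAN address and MAC values are assumptions constructed for the example.

```python
from collections import namedtuple

# One decoded TCP packet from a WAN capture (field names are this example's own).
Pkt = namedtuple("Pkt", "ts src_mac src_ip sport dst_ip dport flags")

def unsolicited_synacks(packets, window=5.0):
    """Return SYN,ACK packets with no matching SYN in the preceding `window` seconds."""
    pending = {}  # (client_ip, client_port, server_ip, server_port) -> SYN timestamp
    hits = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.flags == "S":
            pending[(p.src_ip, p.sport, p.dst_ip, p.dport)] = p.ts
        elif p.flags == "SA":
            # A genuine reply mirrors the 4-tuple of a SYN that left this interface.
            syn_ts = pending.get((p.dst_ip, p.dport, p.src_ip, p.sport))
            if syn_ts is None or p.ts - syn_ts > window:
                hits.append(p)
    return hits

def triage(packets, modem_mac, window=5.0):
    """Label each unsolicited SYN,ACK by whether its source MAC is our modem's."""
    out = []
    for p in unsolicited_synacks(packets, window):
        origin = "own-modem" if p.src_mac.lower() == modem_mac.lower() else "foreign-mac"
        out.append((p.src_ip, p.sport, p.dport, origin))
    return out

# Constructed sample data: documentation-range WAN IP, locally administered MACs.
WAN_IP = "198.51.100.23"
MODEM_MAC = "02:00:00:aa:bb:01"
FW_MAC = "02:00:00:cc:dd:01"
OTHER_MAC = "02:00:00:ee:ff:99"
SAMPLE = [
    Pkt(1.00, FW_MAC, WAN_IP, 50000, "192.168.100.1", 80, "S"),
    Pkt(1.01, MODEM_MAC, "192.168.100.1", 80, WAN_IP, 50000, "SA"),   # answered SYN
    Pkt(100.0, OTHER_MAC, "192.168.100.1", 80, WAN_IP, 41234, "SA"),  # no SYN seen
]

if __name__ == "__main__":
    for row in triage(SAMPLE, MODEM_MAC):
        print(row)
```

A "foreign-mac" result with no state for 192.168.100.1 in the state table matches the ISP-side noise explanation given in the thread.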