Strange connections to 1701, 4500 and 500, 2408 ports
-
So, I noticed something strange and ran a capture and this is the result. I am also seeing ARP requests for this IP address which is not even on my subnet.
I see a lot of traffic being generated to an IP, 162.159.192.4, on ports 1701, 4500, 2408 and 500.
Any idea what this could be? As it is certainly not traffic I am generating.
The address at 172.16.101.12 is my Laptop, running Ubuntu 22.04.
Attached is the capture.
Thanks!
-
@deanfourie well clearly it is traffic you're generating - your client is the source of the traffic.. That is a Cloudflare IP.
2408 is their old Railgun product port.. Not real clear on how it actually works, it is being deprecated though.. 4500 is ESP, and 500 is ISAKMP..
But all those are coming from your 172.16.101.12 IP..
Those ARPs are not from your laptop, but most likely your router? 172.16.101.1 is asking about that IP.. from a Sophos device.
You doing anything with WARP from cloudflare?
WARP UDP ports
WARP utilizes UDP for all of its communications. By default, the UDP port required for WARP is UDP 2408. WARP can fall back to UDP 500, UDP 1701, or UDP 4500.
Before you log in to your Zero Trust organization, you may see the IPv4 range 162.159.192.0/24. This IP is used for consumer WARP services (1.1.1.1 w/ WARP) and is not required for Zero Trust deployments.
-
@johnpoz Yea sorry just after I posted this I figured out it was WARP haha.
WARP was being blocked and obviously falling back to use IPsec etc.
I opened 2408 and away she goes, problem solved. Also, I've not had to open 2408 before because usually I am using WARP with zero trust, however this is not supported on Linux so now it is using 2408 which is new, hence the confusion.
Sorry my bad.
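As an added example (not code from the thread, from Cloudflare, or from the posters), the following Python script applies the port list and address range quoted from the WARP documentation to a set of constructed UDP flow records and reports, per client, whether WARP is running on its default port or has fallen back to 500/1701/4500. That fallback pattern, together with unanswered datagrams to 2408, is what deanfourie's capture showed when 2408 was being blocked. The addresses mirror the ones in the thread but the packet counts are made up; the range 162.159.192.0/24 and the port numbers come from the quoted documentation.

```python
"""Classify UDP flows toward Cloudflare WARP endpoints and flag port fallback.

Added example: the flow records below are constructed, not taken from the
original capture. Only the port numbers and the 162.159.192.0/24 range are
from the WARP documentation quoted in the thread.
"""
import ipaddress
from dataclasses import dataclass

WARP_CONSUMER_RANGE = ipaddress.ip_network("162.159.192.0/24")  # consumer WARP range
WARP_DEFAULT_PORT = 2408                                         # default WARP port
WARP_FALLBACK_PORTS = {500, 1701, 4500}                          # documented fallbacks


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    pkts_out: int  # datagrams from client to endpoint
    pkts_in: int   # datagrams from endpoint back to client


# Constructed sample modelled on the thread's addresses (not the poster's pcap).
# 2408 is sent to but never answered; the fallback ports carry a conversation.
SAMPLE_FLOWS = [
    Flow("172.16.101.12", "162.159.192.4", 2408, pkts_out=12, pkts_in=0),
    Flow("172.16.101.12", "162.159.192.4", 500, pkts_out=6, pkts_in=6),
    Flow("172.16.101.12", "162.159.192.4", 4500, pkts_out=40, pkts_in=38),
    Flow("172.16.101.12", "162.159.192.4", 1701, pkts_out=4, pkts_in=4),
    Flow("172.16.101.12", "1.1.1.1", 53, pkts_out=3, pkts_in=3),  # unrelated DNS
]


def classify(flow):
    """Return 'default', 'fallback', or None if the flow is not WARP-shaped."""
    if ipaddress.ip_address(flow.dst) not in WARP_CONSUMER_RANGE:
        return None
    if flow.dport == WARP_DEFAULT_PORT:
        return "default"
    if flow.dport in WARP_FALLBACK_PORTS:
        return "fallback"
    return None


def diagnose(flows):
    """Per source host: fallback ports used, and a verdict on the 2408 path."""
    hosts = {}
    for f in flows:
        kind = classify(f)
        if kind is None:
            continue
        h = hosts.setdefault(
            f.src, {"default_out": 0, "default_in": 0, "fallback_ports": set()}
        )
        if kind == "default":
            h["default_out"] += f.pkts_out
            h["default_in"] += f.pkts_in
        else:
            h["fallback_ports"].add(f.dport)

    verdicts = {}
    for src, h in hosts.items():
        if h["default_out"] and not h["default_in"] and h["fallback_ports"]:
            verdict = "udp/2408 unanswered and client fell back; check egress filtering for 2408"
        elif h["fallback_ports"] and not h["default_out"]:
            verdict = "only fallback ports seen; 2408 may be blocked before the capture point"
        elif h["default_in"]:
            verdict = "WARP answered on default port udp/2408"
        else:
            verdict = "WARP attempts seen but no answer on any port"
        verdicts[src] = {
            "fallback_ports": sorted(h["fallback_ports"]),
            "verdict": verdict,
        }
    return verdicts


if __name__ == "__main__":
    for src, result in diagnose(SAMPLE_FLOWS).items():
        print(src, result)
```

Feeding it real data means exporting per-flow packet counts in each direction (for example from a conversation summary of the pcap) into `Flow` records; the verdict distinguishes "2408 blocked on the way out" from "2408 never tried", which is the first thing to check before opening a firewall port.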