Kitz ADSL Broadband Information
Author Topic: Strange device in logs, should I be worried?  (Read 802 times)

johnson

  • Reg Member
  • ***
  • Posts: 642
Strange device in logs, should I be worried?
« on: January 13, 2019, 10:58:29 AM »

So I was aimlessly looking through logs on my router recently and found a device in the ARP table that should not be there; I would be interested to hear other people's opinion on it.

I have a fairly basic network with an x86 machine running OpenWrt as the router, a bridge mode VMG1312 or 8324 as a modem and an old TP-Link router as a WAP. The modem is connected to the router via a single cable and has the address 192.168.2.1, the router is 192.168.1.1 and all the other LAN and wireless clients are on this subnet. In order to access stats on the modem I have a “modem-management” interface defined in OpenWrt on the same physical port as the modem connects to with the IP 192.168.2.2 and this incantation given to iptables to allow access:

Code:
iptables -t nat -I POSTROUTING ! -s 192.168.1.1 -d 192.168.2.1 -j SNAT --to 192.168.2.2

This interface must then be added to the LAN firewall group for devices to be able to talk to the modem.

I had concerns about adding an interface on the same physical port as the WAN connection to the LAN firewall group, but with my limited knowledge of networking assumed that it didn't matter, as the PPPoE connection from the modem is dealt with by the router separately from the 192.168.2.x IP packets.

Looking at the ARP table on the router the other day showed a device with IP 192.168.2.12 and a MAC address beginning with 28:8A:1C. No devices other than the interface on the router or the modem should be in the 192.168.2.x subnet. No devices on the 192.168.1.x subnet are in that low range either. That MAC address is for a Juniper device, I own no Juniper equipment.

Any idea what this is? I guess spoofing the MAC of a manufacturer of ISP grade hardware would be something an intruder would do?

I rebooted the router and waited a few hours and the strange device did not reappear. Have now removed the modem-management interface and the iptables command… am I being paranoid?
Logged
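
Added example (not part of the original posts): a check for the situation described above, flagging any learned ARP entry on the modem-management subnet other than the modem at 192.168.2.1. It parses text in the /proc/net/arp format; the sample table, full MAC addresses and interface names (eth1, br-lan) are constructed for illustration, with only the 28:8A:1C prefix and the IP addresses taken from the post.

```sh
#!/bin/sh
# Audit ARP-table text (in /proc/net/arp format, read from stdin) for
# neighbours that should not exist on a given subnet.
# usage: audit_arp PREFIX ALLOWED_IP... < /proc/net/arp
#   PREFIX     dotted prefix including the trailing dot, e.g. "192.168.2."
#   ALLOWED_IP addresses that are expected on that subnet
audit_arp() {
    prefix="$1"; shift
    allowed=" $* "
    awk -v prefix="$prefix" -v allowed="$allowed" '
        NR == 1 { next }                     # skip the column header row
        index($1, prefix) != 1 { next }      # not in the audited subnet
        $3 == "0x0" { next }                 # incomplete entry, no MAC learned
        index(allowed, " " $1 " ") { next }  # expected host, ignore
        {
            # Report IP, MAC, interface and the vendor (OUI) prefix to look up
            printf "UNEXPECTED %s %s on %s (OUI %s)\n",
                   $1, tolower($4), $6, toupper(substr($4, 1, 8))
        }
    '
}

# Constructed sample table: one LAN client, the modem, the unknown device
# and one incomplete entry. Not captured from a real router.
sample_arp() {
cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.50     0x1         0x2         02:00:00:aa:bb:01     *        br-lan
192.168.2.1      0x1         0x2         02:00:00:aa:bb:02     *        eth1
192.168.2.12     0x1         0x2         28:8a:1c:00:00:01     *        eth1
192.168.2.77     0x1         0x0         00:00:00:00:00:00     *        eth1
EOF
}

# Only the modem is expected on 192.168.2.x (the router's own 192.168.2.2
# never appears in its own ARP table).
sample_arp | audit_arp 192.168.2. 192.168.2.1
```

On the router itself the same function can be fed the live table with `audit_arp 192.168.2. 192.168.2.1 < /proc/net/arp`, for instance from a cron job, so that a transient entry is recorded with a timestamp before a reboot clears it.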

d2d4j

  • Reg Member
  • ***
  • Posts: 846
Re: Strange device in logs, should I be worried?
« Reply #1 on: January 13, 2019, 11:42:46 AM »

Hi Johnson

Do you/have you used VPN at all during that time?

It’s just a thought as, if I understand correctly, you’re thinking intrusion from outside world either by WAN or LAN

Many thanks

John
Logged

johnson

  • Reg Member
  • ***
  • Posts: 642
Re: Strange device in logs, should I be worried?
« Reply #2 on: January 13, 2019, 12:15:23 PM »

Thanks for the reply. No, I have not used a VPN service or run a VPN server in the time that this ARP table existed.

I feel like I must be being paranoid, but I just can't fathom how such an entry would appear.
Logged

j0hn

  • Kitizen
  • ****
  • Posts: 2424
Re: Strange device in logs, should I be worried?
« Reply #3 on: January 13, 2019, 12:18:43 PM »

I wouldn't worry about it in the slightest.

Did you look up the MAC address?
It appears to be Juniper kit... if that jogs some memory.
Logged
Plusnet FTTC 80/20 -  ECI now Huawei cab
retx low @ 3dB target SNRM
Zyxel VMG1312-B10A bridged with 1508 MTU + Asus RT-AC68U running Asuswrt-Merlin

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 26376
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Strange device in logs, should I be worried?
« Reply #4 on: January 13, 2019, 04:17:11 PM »

I'll throw an idea "up into the air" and see if someone catches it or how it lands . . .

Could the Juniper device, found mentioned in the ARP table, be the ISP/CP device to which your PPP session is connected?  :-\ 

Puzzled.  ???
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


d2d4j

  • Reg Member
  • ***
  • Posts: 846
Re: Strange device in logs, should I be worried?
« Reply #5 on: January 13, 2019, 04:55:31 PM »

Hi bcat

I thought that at first when first reading the post, but excluded the thought as it would not, I think, be assigned the 192.168.2.12 IP address

Many thanks and sorry if I am wrong

John
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 4015
Re: Strange device in logs, should I be worried?
« Reply #6 on: January 13, 2019, 05:26:05 PM »

There have been times over the years that I have found a device I could not identify. Invariably, it has turned out to be harmless, just something I’d overlooked.

One thing that has helped to jog my memory is to blacklist the suspect MAC address, and see what stops working.

Beware that, by that tactic, it can take some time, days or more, to notice that something is not working. Which has then led me on a merry dance working out why it is not working, having forgotten I’d blacklisted the MAC. :D
Logged

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 26376
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Strange device in logs, should I be worried?
« Reply #7 on: January 13, 2019, 08:22:55 PM »

. . .  excluded the thought as it would not I think be assigned 192.168.2.12 IP address

Ah, yes. Very true. Thanks for giving it some consideration, John.
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


d2d4j

  • Reg Member
  • ***
  • Posts: 846
Re: Strange device in logs, should I be worried?
« Reply #8 on: January 13, 2019, 09:20:29 PM »

Hi

If there is a guest Wi-Fi, perhaps it attached to that.

It’s just a thought, but an external test to prove if the router is externally accessible might be prudent. However, unless you forged/spoofed your external IP or told your own software to use your PC IP, it would show the external IP address. Therefore it is expected that to have an internal range assigned, you would be connecting from the LAN side, which is why I asked over VPN and then thought of a guest Wi-Fi.

Sorry if I’m wrong as I do not know those routers

Did the DHCP list show the MAC/IP?

Many thanks

John
Logged

DiggerOfHoles

  • Member
  • **
  • Posts: 64
Re: Strange device in logs, should I be worried?
« Reply #9 on: May 08, 2019, 08:56:09 AM »

In Spain I look after a Telefonica fiber router 192.168.1.254 cabled to a Netgear Nighthawk?? router 192.168.1.33 WAN side.

Netgear controlling DNS, DHCP and wireless 192.168.20.1.

All computers, TV, radio etc. are assigned a .20.x IP.

So from a computer with IP 192.168.20.101 I type 192.168.1.254 and I'm in the Telefonica fiber router.

.20.x Netgear has only some static routes to 8.8.8.8. No firewall rules per se.

Apart from the odd double NAT issue this setup works fine.

I believe it works because the connection to the 'modem' is initiated behind firewall .20.x so by default is sent out over the WAN.

This out connection is noted by the firewall so as to allow the modem to reply. No non-standard rules required.



As for your mystery object, is it a device on the backhaul? With an IP address in a private range?

If your subnet mask on .2.x is misconfigured this can act like a large net, as in fishing, of subnets, possibly capturing and succeeding in assigning it an IP address of .2.x?

Not quite correct language but I hope you get my drift?
« Last Edit: May 08, 2019, 10:53:13 AM by DiggerOfHoles »
Logged