Strange device in logs, should I be worried?

johnson:
So I was aimlessly looking through logs on my router recently and found a device in the ARP table that should not be there; I would be interested to hear other people's opinions on it.

I have a fairly basic network with an x86 machine running openWRT as the router, a bridge mode VMG1312 or 8324 as a modem and an old TP-link router as a WAP. The modem is connected to the router via a single cable and has the address 192.168.2.1, the router is 192.168.1.1 and all the other lan and wireless clients are on this subnet. In order to access stats on the modem I have a “modem-management” interface defined in openWRT on the same physical port as the modem connects to with the IP 192.168.2.2 and this incantation given to iptables to allow access:


--- Code: ---
iptables -t nat -I POSTROUTING ! -s 192.168.1.1 -d 192.168.2.1 -j SNAT --to 192.168.2.2
--- End code ---

This interface must then be added to the LAN firewall group for devices to be able to talk to the modem.

I had concerns about adding an interface on the same physical port as the WAN connection to the LAN firewall group, but with my limited knowledge of networking I assumed that it didn't matter, as the PPPoE connection from the modem is dealt with by the router separately from the 192.168.2.x IP packets.

Looking at the ARP table on the router the other day showed a device with IP 192.168.2.12 and a MAC address beginning with 28:8A:1C. No devices other than the interface on the router or the modem should be in the 192.168.2.x subnet. No devices on the 192.168.1.x subnet are in that low range either. That MAC address is for a Juniper device, I own no Juniper equipment.

Any idea what this is? I guess spoofing the MAC of a manufacturer of ISP grade hardware would be something an intruder would do?

I rebooted the router and waited a few hours and the strange device did not reappear. Have now removed the modem-management interface and the iptables command… am I being paranoid?
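An added example, not part of the original post: one way to check the router's ARP table for entries on the modem-management subnet described above that are not expected there. The subnet and modem address come from the post; the function names, the `eth1` device name and the sample table (including the MAC suffixes) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list ARP entries on the modem-management
# subnet that are not expected there. Subnet and modem IP come from the post;
# function names, the eth1 device name and the sample table are constructed.

ALLOWED_IPS="192.168.2.1"   # only the modem should answer ARP on 192.168.2.0/24

# Reads /proc/net/arp-format text on stdin. Prints "ip mac dev status" for each
# 192.168.2.x entry not in ALLOWED_IPS. Flags 0x0 is an unresolved entry: the
# router asked for that IP but nothing answered, so no device proved it exists.
unexpected_arp() {
    awk -v allowed="$ALLOWED_IPS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "IP" { next }                 # header line
        $1 ~ /^192\.168\.2\.[0-9]+$/ && !($1 in ok) {
            status = ($3 == "0x0") ? "unresolved" : "resolved"
            print $1, tolower($4), $6, status
        }'
}

# Constructed sample in /proc/net/arp layout; MAC suffixes are made up.
sample_arp() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.23     0x1         0x2         02:00:00:aa:bb:01     *        br-lan
192.168.2.1      0x1         0x2         02:00:00:aa:bb:02     *        eth1
192.168.2.12     0x1         0x2         28:8A:1C:00:00:01     *        eth1
192.168.2.40     0x1         0x0         00:00:00:00:00:00     *        eth1
EOF
}

sample_arp | unexpected_arp
# On the router itself: unexpected_arp < /proc/net/arp
```

A "resolved" line means something on that link replied to ARP with the MAC shown, so the device name in the third column tells you which physical port to look at.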

d2d4j:
Hi Johnson

Do you/have you used a VPN at all during that time?

It's just a thought as, if I understand correctly, you're thinking of intrusion from the outside world, either by WAN or LAN.

Many thanks

John

johnson:
Thanks for the reply. No, I have not used a VPN service or run a VPN server in the time that this ARP table existed.

I feel like I must be being paranoid, but I just can't fathom how such an entry would appear.

j0hn:
I wouldn't worry about it in the slightest.

Did you look up the MAC address?
It appears to be Juniper kit... if that jogs some memory.

burakkucat:
I'll throw an idea "up into the air" and see if someone catches it or how it lands . . .

Could the Juniper device, found mentioned in the ARP table, be the ISP/CP device to which your PPP session is connected?  :-\ 

Puzzled.  ???
