Company Laptop showing IP address from another country

My brother has a work laptop, we are based in the UK, when he connects to the internet it shows an IP address from Nigeria !

This happens at home, I’m using an isolated vlan, it basically goes straight out the ISP, no pfblocker, no traffic shaping etc. The laptop is windows 10, most things are locked down. If I connect a machine to the same vlan, I get a UK IP address as expected.

When he goes into the office, he gets a UK IP address. The company gave another laptop with a new image deployed, but with the same result.

Any thoughts of how to investigate this, given I can’t modify anything on the laptop ?

is that an issue with your ISP? maybe I don’t understand the ‘isolated’ vlan.

At home: UK based ISP – pfsense – you

At work: UK based ISP – corporate fw – your brother

My brother is working from home (my home), connects to the internet via pfsense, on an islolated vlan (that is that vlan cannot see anything else on the network, goes straight out via the ISP). At this point the Nigerian IP comes up, he then initiates his work VPN to connect to his work network. Over the work VPN he still has a Nigerian IP address.

I doubt it’s the ISP (I did contact them just to see if they could see anything unusual, they saw nothing), as I can’t replicate this with another (linux) PC, I am reluctant to connect the work laptop to any other vlan on my network as you can imagine. I’m guessing the work infrastructure is compromised, hence the image to build the laptop is compromised.

I did a fresh install of pfSense 2.7 this morning just to rule out the router, and the same thing happened so it’s not the router.

let’s say your network is 10.0.0.0/24, the isolated vlan is 10 and another vlan is 20

brother (works from home) – 10.0.10.1 (isolated vlan) – vpn – work
(does the openVPN server at work provide a tunnel which is mistakenly tagged as nigerian ip?)

you at home – 10.0.20.1 (normal vlan) – internet
(all is well, no nigerian ip)

Is this the setup?

It’s not uncommon that public IPs are labeled incorrectly with the country they are from. I would assume that there is only one common public IP on your firewall/router so all systems would be using the same IP.

Does your brother’s work use a web proxy with an agent on the device? (Eg netskope) Have you tried checking the IP while using a mobile hotspot or another internet connection outside his work network?

@pavlos That’s basically it.

Bother’s setup more like:
Isolated vlan → ISP → company VPN
At the ISP stage he already has the Nigerian IP, then initiates the work VPN.

vlan_20 is correct, I have not connected my brothers laptop to this vlan but all other machines show expected IP wan address.

I’ve introduced another scenario, I’ve created another isolated vlan, vlan_30 but this exits via my AIR vpn gateway (on pfsense) not my ISP. In this case the work laptop picks up the expected IP address.

@FredFerrell yes I have only one dhcp IP address on the WAN side, it comes up as the UK for every other situation.

@mas actually we tried connecting to the internet tethered to a phone and it came up with the UK IP address. Though I suspect the phone is using IPv6, I’ve not tried on another network.

I just happened to put the IP address into shodan https://www.shodan.io/host/154.113.23.78 and saw this:

My brothers work uses zscaler for their VPN so I’m guessing this is the source of the issue, it’s obviously running on bootup, with no user rights to kill the process to test out the theory. Thanks for the hints.

That makes sense now. So he probably has a full tunnel back to them or at least his web traffic goes through them.