Unidentified Network Subnet

Hi,

With your guidance I am experimenting with pfsense and ntopng. Today I saw a strange IP address, 172.30.10.xx, which was not part of my network.

abhay@pop-os:~$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.77 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::9b56:83b:a6d4:830 prefixlen 64 scopeid 0x20
ether 00:50:56:b2:ca:67 txqueuelen 1000 (Ethernet)
RX packets 37837 bytes 7257793 (7.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21081 bytes 1583997 (1.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Further, when I ping there is a reply, so I ran nmap to see what else is there and got this:

abhay@pop-os:~$ nmap -sn 172.30.10.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-04 21:09 IST
Nmap scan report for 172.30.10.8
Host is up (0.0036s latency).
Nmap scan report for 172.30.10.11
Host is up (0.0038s latency).
Nmap scan report for 172.30.10.13
Host is up (0.067s latency).
Nmap scan report for 172.30.10.15
Host is up (0.0032s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.21 seconds

And when I ran traceroute I got this:

[Image: Capture2]

On traceroute of 172.30.10.13 it shows my ISP gateway. When I disconnect my WAN I cannot ping those IP addresses. I don't know what's happening or how to stop this. Please help.

Regards,
Abhay
Note: I could only upload 1 image, so I had to cut and paste the earlier one.

If it is on the other side of the WAN then it’s not a big deal, probably some private addressing used by your ISP.


Hi Tom,

Thanks for the reply, I guess that's an ISP private address. I was even able to get the web login page of maybe a switch (Huawei). Is it normal for an ISP to keep that open? Shall I point this out to them?

And I love watching your videos, they are very helpful to learn new things.

Regards,
Abhay


While it might be “Normal” it’s not a good idea on their part to leave their infrastructure exposed, but that is outside of your control.


I like to put these rules at the end of my LAN rules.

This one sends to the internet (via a gateway group) all the traffic from my users to non-private (public) addresses. In this case only the ports I want my users to use.

(Private addresses from RFC1918)
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

These two prevent leaking private addresses to the internet, which is why that address is responding to you.

Normally they don’t log, but I forgot to disable logging.
NOTE: In order to communicate with other subnetworks inside your local network, you have to provide a PASS rule to allow traffic to those other networks.

I hate when ISPs mix private addresses with public addresses.

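The rule ordering described in the post above, modelled as first-match evaluation; this is an added example, not part of the original thread and not the poster's actual rule set. The second internal subnet (192.168.2.0/24), the allowed-port list and the sample flows are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the post above.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumptions for this sketch: the LAN from the ifconfig output, one extra
# internal subnet, and a permitted-port list. None are the poster's values.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OTHER_LOCAL = [ipaddress.ip_network("192.168.2.0/24")]
ALLOWED_PORTS = {53, 80, 443}


def is_rfc1918(addr):
    """True if addr falls inside any RFC 1918 range."""
    return any(addr in net for net in RFC1918)


def evaluate(src, dst, dport):
    """Return (action, rule) for one LAN-side connection; first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in LAN_NET:
        return ("block", "not-from-lan")
    # Rule 1: explicit PASS to other internal subnets (the NOTE in the post).
    # Without it, the RFC 1918 block below would also cut off local routing.
    if any(d in net for net in OTHER_LOCAL):
        return ("pass", "to-local-subnets")
    # Rule 2: public destinations on the permitted ports leave via the WAN.
    if not is_rfc1918(d) and dport in ALLOWED_PORTS:
        return ("pass", "to-internet")
    # Rule 3: any remaining private destination is dropped before the WAN,
    # so ISP-side addresses such as 172.30.10.x are never reached.
    if is_rfc1918(d):
        return ("block", "rfc1918-leak")
    return ("block", "default-deny")


# Constructed sample flows: (source, destination, destination port).
FLOWS = [
    ("192.168.1.77", "172.30.10.13", 80),   # ISP-side private address
    ("192.168.1.77", "192.168.2.10", 445),  # other internal subnet
    ("192.168.1.77", "203.0.113.10", 443),  # public, permitted port
    ("192.168.1.77", "203.0.113.10", 23),   # public, port not permitted
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", evaluate(*flow))
```
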

Thank you for your further insight on this, I just started playing with pfsense not yet migrated to it. Right now I am on DD-WRT and will incorporate your inputs on my future pfsense.

But yes, it is sad to see an ISP mix things up like this, and it makes me wonder about their ability to secure their network. This is precisely why all home users should get something like pfsense to secure themselves. Thanks to Tom and the people at pfsense, and also friends like you, who help people like me with less knowledge also do something about securing our digital world.

Regards,
Abhay