Asus Router RT-AC1200 syslog

[71techie]

My questions are about how my Asus Router Syslog log reads.

First example:
3 Mac Addresses, I used the 1's for the 2nd Mac Address and 2's as the third Mac Address

ODD....ON MY NETWORK AS IF IT WAS MY DEVICE
Apr 17 18:24:44 kernel: ACCEPT IN=vlan2 OUT= MAC=ff:ff:ff:ff:ff:ff:11:11:11:11:11:11:22:22:22:22:22:28 SRC=3x.x.xx.1 DST=255.255.255.255 LEN=352 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=332

I would like to know if this is a normal Asus Router RT-AC1200 syslog output? The Mac is the ff:ff:ff:ff:ff:ff=255.255.255.255, right? And the SRC=Public IP why is that broadcasting on my network? This is not a Public IP of mine. It apparently is some type of Microsoft Azure IP.

Second example:

ODD....ON MY NETWORK AS IF IT WAS MY DEVICE
LAST MAC :22:22:22:22:22:7b
Apr 17 17:55:52 kernel: ACCEPT IN=vlan2 OUT= MAC=ff:ff:ff:ff:ff:ff:11:11:11:11:11:11:22:22:22:22:22:7b SRC=xx.xx.xxx.1 DST=255.255.255.255 LEN=379 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=359

I would like to know why the SRC=xx.xx.xxx.1 is an ISP customer and are they broadcasting on my network? This not my Public IP Address?

Third example and question:
SRC= Some Public IP Address
DST= My Public IP Address
LAST MAC 22:22:22:22:22:28
Apr 17 17:55:04 kernel: DROP IN=vlan2 OUT= MAC=2c:XX:XX:XX:XX:XX:11:11:11:11:11:1122:22:22:22:22:28 SRC=XX:XX:XX:XX:XX DST=XX:XX:XX:XX:XX LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=65152 PROTO=TCP SPT=56874 DPT=43744 SEQ=2253114375 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0

This is what I get a lot of in the syslogs. and the 3rd Mac Addresses is usually the same Mac Addr ending in :28, however there are different ones same Mac with the last hex, byte different.

Also, I have two MAC Addresses on my Asus Router. The LAN MAC is the same as the 2.4 GHZ wireless. And the 5.0GHZ wireless is for that only. In the syslogs, I always see the LAN/2.4GHZ MAC Address (2c:XX:XX:XX:XX:XX), and not the 5.0GHZ ever.

A little about my Asus router. I was told that I have a raspi on my Asus router firmware, and that it has two partitions. There is a connection to my network from someone else. They hide a port forwarding on my router and put vlans and a bro on it, along with a 2nd Public IP address.

Destination Gateway Genmask Flags Metric Ref Use Type Iface
xx.xxx.xx2.1 * 255.255.255.255 UH 0 0 0 WAN vlan2
192.168.50.0 * 255.255.255.0 U 0 0 0 LAN br0
xx.xxx.xx2.0 * 255.255.252.0 U 0 0 0 WAN vlan2
default xx.xxx.xx2.1 0.0.0.0 UG 0 0 0 WAN vlan2


Now my Public IP Address is different., xx.xxx.xx3.xxx

And there is a Port Forward to 192.168.1.1

But, there is not entries for this. As in where you would add the port forwarding at there is nothing there and NAT is all Disabled.

Thank you so very much,

71techie

Again, my Public IP Address is xx.xxx.xx3.xxx, and usually is more different then this. And my Public IP Address changed 5 times last week. My iPhone cell address mac address keeps changing with kicks me off the DHCP server on here.
Thank you,
71techie

 

[ColinTaylor]

It is difficult to follow what you're saying. Some of your sentences don't make much sense so for some things I'm going to have to guess what you're asking.

The first two output examples look like normal DHCP activity on your ISP's local network.

The third example looks like normal port scanning activity from the internet.

The routing table is correct and normal.

A little about my Asus router. I was told that I have a raspi on my Asus router firmware, and that it has two partitions. There is a connection to my network from someone else. They hide a port forwarding on my router and put vlans and a bro on it, along with a 2nd Public IP address.

Sorry, this doesn't make any sense. You'll have to explain exactly what you mean.

 

[71techie]

It is difficult to follow what you're saying. Some of your sentences don't make much sense so for some things I'm going to have to guess what you're asking.

The first two output examples look like normal DHCP activity on your ISP's local network.

The third example looks like normal port scanning activity from the internet.

The routing table is correct and normal.


Sorry, this doesn't make any sense. You'll have to explain exactly what you mean.

First Example:
My question here on the first example. Why are there three mac addresses in a role?

In the first example does the ff:ff:ff:ff:ff:ff have anything to do with 255.255.255.255? It would make sense to me if it did.

What is the SRC: 3x.x.xx.1 doing with a Broadcast address?

2nd Example: The SRC: address has the same ISP as mine. Why would this SRC: address be broadcasting on my network if that is what it is doing?

In my Asus syslog. There are 3 Mac Address. Two stay the same unless there is a broadcast. The third Mac Address usually has the same Mac Address. But, there is about 10 other MAC addresses all with the first 5 hex/bytes and the last one is different. What is happening here.
22:22:22:22:22 and about 10 different ones like this 22:22:22:22:22:b7. Ten different times the last number changes and everything else stays the same.

I would like to know you would think that my I should have 3 Public IP Addresses. The one I use, then xxx.xxx.xx2.1 and xxx.xxx.xx2.0, I could understand this if I had Virtual/Port Forwarding configured but I do not. And there is no entry in this area on my Asus router.

In Advance IP/Port Scanner, 192.168.1.1 is active on my network with Asus WanDuck Wan Monitor.

My Private IP is different 192.168.50.1 and the Gateway is 192.168.50.0 which is being accessed as a bridge. How would this get configure? How can I find more information about the 2 excessive Public IP Address on my network?

Next question, the Asus syslog. Has 3 mac addresses. All of the DST is my Public IP Address except for the Broadcast ones. In the first Mac Address of the three, is the LAN and 2.4 GHZ Wireless MAC Address. It is Shared, why? My 5.0 GHZ Mac Address does not show traffic in the Asus syslog, why is that?

Thank you
71techie

 

[ColinTaylor]

ff:ff:ff:ff:ff:ff is the layer 2 broadcast address. 255.255.255.255 is the layer 3 broadcast address. Both are used for DHCP discovery.

If you want any more information on the MAC addresses you will have to post the unedited output with only your pubic IP address redacted. It is impossible to understand what you're asking otherwise.

I would like to know you would think that my I should have 3 Public IP Addresses. The one I use, then xxx.xxx.xx2.1 and xxx.xxx.xx2.0, I could understand this if I had Virtual/Port Forwarding configured but I do not. And there is no entry in this area on my Asus router.

You don't have 3 public IP addresses. xx2.1 is your ISP gateway address and xx2.0 is your ISP network address.

Next question, the Asus syslog. Has 3 mac addresses. All of the DST is my Public IP Address except for the Broadcast ones. In the first Mac Address of the three, is the LAN and 2.4 GHZ Wireless MAC Address. It is Shared, why? My 5.0 GHZ Mac Address does not show traffic in the Asus syslog, why is that?

This is normal for Asus routers. It's strange, but normal.

 

[71techie]

It is difficult to follow what you're saying. Some of your sentences don't make much sense so for some things I'm going to have to guess what you're asking.

The first two output examples look like normal DHCP activity on your ISP's local network.

The third example looks like normal port scanning activity from the internet.

The routing table is correct and normal.


Sorry, this doesn't make any sense. You'll have to explain exactly what you mean.

I've attached a screenshot of what the Three Mac Addresses on my Asus Router Syslogs is happening. This is similar or the same of what should have uploaded in the first place. Also there is a Public IP Addresses that is not my Public IP Address is accessing a Broadcasting DST. 255.255.255.255 I do not have anything configured on my router to to be doing this. There are quite a few of these Public IP Addresses and I was wondering what is happening.

Thank you,

 

[ColinTaylor]

You've redacted or obscured so much of the information it's difficult to guess what you're talking about.

I've attached a screenshot of what the Three Mac Addresses on my Asus Router Syslogs is happening.

What 3 MAC addresses? You've obscured all the MAC addresses. Do you mean IP addresses? If so, that is normal port scanning from the internet.

Also there is a Public IP Addresses that is not my Public IP Address is accessing a Broadcasting DST. 255.255.255.255

That is broadcast traffic on your ISP's local network, probably from their DHCP server.

 

[drinkingbird]

Why are there three Mac Addresses in Asus Router Syslog in a role? Why is one Public IP addresses accessing a Broadcast Addresses?

Thank you,

Not really understanding your question - what role?

Is the public IP the default gateway of your ISP? If so, seeing broadcast to/from it is normal.

There really isn't a need to hide your MAC addresses. Not much anyone could do with them outside of your LAN.

Your Asus router has many MAC addresses, one for each physical port, one for each bridge interface, one for each VLAN interface, etc.

 

[drinkingbird]

I've attached a screenshot of what the Three Mac Addresses on my Asus Router Syslogs is happening. This is similar or the same of what should have uploaded in the first place. Also there is a Public IP Addresses that is not my Public IP Address is accessing a Broadcasting DST. 255.255.255.255 I do not have anything configured on my router to to be doing this. There are quite a few of these Public IP Addresses and I was wondering what is happening.

Thank you,

What is happening is that you've taken a packet capture, aren't understanding what you're seeing and are freaking out about it unnecessarily.

 

[ColinTaylor]

I've attached a screenshot of what the Three Mac Addresses on my Asus Router Syslogs is happening.

OK. I've finally worked out what you were trying to say. This would have been so much easier if you hadn't redacted so much information.

There are not three MAC addresses there are two.

The first MAC address 2c:4d:xx:xx:xx is your router's WAN interface.
The second MAC address 00:01:5c:xx:xx:xx is your cable modem.
08:00 is the EtherType for IPv4.
45:xx:xx:xx is beginning of the payload data. ***


*** These 4 bytes are an artefact of the way iptables' logging works for VLAN interfaces. They are not present for non-VLAN interfaces. For a VLAN interface like the OP has (vlan2) the header originally contained an additional 4 bytes for the 802.1Q tag in front of the EtherType. These 4 bytes were stripped out before the packet was logged by iptables, but the length of Ethernet frame header was not adjusted. Consequently the log incorrectly displays an additional 4 bytes (mostly 45:00:00:28) which are the beginning of the payload data.