Can someone comb through my router logs?

Rankdropper84

Regular Contributor
Long story short, I noticed there was the IP address of .136 that was forwarding a port I had never heard of, and right when I figured that out I went to the WAN tab and disabled UPnP. I usually disable UPnP and just forward the ports I need, but for some reason I decided to leave it on this time. Right after I turned off UPnP the network started, for lack of a better word, half loading things until I was getting no response at all from webpages. All I have from it is a picture of the port and IP address that was being used and the syslog I saved. Just curious if anyone has any insight into what happened. I think I might know what happened but would like a second opinion. Thanks.
 

Attachments

  • syslog.txt
  • Crash and Burn.png
The IP address .136 is a local address; that means it's a device or computer on your local network.
Please check in System Log > DHCP Leases to find out which machine has this address.
 
I understand that. The thing is, no device has that IP address on my network. Kind of weird, but I knew that right when I saw it since this router seems to always assign the same IP address to the same clients. I can no longer check since as soon as I disabled UPnP I lost networking. Tried two router reboots and still nothing. Also unplugged my modem long enough for it to get a new IP address. Almost get the feeling like I might have been MITM attacked and was hoping someone could weigh in on their thoughts.
 
Something is accessing your LAN if it's able to allocate itself an IP through UPNP. Could be an unsecured wifi, a virtual machine running on one of your computers, or a device that obtains two different leases (I've heard of some weird gadgets that will do that).

One thing that will help track it down is to determine the MAC address of that client. Connect over SSH, then run the following command to get the list of DHCP leases with their corresponding MACs:

Code:
cat /var/lib/misc/dnsmasq.leases

The following command might also help if the client isn't using a DHCP lease:

Code:
cat /proc/net/arp

Once you have the MAC, do an OUI lookup online to determine the manufacturer of that MAC's network interface.
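
The lookup described in the reply above, as an added example that is not part of the original post: a POSIX sh function that pulls the MAC for one IP from both files and flags locally administered (randomized or software-assigned) MACs, for which an OUI lookup will not name a manufacturer. The address 192.168.1.136, the MACs and the sample files are constructed, and `find_mac` and `demo` are hypothetical names.

```shell
#!/bin/sh
# find_mac IP [LEASES_FILE] [ARP_FILE]   (hypothetical helper, added example)
# Prints "<source> <MAC> <OUI> <kind>" for every record matching IP.
find_mac() {
    ip=$1
    leases=${2:-/var/lib/misc/dnsmasq.leases}
    arp=${3:-/proc/net/arp}
    {
        # dnsmasq.leases fields: expiry, MAC, IP, hostname, client-id
        [ -r "$leases" ] && awk -v ip="$ip" '$3 == ip { print "lease", $2 }' "$leases"
        # /proc/net/arp: one header row, then IP, HW type, flags, MAC, mask, device.
        # Flags 0x0 marks an incomplete entry that carries no usable MAC.
        [ -r "$arp" ] && awk -v ip="$ip" \
            'NR > 1 && $1 == ip && $3 != "0x0" { print "arp", $4 }' "$arp"
    } | awk '{
        mac = toupper($2)
        oui = substr(mac, 1, 8)   # first three octets, the part an OUI lookup uses
        # Second hex digit 2, 6, A or E means the locally administered bit is set:
        # the address was assigned in software, so no vendor is registered for it.
        kind = index("26AE", substr(mac, 2, 1)) ? "locally-administered" : "vendor-oui"
        print $1, mac, oui, kind
    }'
}

# Constructed sample files (not taken from the syslog attached to the thread).
demo() {
    d=$(mktemp -d)
    cat > "$d/leases" <<'EOF'
1700000000 00:11:22:33:44:55 192.168.1.20 laptop 01:00:11:22:33:44:55
1700000300 a6:5e:60:aa:bb:cc 192.168.1.136 * *
EOF
    cat > "$d/arp" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.20     0x1         0x2         00:11:22:33:44:55     *        br0
192.168.1.136    0x1         0x2         a6:5e:60:aa:bb:cc     *        br0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        br0
EOF
    find_mac "$1" "$d/leases" "$d/arp"
    rm -rf "$d"
}

demo 192.168.1.136
```

On the router itself, call `find_mac` with only the IP so it reads the two default paths; a result that shows up under `arp` but not under `lease` means the client did not get its address from dnsmasq.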
 

My fault for not replying till now. I ended up resetting the router the night it happened (my girl was complaining about no internet). Really wish I had more time then to wireshark my network and use that OUI lookup, which by the way is awesome! I bookmarked that OUI lookup site and saved those SSH commands in a text file. Thanks again.
 
I don't even see an entry for the .136 IP in there.

This prompted me to check my netstat and iptables rules, and I noticed I have a similar port mapped, 55915.

I checked the startup entries on this laptop and it could be the AmazonMusic helper (just deleted that, don't need it), iCloud, Dropbox, Evernote.

Not sure if any of those use upnp.

That is really odd that when you turned it off you lost all the networking though.
 
