Router accepting UDP connections on port 68

[dsk]

Hi everyone, I'm hoping someone here might be able to help me understand some messages I'm seeing in my routers logs.

I'm running Asus-wrt and have been having a few internet issues recently so I turned on the logging in System Administration.

Question 1:
I see a lot of messages about connections being dropped (I'm not sure if this is a normal thing or not, but there seems to be a dropped connection every couple of seconds), is this normal? Here are a couple of snippets from the log, it's from a mix of source IPs and there are a mix of UDP and TCP connections being dropped:

Mar 6 10:44:29 kernel: DROP IN=eth0 OUT= MAC=** SRC=45.93.201.131 DST=** LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=7481 PROTO=TCP SPT=40593 DPT=33914 SEQ=3675199252 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 6 10:45:20 kernel: DROP IN=eth0 OUT= MAC=** SRC=195.54.161.151 DST=** LEN=40 TOS=0x00 PREC=0x20 TTL=244 ID=61218 PROTO=TCP SPT=41041 DPT=43422 SEQ=2451425515 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 6 10:45:22 kernel: DROP IN=eth0 OUT= MAC=** SRC=94.232.46.25 DST=** LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=29784 PROTO=TCP SPT=48753 DPT=3402 SEQ=1567946565 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 6 10:45:25 kernel: DROP IN=eth0 OUT= MAC=** SRC=89.248.165.166 DST=** LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=49833 PROTO=TCP SPT=46518 DPT=619 SEQ=3956362901 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 6 10:47:35 kernel: DROP IN=eth0 OUT= MAC=** SRC=139.99.6.195 DST=** LEN=53 TOS=0x00 PREC=0x00 TTL=239 ID=15601 PROTO=UDP SPT=30120 DPT=27015 LEN=33
Mar 6 10:47:37 kernel: DROP IN=eth0 OUT= MAC=** SRC=139.99.6.195 DST=** LEN=53 TOS=0x00 PREC=0x00 TTL=239 ID=20008 PROTO=UDP SPT=30120 DPT=27015 LEN=33
Mar 6 10:47:37 kernel: DROP IN=eth0 OUT= MAC=** SRC=139.99.6.195 DST=** LEN=53 TOS=0x00 PREC=0x00 TTL=239 ID=7747 PROTO=UDP SPT=30120 DPT=27015 LEN=33

Question 2:
The messages I'm a little more worried about are these ones, I believe the source 10.xxxx address means it is within my network but none of my internal IPs start like that, so I don't really know what these are. Should I be creating some sort of rule on my router to drop connections coming to port 68?

Mar 6 10:27:01 kernel: ACCEPT IN=eth0 OUT= MAC=** SRC=10.53.35.97 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=59695 PROTO=UDP SPT=67 DPT=68 LEN=308
Mar 6 10:27:06 kernel: ACCEPT IN=eth0 OUT= MAC=** SRC=10.53.35.97 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=59707 PROTO=UDP SPT=67 DPT=68 LEN=308
Mar 6 10:27:08 kernel: ACCEPT IN=eth0 OUT= MAC=** SRC=10.53.35.97 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=59720 PROTO=UDP SPT=67 DPT=68 LEN=308
Mar 6 10:27:09 kernel: ACCEPT IN=eth0 OUT= MAC=** SRC=10.53.35.97 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=59726 PROTO=UDP SPT=67 DPT=68 LEN=308

If anyone can help or point me to places to find out more, it would be greatly appreciated.

Thanks

 

[dave14305]

I see a lot of messages about connections being dropped (I'm not sure if this is a normal thing or not, but there seems to be a dropped connection every couple of seconds), is this normal?

Yes, it’s very normal. That’s the internet knocking on your front door. Don’t let them in.

The messages I'm a little more worried about are these ones, I believe the source 10.xxxx address means it is within my network but none of my internal IPs start like that, so I don't really know what these are. Should I be creating some sort of rule on my router to drop connections coming to port 68?

These should be DHCP requests/renewals from your ISP, and are allowed through the firewall. See if you can validate the IP shown belongs in your ISP network.

 

[dsk]

Thanks @dave14305, good to know that it is normal and not me be picked on

I had did a few tracert and that 10.53.35.97 IP always seems to be the hop after my gateway so guessing it is the modem.
I feel a lot better knowing that it isn't external sources getting in to the network

 

[reerden]

10.53.35.97 is a local IP and port 68 is used for DHCP traffic. It's destination address indicates this is a broadcast.

It sounds like your ISP modem is in router mode and it's broadcasting DHCP requests. Check your WAN IP address and if it is a 10.x.x.x address. If it is, you may need to set the ISP modem to bridge mode. Having double NAT translation like this can result in connection issues.

 

[dsk]

Hi @reerden, my ISP router is in modem mode and the WAN displayed on my Asus router is my external / public IP. So I've been assuming that the modem is the one with the 10.x.x.x address. Not really sure how modem mode works, but the modem is is connected to my router's WAN port, so I guess it must need an IP for the router to talk to it? (This is all purely guess work from me)