What's new

Routing past 2Wire DSL Gateway

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Oscar

New Around Here
Question about routing and security risks on our church computer network.

The network is shown on the attached jpeg file. It consists of-

A Windows 2003 server with two NIC cards running NAT. The private subnet for all the church computers is 192.168.0.x.

The Wan port on the server is connected to a 2Wire DSL modem/router which is connected to a ATT DSL line (the DSL line happens to be a static IP account). The WAN port of the server receives a static IP from the DSL connection.

While on the 192.168.0.x subnet if I do a security scan using the NMAP command

nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.1.1

I get what seem to be multiple hosts responding. These hosts seem to be on the other side of the 2Wire DSL Modem in the ATT private network.

My question is whether this is normal and if I should be taking additional precautions to make sure this routing path does not exist. A colleague at the church is convinced the server must be set up incorrectly since it should not pass on any requests to private IPs outside 192.168.111.x. In other words a traceroute to 192.168.1.1 should not be routed out the WAN NIC on the server and then on out past the 2Wire Modem/Router.

I can provide more information if needed. Sorry if my question is not clear.

Best regards,

Oscar
 

Attachments

  • Slide1.jpg
    Slide1.jpg
    30.7 KB · Views: 304
Last edited:
I'm not sure how 192.168.111.x fits in. Is the modem-facing server interface really on the 111 subnet but mapped to a static IP by the modem/router?

I'd run a traceroute on one of the 192.168.1.x IPs to get an idea of where they are.

Your routing is probably set up like:
Server uses modem-facing server interface as gateway of last resort;
modem uses ISP gateway;
ISP router provides connectivity to 192.168.1.x for whatever reason.

Since your server's route table is almost certainly "any network not 0.x LAN-->send through the modem-facing interface," 192.168.1.x connectivity is due to your ISP and not server misconfiguration.
 
Hi Jdabbs,

To answer your comments

The modem facing server interface gets an actual public IP from the modem/router. This is based on doing an Ipconfig /all on the actual server and seeing what IP is assigned to the modem facing interface. Apparently the 2Wire modem does something a little differently from a 1 to 1 NAT technique used in many other gateways when dealing with static Public IPs.

When running a traceroute on one of the 192.168.1.x IPs to get an idea of where they are... they are always on the Public side of the DSL modem/router.

Your routing description in regards to paths of last resort is what I also imagined is going on. The ISP router is probably the culprit as you describe. However, what I don't understand is whether this is good or bad or indifferent in regards to security of the internal network. Should I be trying to restrict these types of paths?

This entire exercise started when we started having a strange problem where one computer on the internal network was getting an IP from a server that did not exist on our internal network. This "non-existent" DHCP server was at 192.168.1.1 and was NAS box which had DHCP turned on. I used the NAS default ID and Password to log on and turn DHCP off and have not seen this NAS box or the IP problem again. I have also not been able to log on to the 192.168.1.1 NAS box again. After a lot of hunting around on our premises, I am convinced the 192.168.1.1 NAS box was on the public side of the DSL modem/router. I KNOW... THIS SOUNDS REALLY STRANGE AND IS VERY DIFFICULT TO BELIEVE. I am not sure how this could ever happen. Means the DHCP request got routed past all those NAT interfaces.

Best regards,

Oscar
 
Exposure to private networks:
I wouldn't worry about it, considering that the same potential for harm can occur with someone with a public IP. If you were running your own router you should take note that your ISP's routers are probably accepting routing advertisements regardless of source, and avoid sending yours out. I wouldn't take any more precautions than are necessary for an exposed server.

DHCP from 192.168.1.1:
I'd look into alternate explanations.
The system have a wireless client? (stumbled onto a nearby network)
Your modem have an integrated AP? (someone bridged the network to leech your connection)
Cabling misrouted? (server bypassed, modem<>switch link, etc) If you inherited a mess, you may not be able to account for every cable.

If you do have local connectivity to the NAS, you wouldn't be able to communicate with it unless your client is in the same subnet.
 
Sorry for this question

Hi Jdabbs,

I understand most of what you are saying.... especially the latter comments about DHCP from 192.168.1.1. I have already checked several of those issues out and have eliminated. The cable bypassed issue is interesting since I did inherit a mess where cables and routing are not labeled and it is unclear where some of them go...(not invested time to figure out yet). Will have to do that soon.

In regards to your comment about
"ISP's routers are probably accepting routing advertisements regardless of source, and avoid sending yours out".

I am sorry but I don't understand because of my poor knowledge in this area. Does not sending my routing advertisements out, involve turning RIP protocols off? Is it something else? I assume I would do this on the Windows Servers NAT setup.

If you can provide any direction or comments it would be appreciated. Your help thus far is greatly appreciated.

I will spend some time this morning doing some google research this morning.

Best regards,

Oscar
 
Hi Jdabbs,
In regards to your comment about
"ISP's routers are probably accepting routing advertisements regardless of source, and avoid sending yours out".

I am sorry but I don't understand because of my poor knowledge in this area. Does not sending my routing advertisements out, involve turning RIP protocols off? Is it something else? I assume I would do this on the Windows Servers NAT setup.

Sorry to add to the confusion, the sentence started with "If you were running your own router you should take note that your ISP's routers are probably accepting routing advertisements regardless of source..." If this was the case you'd just not send advertisements out that interface, or (as you suggested) disable routing if you didn't need it. This shouldn't be necessary with your server unless you are running a routing protocol (unlikely). It's an oversight on the ISP's part which can lead to customers interfering with each other; in such a case the least you could do is not add to the problem.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top