strange traffic out the WAN port of Mesh system

[Michael3421]

System is Asus mesh ZenWiFi AX XT8 AX6600
Firmware is version 3.0.0.4.388_23285

The Asus is not directly connected to the Internet. While setting up and testing, its WAN port is connected to a LAN port of my existing router. This lets me monitor was the Asus mesh system is doing.

The Asus system is showing strange traffic leaving its WAN port. The local network of the Asus system is the default 192.168.50.x. There are packets leaving the WAN port with a destination in the 192.168.50.x subnet

When the existing router logged this, there was no client connected to the Asus mesh system, so the traffic is coming from Asus. My research showed that the target IP, 192.168.50.76 is that of the Satellite device. There are no Guest networks configured.

The packets were sent with TCP to port 7788. Here is a log entry for one such transmission

SRC=192.168.1.101 DST=192.168.50.76 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=57195 DF
PROTO=TCP SPT=53303 DPT=7788 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x2

Seems like a bug.

 

[ColinTaylor]

Port 7788 is the cfg_server which is what AiMesh nodes use to discover or talk to each other.

I'm slightly confused about your network topology because your log entry says that this is traffic coming into the WAN interface (assuming the WAN address is 192.168.1.x), not out of it. A device at 192.168.1.101 is trying to talk to 192.168.50.76.

 

[Michael3421]

If this is used to discover other Mesh nodes, then sending the traffic out the WAN port seems like a bug. Not a brutal one, admittedly. Its interesting that the Asus mobile app needs Bluetooth to find the Asus hardware, a totally different approach.

Sorry about any confusion in the log entry. The device at 192.168.1.101 is the WAN port of the Asus mesh base station. It is being viewed from the "outside" router which is configured to log any private IPs trying to leave its WAN port.

 

[ColinTaylor]

Sorry about any confusion in the log entry. The device at 192.168.1.101 is the WAN port of the Asus mesh base station. It is being viewed from the "outside" router which is configured to log any private IPs trying to leave its WAN port.

Sorry, I still don't get it.

You have your "main" LAN as 192.168.1.x with an unspecified router connected to the internet.

Your Asus mesh base station (in router mode) has it's WAN interface connected to your main LAN with an IP address of 192.168.1.101. The Asus' LAN is 192.168.50.x.

I can't think how your Asus router could be sending unicast traffic for one of its LAN devices (192.168.50.76) out of its WAN port. That's not possible if the Asus is configured as a router (a router doesn't route local traffic).

The only thing I can think of is if the Asus was configured as an access point instead of a router, or the Asus was connected to your main LAN by its LAN port instead of the WAN port. But even then the traffic would be coming from a 192.168.50.x address rather than 192.168.1.101.

It's all very strange.

Is it sending this traffic all the time? Or does it only happen when the Asus router is booting up and trying to detect other nodes?

 

[Michael3421]

Yes, the router directly connected to the Internet has a LAN using the 192.168.1.x subnet.
Yes, the Asus mesh system is in Router mode.

This directly connected router supports firewall rules and one of the rules that I configured is to block and log private IP addresses trying to leave the WAN port. The only legit use of this that I am aware of is if you want to talk to your modem.

Since Asus does not offer this type of logging functionality, it may often send private IP traffic out to the WAN. Asus owners would not know. I have seen iPads do this quite often.

As for timing, every now and then a clump of 3 or 4 packets leave the WAN port targeted to the private IP of the Satellite (port 7788 which is Asus).