Very Strange WAN Login Entry…WAN Routing 192.168.1.20??? HUH?

SkierInAvon

Occasional Visitor
Asus Merlin configured LAN subnet: 10.0.5.xxx/24

Asus Merlin configured WAN: DHCP from ISP Publicly routable 50.231.190.60

Strange Asus/Merlin Log Entry: Jan 9 06:27:34 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:60:22:32:39:5d:7d:08:00 SRC=192.168.1.20 DST=255.255.255.255 LEN=220 TOS=0x00 PREC=0x00 TTL=64 ID=28506 DF PROTO=UDP SPT=41909 DPT=10001 LEN=200

HUH? 192.168.1.20 ???

I have no VLANs configured. My LAN is a Network 10 entry. We all know that 192.168.1.xxx is not a publicly routable subnet…

So, how is this (WAN?) log entry even possible?

Hacker? Sending UDP packets to the Broadcast Address: 255.255.255.255

Meanwhile I use a Bash Script in the Asus Merlin jffs/scripts directory that loads at boot time and DROPS incoming packets from 192.168.1.20 and the log now shows those packets from 192.168.1.20 as being DROPPED.

Anyone know why/how a log entry of 192.168.1.20 is even possible?

Thanks!
 
An old connection from a mapped drive?
Another device on your network?
As you say, it's a local address so it has to be something inside your network.
Is that the actual log entry? i.e. no MAC address listed? Looks like a generic ping.

Turn off your devices, then turn them on one at a time to see when it starts.
 
It may help provide context if you post up your router model and firmware version.
Are you running any addon scripts?
Have you enabled Guest Network?
Is AiMesh enabled/being used?
 
Thank you for helping. Below is a look see at the current ARP cache of my Asus Merlin...

admin@RT-AC3100-4338:/# arp -a
? (50.231.190.53) at d0:21:f9:65:9c:25 [ether] on eth0
? (50.231.190.52) at 9c:05:d6:5c:c3:f2 [ether] on eth0
? (10.0.253.3) at dc:a6:32:ec:f6:90 [ether] on br0
? (10.0.253.4) at e0:be:03:68:91:8b [ether] on br0
gi-0-0-0-1-3953-ssag02.comcast.net (50.231.190.48) at bc:2c:e6:04:78:14 [ether] on eth0
admin@RT-AC3100-4338:/#

Also included is a JPG screen shot of the actual log file from the Asus Merlin...my entry in my original post (above) is the same.
Further, the Bash Script I'm running drops packets from ONLY THE WAN interface...
Now the log file does show that the WAN packets from 192.168.1.20 are indeed being dropped now (I updated the script)

Still can't figure out how/why the WAN interface is reporting a connection request from 192.168.1.20
We both know the Internet does NOT route 192.168.1.xxx

Really strange...OBTW the Asus WiFi interface is turned off...no radio signals, either...

Thanks for helping.
 

Attachment: Log-File-9JAN2025.JPG
Something on your local network with a manual IP address? I guess your local network is not 192.168.1.xxx?
 
It’s not unheard of for bad guys scanning the internet to spoof the source address. Port 10001/udp can be used by Ubiquiti for management purposes. Someone may be scanning for a vulnerable device.

The firewall should DROP such unsolicited connections by default, so I’m not sure what extra rule you’ve created.

I find it odd that you see 3 public IPs on the WAN interface arp output, but none of them look like a gateway IP. All I see on my Comcast connection is my default gateway IP on eth0. Might not be a problem, but looks different than my own setup.
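One way to triage entries like the one in the first post automatically, as an added example that is not from the thread or from Asus-Merlin: a small Python parser for the kernel DROP line format shown above that tags an RFC1918 source arriving on the WAN interface, a limited-broadcast destination, UDP/10001, and a TTL of 64 that suggests the sender was never routed and so sits on the WAN port's own L2 segment. The WAN interface name eth0 is taken from the thread; the second and third sample lines are constructed contrasts.

```python
import ipaddress
import re

# Constructed sample lines in the Asus-Merlin kernel LOG format from the thread: the
# first is the original post's entry, the other two are made-up contrasts.
SAMPLE_LOG = [
    "Jan 9 06:27:34 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:60:22:32:39:5d:7d:08:00 "
    "SRC=192.168.1.20 DST=255.255.255.255 LEN=220 TOS=0x00 PREC=0x00 TTL=64 ID=28506 DF "
    "PROTO=UDP SPT=41909 DPT=10001 LEN=200",
    "Jan 9 06:31:10 kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:bc:2c:e6:04:78:14:08:00 "
    "SRC=198.51.100.9 DST=50.231.190.60 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=7 DF "
    "PROTO=TCP SPT=40123 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jan 9 06:32:44 kernel: DROP IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:aa:bb:cc:dd:ee:ff:08:00 "
    "SRC=10.0.5.40 DST=10.0.5.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=UDP SPT=137 DPT=137 LEN=58",
]

WAN_IF = "eth0"  # assumption: the router's WAN interface, as in the thread
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Split a netfilter LOG line into KEY=VALUE fields. Bare flags (DF, SYN) have no
    '=' and are skipped; LEN= appears twice and the later (UDP header) value wins."""
    return dict(FIELD_RE.findall(line))

def classify(fields):
    """Return the anomaly tags that apply to one parsed DROP entry."""
    tags = []
    src = ipaddress.ip_address(fields["SRC"])
    if fields.get("IN") == WAN_IF and any(src in net for net in RFC1918):
        tags.append("rfc1918-source-on-wan")      # not routable across the Internet
    if ipaddress.ip_address(fields["DST"]) == LIMITED_BROADCAST:
        tags.append("limited-broadcast-dst")       # routers never forward 255.255.255.255
    if fields.get("PROTO") == "UDP" and fields.get("DPT") == "10001":
        tags.append("udp-10001-discovery-probe")   # port Ubiquiti uses for discovery/management
    # 64 is a common initial TTL; a packet arriving still at 64 was not decremented by any
    # router, so the sender sits on the WAN port's own L2 segment (heuristic only).
    if fields.get("IN") == WAN_IF and fields.get("TTL") == "64":
        tags.append("ttl-unrouted-l2-neighbour")
    return tags

def triage(lines):
    hits = []  # (SRC, DPT, tags) for every entry that raises at least one tag
    for fields in map(parse_log_line, lines):
        tags = classify(fields)
        if tags:
            hits.append((fields["SRC"], fields.get("DPT"), tags))
    return hits
```

Feed it the lines from the router's syslog (for example `triage(open("/tmp/syslog.log"))` after filtering for "DROP IN=") and only the entries worth a second look come back tagged.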
 
I changed the public IPs I posted here... just a bit... didn't want to give out specific/correct public IPs for a (bad actor?) to probe...
Asus Merlin is locked down (pretty tight) on public WAN side (read: you can only reach Asus/Merlin from LAN side...)
Thanks!
 
