Posted: Fri Jan 11, 2019 17:27 Post subject: Wow!! This was crazy interesting! Wifi ARP poisoning
Sorry for the long post, but I found it bizarre!! Please bear with me.
devsk wrote:
Another issue I face is that sometimes the Archer C9 (which I am using as a switch/AP) claims the address 192.168.0.1 for itself (it broadcasts an ARP for that IP with its MAC) when the real router becomes unreachable, breaking all internet facing traffic.
Why does it claim 192.168.0.1 when it knows that's the default gateway and its IP is something else?
I posted this in the Archer C9 thread but thought it's more generally relevant.
So, I thought the MAC was that of *MY* TPLink C9 but that MAC was some other device in the neighbourhood (likely one of my neighbours). It only matched in the first 3 OEM bytes.
So, basically, there is a wireless leak going on here somehow.
192.168.0.1 is my cable modem. A neighbour's TPLink device arps with 192.168.0.1. When I go to 192.168.0.1, it presents me with original TPLink ROM's login UI (I am running dd-wrt on my TPLink C9 routers and my 192.168.0.1 is the cable modem, not TPLink). I enter username and password and it rejects the connection. (I have since then changed my own passwords because I basically ended up disclosing my password to some random TPLink device)
This also explains all the intermittent internet connectivity issues my wifi devices were observing:
devsk wrote:
So, some of the times my client machines make wifi connection successfully but no traffic runs through the connection. The IP is assigned without issue by the DHCP server. It can not talk to internet though.
I have 2 TP-Link Archer C9's installed at the edges of the house (not very large) with their own AP. I am sitting right next to one.
I am running pretty much the latest snapshot (Nov 27) image on both of them.
This happens only once in a while. 4 out of 5 times, wifi connects and everything works. The problem is that the client thinks it's connected when it's not. So, it keeps retrying application level connections... which leads to severe battery drain on cell phones and laptops.
Anybody else experience this type of behaviour?
Some of those wireless packets to the internet were not landing at my default gateway (my modem 192.168.0.1) but at my neighbour's wifi router and were likely dropped on the floor by it.
I have moved my LAN to 10.x.x.x network since this discovery and all has gone back to sanity. No more clients that can't connect to internet, no more 192.168.0.1 prompting login prompt to some random TPLink ROM. I was blaming Ring and its chime being a poor product because it would work sometimes and then won't. But it hasn't disconnected for days since the fix.
So, the big question is: How is this possible? How can my dd-wrt wifi AP be talking to neighbour's router when it has a wired connection to my modem? How can it happen at the L2 level itself? How are arp broadcasts leaking across wifi?
Last edited by devsk on Tue Jan 15, 2019 16:36; edited 1 time in total
I am pretty sure there is no van outside my house trying to spy on me or trying to take over my LAN every day, and I have very good relationships with neighbours on both sides. So, this was most likely accidental ARP poisoning, but it can happen for real nefarious purposes. So, better guard against it!
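A way to catch the condition described in the post above, added here as an example and not part of the original post: compare successive `ip neigh show` snapshots from a LAN client against the gateway's known MAC, and separate "one of my own APs answered" from "a different unit with the same vendor prefix answered". All MAC addresses, the interface name and the function names are constructed for illustration.

```python
import re

# Matches resolved rows of `ip neigh show`; FAILED/INCOMPLETE rows carry no lladdr.
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})\b", re.I | re.M)

def parse_neigh(text):
    """Return {ip: mac} for every resolved neighbour entry."""
    return {ip: mac.lower() for ip, mac in NEIGH_RE.findall(text)}

def classify(mac, gateway_mac, own_macs):
    """Say who is answering for the gateway IP."""
    if mac == gateway_mac:
        return "ok"
    if mac in own_macs:
        return "own-device"          # one of my APs really claims the gateway IP
    if any(mac[:8] == m[:8] for m in own_macs):
        return "foreign-same-oui"    # same first 3 bytes as my APs, different unit
    return "foreign"

def audit_gateway(snapshots, gateway_ip, gateway_mac, own_macs):
    """List (snapshot index, mac, verdict) where the gateway IP resolves to the wrong MAC."""
    own = {m.lower() for m in own_macs}
    findings = []
    for i, text in enumerate(snapshots):
        mac = parse_neigh(text).get(gateway_ip)
        if mac is None:              # unresolved in this snapshot, nothing to judge
            continue
        verdict = classify(mac, gateway_mac.lower(), own)
        if verdict != "ok":
            findings.append((i, mac, verdict))
    return findings

# Constructed sample data (locally administered placeholder MACs, not from the thread).
GATEWAY_IP = "192.168.0.1"
GATEWAY_MAC = "02:aa:00:00:00:01"                      # the cable modem
OWN_APS = ["02:bb:00:00:10:01", "02:bb:00:00:10:02"]   # the two wired APs
SNAPSHOTS = [
    "192.168.0.1 dev wlan0 lladdr 02:aa:00:00:00:01 REACHABLE\n"
    "192.168.0.23 dev wlan0 lladdr 02:bb:00:00:10:01 STALE",
    "192.168.0.1 dev wlan0 FAILED",
    "192.168.0.1 dev wlan0 lladdr 02:bb:00:7f:3c:9e STALE",
    "192.168.0.1 dev wlan0 lladdr 02:aa:00:00:00:01 REACHABLE",
]

if __name__ == "__main__":
    for idx, mac, verdict in audit_gateway(SNAPSHOTS, GATEWAY_IP, GATEWAY_MAC, OWN_APS):
        print(f"snapshot {idx}: {GATEWAY_IP} is at {mac} ({verdict})")
```

On a Linux client, a permanent neighbour entry for the gateway (`ip neigh replace <gateway-ip> lladdr <gateway-mac> dev <iface> nud permanent`) keeps a stray ARP reply from overwriting the mapping on that host.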
Posted: Sat Jan 12, 2019 3:19 Post subject: Build and Settings
What build of DD-WRT are you using?
If you are not using the latest, upgrade. See the link in my signature.
Settings. That sounds like a firewall issue to me. That is just my gut though. It sounds like your ISP is allowing your connection to go through your modem and back in through the neighbour's modem, to their TP-Link router behind it.
If you are not using the latest, upgrade. See the link in my signature.
As I said, I am using the Nov 27 (2018) build, so it's not terribly old.
Quote:
It sounds like your ISP is allowing your connection to go through your modem and back in through the neighbour's modem, to their TP-Link router behind it.
That would be a customer security disaster for Comcast, right? And if this happened, changing my LAN to 10.x.x.x addresses won't fix it.
I think it just so happens that most of these devices get initialized with 192.168.0.1 as the IP, and they broadcast ARP over the wireless radio over to other wifi APs (my C9 in my case), which now gets confused as to who 192.168.0.1 is.
Wait, was your internal LAN on 192.168.0.1 (on your DD-WRT router)? It defaults to 192.168.1.1, with DHCP 192.168.1.100-199.
_________________
Before asking a question on the forums, update dd-wrt: Where do I download firmware? I suggest reading it all.
QCA Best WiFi Settings
Some dd-wrt wiki pages are up to date, others are not. PM me if you find an old one.
Atheros:
Netgear R7800 x3 - WDS AP / station, gateway, QoS
TP-Link Archer C7 v2 x2 - WDS Station
TP-Link TL-WDR3600 v1 - WDS Station
TP-Link 841nd v8 - NU
D-Link 615 C1/E3/I1 x 7 - 1 WDS station
D-Link 825 B1 - NU
D-Link 862L A1 x2 - WDS Station
Netgear WNDR3700v2 - NU
UBNT loco M2 x2 - airOS
Broadcom
Linksys EA6400 - Gateway, QoS
Asus N66U - AP
Netgear WNDR3700v3 - not used
MediaTek
UBNT EdgeRouter X - switch
I am using the DHCP server on my gateway (the cable modem/router). That device had IP of 192.168.0.1 on the LAN and it was giving out leases from 192.168.0.2 to 250.
So, all my internet facing traffic went through 192.168.0.1.
The setup is WAN -> Cable modem (router mode) -> ( Wired TP Link AP1 | Wired TP Link AP2 )
Then the clients are connected to wired ports of AP1/AP2 and Wifi of AP1/AP2.
If I was you, I would put the modem in Bridge Mode. Move both of the TP-Link routers to 192.168.1.X (1 and 2 probably). Then make one of the routers a DHCP server. The Firewall is much better in DD-WRT than most modems.
Posted: Sat Jan 12, 2019 15:56 Post subject: Re: DHCP
ian5142 wrote:
If I was you, I would put the modem in Bridge Mode. Move both of the TP-Link routers to 192.168.1.X (1 and 2 probably). Then make one of the routers a DHCP server. The Firewall is much better in DD-WRT than most modems.
And the problem will still occur if my other neighbour is using TP Link with 192.168.1.1 as IP on his wifi AP...
But I get your point about the dd-wrt having a better featured firewall than the cable modem.
Posted: Sat Jan 12, 2019 18:55 Post subject: Firewall
I doubt you will see the problem if you are using the DD-WRT firewall. I have never seen any of my neighbours' networks.