Private IPs leaking onto WAN

Post new topic   Reply to topic    DD-WRT Forum Index -> Atheros WiSOC based Hardware
ccbrianf
DD-WRT User


Joined: 10 Jun 2015
Posts: 58

PostPosted: Fri Jan 06, 2023 2:17    Post subject:
Yes, this is the AT&T device log, which is likely its (disabled) firewall log. I commented above it might be an ingress exploit, but I don't understand how or what kind if it has source addresses of active devices on my private LAN and public internet destination addresses. How did it even get to the AT&T router without it having its address as the destination?

I would have Wireshark proven it already if I owned a switch with port mirroring capability. I'm pretty sure I know what I'll find though.
CR_Apollo
DD-WRT User


Joined: 25 Dec 2020
Posts: 90
Location: Toronto - Canada

PostPosted: Fri Jan 06, 2023 2:36    Post subject:
ccbrianf wrote:
Yes, this is the AT&T device log, which is likely its (disabled) firewall log. I commented above it might be an ingress exploit, but I don't understand how or what kind if it has source addresses of active devices on my private LAN and public internet destination addresses. How did it even get to the AT&T router without it having its address as the destination?

I would have Wireshark proven it already if I owned a switch with port mirroring capability. I'm pretty sure I know what I'll find though.


It's easy to get the details once you connect to their site. As for the private IPs, I have seen it happen where they are real active ones, too. They actually detect it during the spoof somehow. But the firewall is doing its job if it is dropping it.
ccbrianf
DD-WRT User


Joined: 10 Jun 2015
Posts: 58

PostPosted: Thu Jan 12, 2023 1:23    Post subject: Leaking confirmed!
I found what I expected.

I bought a TL-SG105E managed switch, set it up for port mirroring, and made a Wireshark capture. The source MAC is my ea8500 DD-WRT router and the destination MAC is my AT&T BGW210-700 gateway, with private LAN IPs as the source address and internet IPs as the destination:

25611 104.088044 192.168.2.X 8.251.201.252 TCP 66 40796 → 443 [RST, ACK] Seq=1 Ack=1 Win=20 Len=0 TSval=1069250564 TSecr=745656679
25612 104.088044 192.168.2.X 104.126.117.138 TCP 66 44578 → 443 [RST, ACK] Seq=1 Ack=1 Win=17 Len=0 TSval=2197337165 TSecr=2317801869
25613 104.088044 192.168.2.X 104.126.117.138 TCP 66 44580 → 443 [RST, ACK] Seq=1 Ack=1 Win=17 Len=0 TSval=2197337166 TSecr=2317801922
40117 199.510008 192.168.2.X 23.33.22.74 TCP 66 41954 → 443 [RST, ACK] Seq=1 Ack=1 Win=17 Len=0 TSval=480162679 TSecr=3877232406

Frame 25611: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface \Device\NPF_{86DBEEC9-9FFD-4FF5-B0AE-688A3B2FAEF3}, id 0
Ethernet II, Src: BelkinIn_XX:XX:XX (c0:56:27:xx:xx:xx), Dst: ARRISGro_YY:YY:YY (8c:5a:25:yy:yy:yy)
Destination: ARRISGro_YY:YY:YY (8c:5a:25:yy:yy:yy)
Source: BelkinIn_0e:05:33 (c0:56:27:xx:xx:xx)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.2.X, Dst: 8.251.201.252
Transmission Control Protocol, Src Port: 40796, Dst Port: 443, Seq: 1, Ack: 1, Len: 0

My assertion is correct: DD-WRT is leaking private IP source addresses onto the WAN!
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Thu Jan 12, 2023 8:24    Post subject:
This is the normal behaviour when NAT is turned off.
ccbrianf
DD-WRT User


Joined: 10 Jun 2015
Posts: 58

PostPosted: Thu Jan 12, 2023 13:13    Post subject:
Yes, but the SPI Firewall is enabled.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Thu Jan 12, 2023 13:23    Post subject:
Where is 192.168.2.X?

NAT can be enabled/disabled on each Interface.
ccbrianf
DD-WRT User


Joined: 10 Jun 2015
Posts: 58

PostPosted: Thu Jan 12, 2023 13:34    Post subject:
192.168.2.X is the LAN on eth1. The Wireshark capture was done on the WAN coming out of eth0 with the SPI firewall enabled for the gateway mode router. So far I've only found TCP ACK RST packets with sequence 1 and destination port 443 not having their source IP changed.

I do not see a way in the GUI short of specific commands to change NAT on any specific interface other than oet1 or a VAP.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Thu Jan 12, 2023 14:35    Post subject:
Masquerade / NAT is set on the Networking Tab.

If the Interface is bridged, it's set on the bridge.

You can enter this into the Firewall Script to enable NAT from all interfacing going out the WAN:

iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE
ccbrianf
DD-WRT User


Joined: 10 Jun 2015
Posts: 58

PostPosted: Thu Jan 12, 2023 14:52    Post subject:
Thank you for the reply, but again, I see no mention of NAT or masquerade on the networking page outside oet1 for WireGuard, which is not in use and not in this IP range (nothing on eth0, eth1, or br0).

If you believe this is set wrong, why do all other packets have the public DD-WRT ea8500 router IP for the source address except these? I guess with respect to NAT/SPI there is no reason to change the source IP of a RST packet since it is killing the connection and won't return anything, but that violates what I presume masquerade should mean and what the AT&T gateway is expecting for single device IP passthrough mode, so it seems right to complain.

I can try the command if you think it will matter, but to me it should be redundant or equivalent to the default in use.
ccbrianf
DD-WRT User


Joined: 10 Jun 2015
Posts: 58

PostPosted: Fri Jan 13, 2023 15:10    Post subject:
Per Yngve Berg wrote:
You can enter this into the Firewall Script to enable NAT from all interfacing going out the WAN:

iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE

I tested both of the following commands individually in Save Firewall followed by a reboot, with no change, as expected:
Test 1. iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE
Test 2. iptables -t nat -A POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE
which is, I assume, what you were recommending.
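Neither MASQUERADE form can touch these frames, which is why both tests changed nothing: netfilter consults the nat table only for the first packet of a connection, and a RST/ACK that conntrack cannot match to a connection it still tracks is classified INVALID and forwarded with its source address untouched. The script below is an added check, not code from this thread or from DD-WRT: it scans a Wireshark text export of the WAN-side capture (same column layout as the frames quoted earlier) and reports every frame whose source is an RFC 1918 address, using a constructed sample in place of the real capture.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): find frames on the WAN capture
# whose source IP is private. Input columns, as in the thread's Wireshark export:
#   No. Time Source Destination Proto Len Info...

# Print only the capture lines whose source IP (column 3) is RFC 1918 private.
find_private_src_leaks() {
    awk '
    function is_private(ip,   o) {
        if (split(ip, o, ".") != 4) return 0                    # not a dotted quad
        if (o[1] + 0 == 10) return 1                            # 10.0.0.0/8
        if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1  # 172.16.0.0/12
        if (o[1] + 0 == 192 && o[2] + 0 == 168) return 1        # 192.168.0.0/16
        return 0
    }
    NF >= 6 && is_private($3) { print }
    '
}

# Number of leaked frames; anything above 0 on a NATed WAN link is a finding.
count_private_src_leaks() {
    find_private_src_leaks | wc -l | tr -d ' '
}

# Distinct TCP flag sets carried by the leaked frames. The thread saw only
# [RST, ACK], consistent with conntrack treating them as INVALID and therefore
# never running them through the nat POSTROUTING chain.
leaked_flag_sets() {
    find_private_src_leaks | sed -n 's/.*\(\[[^]]*\]\).*/\1/p' | sort -u
}

# Constructed sample shaped like the thread's capture. Addresses are from the
# documentation/test ranges; 198.51.100.7 stands in for the router's public WAN IP.
SAMPLE_CAPTURE='25610 104.088000 198.51.100.7 203.0.113.5 TCP 66 40795 -> 443 [ACK] Seq=1 Ack=1 Win=20 Len=0
25611 104.088044 192.168.2.10 203.0.113.5 TCP 66 40796 -> 443 [RST, ACK] Seq=1 Ack=1 Win=20 Len=0
25612 104.088044 192.168.2.10 203.0.113.6 TCP 66 44578 -> 443 [RST, ACK] Seq=1 Ack=1 Win=17 Len=0
40117 199.510008 198.51.100.7 203.0.113.9 TCP 66 41954 -> 443 [ACK] Seq=1 Ack=1 Win=17 Len=0
40118 199.520008 10.20.0.4 203.0.113.9 TCP 66 41955 -> 443 [RST, ACK] Seq=1 Ack=1 Win=17 Len=0'

# Run against the sample; on a real capture use e.g.: tshark -r wan.pcapng | find_private_src_leaks
printf '%s\n' "$SAMPLE_CAPTURE" | find_private_src_leaks
printf 'leaked frames: %s\n' "$(printf '%s\n' "$SAMPLE_CAPTURE" | count_private_src_leaks)"
```

The usual remedy for this class of leak is a Firewall Script rule that drops INVALID-state traffic before it is forwarded, such as iptables -I FORWARD -m conntrack --ctstate INVALID -j DROP, so the stray RSTs never reach the WAN side at all.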
CR_Apollo
DD-WRT User


Joined: 25 Dec 2020
Posts: 90
Location: Toronto - Canada

PostPosted: Thu Jan 19, 2023 3:28    Post subject:
Curious what your routing table looks like on the DD-WRT?
ccbrianf
DD-WRT User


Joined: 10 Jun 2015
Posts: 58

PostPosted: Thu Jan 19, 2023 14:57    Post subject:
Code:
~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         104-9-XX-XX.lig 0.0.0.0         UG    0      0        0 eth0
10.XX.0.0       *               255.255.255.0   U     0      0        0 oet1
10.XX.0.X       *               255.255.255.255 UH    0      0        0 oet1
10.XX.0.X       *               255.255.255.255 UH    0      0        0 oet1
10.XX.0.XX      *               255.255.255.255 UH    0      0        0 oet1
104.9.XX.0      *               255.255.254.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.LAN.0   *               255.255.255.0   U     0      0        0 br0
192.168.WG.0    *               255.255.255.0   U     0      0        0 oet1
CR_Apollo
DD-WRT User


Joined: 25 Dec 2020
Posts: 90
Location: Toronto - Canada

PostPosted: Sun Jan 22, 2023 4:18    Post subject:
I still think it's something to do with port triggering causing that, but it's hard to say without it in front of me. Wish I could offer more suggestions, but maybe someone from DD-WRT support can help more now that they can see the table as well?

That, or how DD-WRT functions in gateway mode with another private IP on the WAN port.