Private IPs leaking onto WAN

DD-WRT Forum Index -> Atheros WiSOC based Hardware
ccbrianf, DD-WRT User, Joined: 10 Jun 2015, Posts: 58
PostPosted: Wed Dec 14, 2022 2:04    Post subject: Private IPs leaking onto WAN
I have AT&T internet which (unless you work through an EAP proxy set up) requires using an Arris BGW210-700 gateway, which is properly configured for IP passthrough (with all user controllable firewall rules disabled) attached to my Ea8500 running the latest Dd-wrt firmware (r51011). For the longest time, the AT&T gateway has reported packets dropped with my private class C source IPs based on their filtering rules that cannot be disabled. These must be coming through the WAN interface of my Ea8500 in gateway mode because that is the only device connected to the AT&T gateway and WiFi is disabled on the AT&T box. Example:
Code:
Date/Time                    SourceIP        DestinationIP   Proto   Reason
2022-12-13T18:28:36.065005   192.168.X.X     172.217.X.X     TCP     IP Source Address

I've been unable to figure out why the Ea8500 is forwarding such internal source IPs onto the WAN, but I recently found when checking the routing table the following:
Code:
Destination LAN NET   Gateway   Table   Scope   Metric   IF           Source
192.168.X.0/24        default   link             0        LAN & WLAN   192.168.X.1

Why does the local private IP network say LAN & WAN instead of just LAN for IF? Is this my problem? If so, how do I correct it? If not, any other ideas on what to check or correct?
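An added example, not from the thread or from DD-WRT itself: a small POSIX sh triage for log lines in the gateway's Date/Time SourceIP DestinationIP Proto Reason layout, which separates genuine RFC1918-source-to-public-destination lines (the case reported above) from expected LAN-to-gateway traffic and lists the LAN clients behind the leaks. The sample lines and addresses are constructed, and the WAN interface name eth0 in the tcpdump comment is an assumption.

```shell
# Added example (not from the thread): triage the gateway's dropped-packet log.
# A line is a LEAK only when the source is RFC1918 and the destination is
# public, the case reported above; private-to-private (the LAN reaching the
# AT&T box on 192.168.1.254) is expected and is reported as INTERNAL.
# To confirm on the router itself, sniff the WAN side (interface name assumed):
#   tcpdump -ni eth0 'src net 192.168.0.0/16 and not dst net 192.168.0.0/16'

# is_private ADDR: succeeds when ADDR is in 10/8, 172.16/12 or 192.168/16
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_line LINE: prints LEAK, INTERNAL or OK for one log line in the
# "Date/Time SourceIP DestinationIP Proto Reason" layout
classify_line() {
    set -- $1                   # word-split: $2 = source, $3 = destination
    if is_private "$2"; then
        if is_private "$3"; then echo INTERNAL; else echo LEAK; fi
    else
        echo OK
    fi
}

# Constructed sample log (addresses made up, same column layout as the post).
SAMPLE='2022-12-13T18:28:36.065005 192.168.2.20 172.217.14.46 TCP IP Source Address
2022-12-13T18:28:37.100000 192.168.2.20 192.168.1.254 TCP IP Source Address
2022-12-13T18:28:38.200000 192.168.2.31 142.250.72.14 UDP IP Source Address
2022-12-13T18:28:39.300000 104.9.186.10 172.217.14.46 TCP IP Destination'

# count_leaks: how many sample lines are real leaks
count_leaks() {
    n=0
    while read -r line; do
        if [ "$(classify_line "$line")" = LEAK ]; then n=$((n + 1)); fi
    done <<EOF
$SAMPLE
EOF
    echo "$n"
}

# leaking_hosts: distinct LAN clients behind the leaks (check their routes,
# VPN clients or static IP settings first), one address per line
leaking_hosts() {
    printf '%s\n' "$SAMPLE" | while read -r line; do
        if [ "$(classify_line "$line")" = LEAK ]; then set -- $line; echo "$2"; fi
    done | sort -u
}
```

Run it against the real log by replacing SAMPLE with the exported file contents; any host it lists is sending un-NATed packets past the router and is where to look next.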
dale_gribble39, DD-WRT Guru, Joined: 11 Jun 2022, Posts: 1899
PostPosted: Wed Dec 14, 2022 2:50    Post subject: Re: Private IPs leaking onto WAN
ccbrianf wrote:
I've been unable to figure out why the Ea8500 is forwarding such internal source IPs onto the WAN, but I recently found when checking the routing table the following:
Code:
Destination LAN NET   Gateway   Table   Scope   Metric    IF           Source
192.168. X. 0/24      default   link               0    LAN & WLAN   192.168.X. 1

Why does the local private IP network say LAN & WAN instead of just LAN for IF? Is this my problem? If so, how do I correct it? If not, any other ideas on what to check or correct?

Read that again. It says LAN & WLAN.

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
ccbrianf, DD-WRT User, Joined: 10 Jun 2015, Posts: 58
PostPosted: Wed Dec 14, 2022 12:47
Thank you. I guess I was misreading trying to be hopeful. Anyway, the curious original problem remains if anyone has any ideas.
dpp3530, DD-WRT Guru, Joined: 12 Dec 2007, Posts: 764, Location: Pittsburgh, PA USA
PostPosted: Wed Dec 14, 2022 15:10
I know when I had Adelphia cable (many years ago), the cable modem itself had a 192.168.2.1 address for the management interface. My router at the time, a wired SMC7004FW, also had 192.168.2.1 by default. It wasn't until I upgraded to a WRT54G and discovered DD-WRT that I found the modem had a management IP.

My point is that maybe you're not leaking IPs at all; it could be something on the AT&T side. The easiest way to figure that out is to change your subnet. If the dropped packets keep the same address, it's not coming from you. If they change to the new subnet, then your configuration needs to be reviewed.

_________________
Netgear R7800
DD-WRT v3.0 STD
Linksys WRT1900AC
DD-WRT v3.0 STD
ccbrianf, DD-WRT User, Joined: 10 Jun 2015, Posts: 58
PostPosted: Wed Dec 14, 2022 16:24
The AT&T box management address is on a different 192.168 class C subnet and does not conflict. The IPs match those of internal device assignments. Thanks for the input!
CR_Apollo, DD-WRT User, Joined: 25 Dec 2020, Posts: 90, Location: Toronto - Canada
PostPosted: Wed Jan 04, 2023 16:54
ccbrianf wrote:
The AT&T box management address is on a different 192.168 class C subnet and does not conflict. The IPs match those of internal device assignments. Thanks for the input!
Your source is the gateway you have running on your router. The destination is the subnet, which /25 would be 255.255.255.0.

Are you sure your AT&T device is not using the same subnet? When using the same subnet, unless you block it, the two networks can communicate together. Try what was suggested and change the subnet?
ccbrianf, DD-WRT User, Joined: 10 Jun 2015, Posts: 58
PostPosted: Wed Jan 04, 2023 19:16
255.255.255.0 is CIDR /24, not /25.

I agree my source IP should be the router IP on the public network, and from other logged messages on the AT&T gateway, it generally is. My complaint is that is not always the case and private client IP source addresses are also coming through. If not a router error, it seems some exploit is either successfully leaking egress or spoofing that appearance on ingress. The destination IP addresses of those packets are internet bound, so an ingress explanation doesn't make much sense.

Yes, the AT&T gateway IP is 192.168.1.254, on a different class C as previously stated than my internal network on 192.168.2.X. There is some black magic going on on the AT&T side for single device IP pass through to work since it is not a true bridge mode, but none of that is visible to the Dd-wrt router that's leaking.

Also FWIW, I have setup the same thing at another location with an Asus AC66U instead of my Ea8500 with the same results.

I do see that my public IP is on a /23, but not in the 192.168 address space. I wonder if somewhere in the code the public and private netmasks are mixed up for routing, as that would explain it. However, I wouldn't think that to be possible given I just verified both the DHCP supplied end client netmask and all the router ifconfig -a IPs and masks as correct.

When I'm not misreading something being hopeful as this thread started, I do generally know what I'm talking about as a system architect software engineer that often deals with networking.
egc, DD-WRT Guru, Joined: 18 Mar 2014, Posts: 12837, Location: Netherlands
PostPosted: Thu Jan 05, 2023 7:35
DDWRT is just Linux as far as routing and firewalling is concerned.

Which you have checked with the appropriate tools.

The only strange routing things I have seen are when you are using multiple (virtual) interfaces on the same connection and have Short Cut Forwarding turned on.
SFE bypasses the firewall/connection tracking; it should switch off e.g. when you add a VAP (virtual wireless interface), but there might be other setups possible which can confuse SFE.

I have seen it when a user had a WireGuard tunnel running and was port forwarding through the WG tunnel and through the WAN to the same server.

Bottom line: test with SFE on and off.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
CR_Apollo, DD-WRT User, Joined: 25 Dec 2020, Posts: 90, Location: Toronto - Canada
PostPosted: Thu Jan 05, 2023 12:30
ccbrianf wrote:
255.255.255.0 is CIDR /24, not /25.

I agree my source IP should be the router IP on the public network, and from other logged messages on the AT&T gateway, it generally is. My complaint is that is not always the case and private client IP source addresses are also coming through. If not a router error, it seems some exploit is either successfully leaking egress or spoofing that appearance on ingress. The destination IP addresses of those packets are internet bound, so an ingress explanation doesn't make much sense.

Yes, the AT&T gateway IP is 192.168.1.254, on a different class C as previously stated than my internal network on 192.168.2.X. There is some black magic going on on the AT&T side for single device IP pass through to work since it is not a true bridge mode, but none of that is visible to the Dd-wrt router that's leaking.

Also FWIW, I have setup the same thing at another location with an Asus AC66U instead of my Ea8500 with the same results.

I do see that my public IP is on a /23, but not in the 192.168 address space. I wonder if somewhere in the code the public and private netmasks are mixed up for routing, as that would explain it. However, I wouldn't think that to be possible given I just verified both the DHCP supplied end client netmask and all the router ifconfig -a IPs and masks as correct.

When I'm not misreading something being hopeful as this thread started, I do generally know what I'm talking about as a system architect software engineer that often deals with networking.

If I am reading this right, both the AT&T and DD-WRT router are on the 168 C, which sounds like a double NAT. Why not set the AT&T to straight through? This may be "partly" why the IPs are seen going through the router/DD-WRT WAN port, too.


Double NAT occurs when you connect your router to an ISP gateway or another router. Because NAT is performed by each router or gateway, your internal/private 192.168.x.x C network is split into two different private networks. The devices connected to one private network might have communication problems with the devices connected to the other private network, and you might experience problems with:

Online games
VPN connections
Port forwarding and triggering
Secure websites that use SSL
ccbrianf, DD-WRT User, Joined: 10 Jun 2015, Posts: 58
PostPosted: Thu Jan 05, 2023 14:39
On the private side, you are correct they are both on different class Cs. The single device IP pass through with firewall and filtering disabled for the AT&T router is the best that can be done without a complex and dubiously legal EAP proxy setup to spoof the AT&T router authentication. It is not double NAT in the traditional sense, and is similar to many cable modem setups that can be used in full bridge mode but where the modem is still privately accessible by a class C IP not the same as the user's private network. AFAIK, nothing is set up wrongly or inefficiently here based on extensive research.

SFE is automatically disabled.

I do have a WireGuard tunnel, but it is rarely to almost never active. There are no port forwards or special firewall/iptables rules for the tunnel or the router in general.
CR_Apollo, DD-WRT User, Joined: 25 Dec 2020, Posts: 90, Location: Toronto - Canada
PostPosted: Thu Jan 05, 2023 18:28
ccbrianf wrote:
On the private side, you are correct they are both on different class Cs. The single device IP pass through with firewall and filtering disabled for the AT&T router is the best that can be done without a complex and dubiously legal EAP proxy setup to spoof the AT&T router authentication. It is not double NAT in the traditional sense, and is similar to many cable modem setups that can be used in full bridge mode but where the modem is still privately accessible by a class C IP not the same as the user's private network. AFAIK, nothing is set up wrongly or inefficiently here based on extensive research.

SFE is automatically disabled.

I do have a WireGuard tunnel, but it is rarely to almost never active. There are no port forwards or special firewall/iptables rules for the tunnel or the router in general.

Do you use UPnP? If so, that can be the issue, too. Can you DMZ from the AT&T device? I am almost 100% sure that your issues are related to dropped connections because of port forwarding requirements.

1. DMZ to router. I believe it is called IP Pass through on AT&T.

or

2. Use Double Router Port Forwarding, and disable UPnP. This requires a lot of maintenance if you need to always change client/computer.

There is another option, from AT&T, to buy a static IP, but that comes with monthly cost.
ccbrianf, DD-WRT User, Joined: 10 Jun 2015, Posts: 58
PostPosted: Fri Jan 06, 2023 1:17
UPnP is disabled for obvious security reasons.

IP passthrough is the DMZ mode. Please read the initial post that says that is correctly configured with only the Dd-wrt router plugged in and both WiFi radios disabled on the AT&T BGW210-700: https://forums.att.com/conversations/att-internet-equipment/bridgemode-vs-ip-passthrough-info-from-the-att-community/5defbfffbad5f2f606ad5ed2

Please explain how a dropped connection for a Dd-wrt router with no port forwarding enabled other than normal NAT in Gateway mode sends a packet with source address 192.168.2.X/24 out to an internet destination IP on the WAN router interface with public IP 104.9.186.X/23.
CR_Apollo, DD-WRT User, Joined: 25 Dec 2020, Posts: 90, Location: Toronto - Canada
PostPosted: Fri Jan 06, 2023 1:44
ccbrianf wrote:
UPnP is disabled for obvious security reasons.

IP passthrough is the DMZ mode. Please read the initial post that says that is correctly configured with only the Dd-wrt router plugged in and both WiFi radios disabled on the AT&T BGW210-700: https://forums.att.com/conversations/att-internet-equipment/bridgemode-vs-ip-passthrough-info-from-the-att-community/5defbfffbad5f2f606ad5ed2

Please explain how a dropped connection for a Dd-wrt router with no port forwarding enabled other than normal NAT in Gateway mode sends a packet with source address 192.168.2.X/24 out to an internet destination IP on the WAN router interface with public IP 104.9.186.X/23.

Think of it this way: how could you connect to your AT&T portal if the traffic could not go out via the WAN? The WAN is how you are double NAT. Of course the two private networks see each other; one cannot get out to the internet without the other.

There is something happening within your double NAT, something you are missing. If you really think it is the DD-WRT, install a sniffer and watch your packets. But something has to be triggering the forward.


Last edited by CR_Apollo on Fri Jan 06, 2023 1:53; edited 1 time in total
ccbrianf, DD-WRT User, Joined: 10 Jun 2015, Posts: 58
PostPosted: Fri Jan 06, 2023 1:52
No packet should leave the Dd-wrt router's WAN interface with any source address other than the WAN IP, even if it is destined for the AT&T router's private IP of 192.168.1.254/24.
CR_Apollo, DD-WRT User, Joined: 25 Dec 2020, Posts: 90, Location: Toronto - Canada
PostPosted: Fri Jan 06, 2023 2:09
CR_Apollo wrote:
ccbrianf wrote:
UPnP is disabled for obvious security reasons.

IP passthrough is the DMZ mode. Please read the initial post that says that is correctly configured with only the Dd-wrt router plugged in and both WiFi radios disabled on the AT&T BGW210-700: https://forums.att.com/conversations/att-internet-equipment/bridgemode-vs-ip-passthrough-info-from-the-att-community/5defbfffbad5f2f606ad5ed2

Please explain how a dropped connection for a Dd-wrt router with no port forwarding enabled other than normal NAT in Gateway mode sends a packet with source address 192.168.2.X/24 out to an internet destination IP on the WAN router interface with public IP 104.9.186.X/23.

Think of it this way: how could you connect to your AT&T portal if the traffic could not go out via the WAN? The WAN is how you are double NAT. Of course the two private networks see each other; one cannot get out to the internet without the other.

There is something happening within your double NAT, something you are missing. If you really think it is the DD-WRT, install a sniffer and watch your packets. But something has to be triggering the forward.

Just made me think of something. Are you reading the firewall logs? I have had people try to get into my network spoofing; that may be it preventing that?