RainmakerRaw
Message 1 of 16

What are these extra IPs doing on the SH3 (modem mode)?

My SH3 is in modem mode, and the setup goes like this:

SH3 > pfSense (APU2C4) > TP-Link gigabit 8 port PoE switch
........................................| ethernet clients
........................................| Ubiquiti UAP AC PRO

I currently have the subnets 192.168.100.1 (for the SH3 modem) and 192.168.1.0/24 for the LAN. It used to be 10.x.x.x but that started messing with DHCP from some of my VPN subscriptions so I changed it. Anyway...

I've noticed lately in the firewall logs (pfSense) that there are hits blocked on the WAN side, from 192.168.100.3:138 directed to 192.168.100.255:138. Does anyone know what's going on there? I assumed it was broadcast related (hence the .255) or NETBIOS/Samba at first (port 138). However if the modem is in transparent bridge mode isn't the only client IP 192.168.100.1? What then is 192.168.100.3 (and, by inference, 192.168.100.2) and what/why are they attempting to broadcast?

The firewall rule to block BOGON networks from WAN caught it, but I've no idea why those IPs are even there. Surely modem mode is (or should be) exactly that - a transparent bridge. Thanks in advance for any info, I'm always wanting to learn something new.
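
One way to quantify the blocked WAN hits described in this post, as an added example that is not part of the original thread: it reads pfSense raw filterlog lines, keeps blocked inbound WAN packets with RFC 1918 sources, and counts them per hour and per flow. The interface names, the /24 prefix used for the broadcast check and all sample log lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_NAMES = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

# Constructed sample in pfSense's raw filterlog CSV layout. Rule numbers, tracker
# IDs, interface names (igb0 = WAN, igb1 = LAN) and timestamps are invented.
SAMPLE_LOG = """\
Mar  3 10:01:12 fw filterlog: 12,,,1000000104,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,229,192.168.100.3,192.168.100.255,138,138,209
Mar  3 10:13:40 fw filterlog: 12,,,1000000104,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,229,192.168.100.3,192.168.100.255,138,138,209
Mar  3 10:49:02 fw filterlog[411]: 12,,,1000000104,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,229,192.168.100.3,192.168.100.255,138,138,209
Mar  3 11:02:05 fw filterlog: 12,,,1000000104,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,229,192.168.100.3,192.168.100.255,138,138,209
Mar  3 11:05:00 fw filterlog: 9,,,1000000103,igb0,match,block,in,4,0x0,,52,4411,0,none,6,tcp,40,203.0.113.7,198.51.100.20,51234,23,0,S,1234567890,,64240,,mss
Mar  3 11:20:00 fw filterlog: 70,,,1000002661,igb1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.1.50,192.168.1.1,40000,53,40
"""

def private_wan_hits(log_text, wan_if="igb0"):
    """Count blocked inbound WAN packets with RFC 1918 sources, per hour and flow."""
    hits = Counter()
    for line in log_text.splitlines():
        # The syslog tag is "filterlog:" or "filterlog[pid]:" depending on version.
        stamp, sep, rest = line.partition(" filterlog")
        f = rest.partition(": ")[2].split(",")
        # IPv4 TCP/UDP entries carry src/dst at 18/19 and ports at 20/21.
        if not sep or len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
            continue
        if (f[4], f[6], f[7]) != (wan_if, "block", "in"):
            continue
        src = ipaddress.ip_address(f[18])
        if any(src in net for net in RFC1918):
            hits[(stamp[:9], f[18], f[19], int(f[21]))] += 1  # stamp[:9] = "Mon DD HH"
    return hits

def flow_summary(hits, prefix_len=24):
    """Collapse hourly counts into one record per (src, dst, dport) flow."""
    flows = {}
    for (hour, src, dst, dport), n in hits.items():
        # Assumption: the source sits in a network of prefix_len bits.
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        rec = flows.setdefault((src, dst, dport), {
            "service": PORT_NAMES.get(dport, "unknown"),
            "directed_broadcast": ipaddress.ip_address(dst) == net.broadcast_address,
            "total": 0, "peak_per_hour": 0})
        rec["total"] += n
        rec["peak_per_hour"] = max(rec["peak_per_hour"], n)
    return flows

if __name__ == "__main__":
    for flow, rec in flow_summary(private_wan_hits(SAMPLE_LOG)).items():
        print(flow, rec)
```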

Tudor
Message 2 of 16

I've seen 192.168.100.3 as the WAN address before DHCP from VM kicks in and assigns your real WAN address, so maybe this is why it's showing up in your logs.


There are 10 types of people: those who understand binary and those who don't
Tudor's signature ends above.

RainmakerRaw
Message 3 of 16

Afraid not. That was 192.168.100.20 in this case. The 192.168.100.3 is hitting the firewall about 75 times an hour despite having an established WAN IP.

RainmakerRaw
Message 4 of 16

Sorry for bumping an old topic, but Staff never did reply to this. Surely someone knows the answer? I'm still seeing this broadcast attempt hitting the network multiple times an hour. What are the extra IPs on the SH3 in modem mode, and what are they attempting to do to my network over port 138?

rssfed23
Message 5 of 16

I've come to this thread following a Google for the exact same thing from my pfSense logs!

I'd also like to know what the SH3 is trying to broadcast out to the local WAN side of the connection.

I don't think it's causing us any harm having it blocked though (given we should block BOGON anyways it doesn't surprise me that the SH3 is doing something "non standard") and I suspect this is due to the SH3 not actually acting as a "true" transparent bridge. There were some excellent diagrams a while ago explaining the internal setup of the SH3 and how it handles modem mode but from what I can recall it's not a true modem in the traditional sense, more like a semi-transparent bridge (but don't quote me on that - it was a long while ago that I last looked at all this).

I'd say leave it off unless someone with a proven record on the forums of being knowledgeable tells us otherwise.

RainmakerRaw
Message 6 of 16

Diagrams, you say?... I think I'll have to find these now! 

Sephiroth
Message 7 of 16

Might that have been? http://community.virginmedia.com/t5/Tech-Chatter/SH1-vs-SH2-vs-SH2ac-in-modem-mode/td-p/2872682

I've also pasted below a block diagram for the Hub 3. But that doesn't answer the question!

Wild guess: the 192.168.100.3 address might be down to the fact that on the Hub 3, any of the 4 LAN ports can be used for modem mode whereas that is not the case for the earlier hubs.

[Image: Hub 3 Block Diagram]

Seph - ( DEFROCKED - My advice is at your risk)

RainmakerRaw
Message 8 of 16

Thanks for the interesting reply and the diagrams. They satisfy the inner nerd itch haha.

Let's assume the SH3 isn't a full / straightforward transparent bridge, and that 192.168.100.3 IP is the SH3's internal assigned IP for the (pfSense in this case) device receiving the WAN IP in modem mode. That still doesn't answer how the broadcast is taking place. That would require the pfSense box to be attempting to broadcast upstream on the SH3 network (i.e. through WAN in its eyes), rather than via the LAN of its own network, and then blocking itself. That'd be a pretty serious bug and security flaw, and BSD isn't particularly known for those as a rule. Nullifying this hypothesis, I can and have replicated this on IPFire (a hardened Linux-based router/firewall distro) and OPNsense (BSD-based); so it is highly unlikely to be a firewall issue as the reporting parties have different packet filters and network stacks - i.e. no shared code - but still produce the same finding.

The alternative requires the not-properly-transparently-bridged SH3 to be attempting to broadcast (and/or sniffing the local devices over NETBIOS) on the LAN even though it doesn't technically have one. Which takes us back to 'what and why are VM trying to broadcast/sniff out on customer LANs without having made public the 'service' and reason for it?'. Curiouser and curiouser.

I find it amusing - and somewhat disconcerting - that even after a year (plus long lost posts on Cable Forum) no VM staff member has stepped forward to comment. I published an SSH/telnet flaw in one of the older VM units on CableForum once and didn't get a reply then, either. The bug was quietly patched a day or two later with another firmware update though haha. Whatever the reason, it makes me glad I have effectively double-NATed VM away from my network and have a proper BSD firewall standing between me and the wider network. Paranoid? Moi?

Forum Team
Message 9 of 16

Apologies for the delay in responding to your post RainmakerRaw,

Great to see the Community stepping in and helping out.

How has your connection been recently?

Nat_J


Sephiroth
Message 10 of 16

Oh dear, Nat!

Seph - ( DEFROCKED - My advice is at your risk)