Why did a UDP port scan get through THG3000 hub?

tonygibbs16
4: Newbie

Hello,

I have another router with a firewall connected to a THG3000 Vodafone hub.

My additional firewall detected a UDP port scan attack from an IP address on the Internet.

[image: Network_scanning_attack_via_Vodafone_router_231109.JPG]

The THG3000 hub says that the firewall is turned on.

How was this UDP port scan able to get in?

Kind regards Tony 


Cynric
16: Advanced member

@tonygibbs16 For what it's worth (now we can see the picture)

MAC Addresses
Zyxel f0-87-56-cf-13-c3
Technicolor d4-35-1d-05-41-6e-08-00


CrimsonLiar
16: Advanced member

So, as the THG3000 does not have a bridge mode, and you are running an extra firewall on the zyxel do you have them set up so that you do not have double NAT?

Hello @CrimsonLiar 

I just have it set up as a router between 2 private subnets.

     The THG3000 gives out 192.168.1.x/24

     My Zyxel NBG7510 gets an IPv4 address from the THG3000, and routes datagrams from another 192.168.y.z/24 subnet via its own firewall.

But this has no relevance I think as to why the THG3000 lets (too many) unsolicited datagrams through from the Internet.

I have also just detected a LAND attack also on the 192.168.1.x IP address given out by the THG3000.

Kind regards,

    Tony


Cynric
16: Advanced member

The log entry shows the source port is 443 (https) and I am wondering if a browser has been configured to keep threads open when the browser is closed for a faster start-up. I've noticed this kind of "trying to be helpful" in Edge, for example.

CrimsonLiar
16: Advanced member

@tonygibbs16 How do you think a LAND attack is going to traverse the internet and target your specific 192.168.1.x address?  How would it ever be routed over the internet?
Also just consider what Double Network Address Translation is and how that would apply to devices on your nested-subnet.
All of our routers successfully fend off large numbers of probes everyday, but I genuinely believe that what you are concerned about are false positives caused by how you've set up your local network.

Hello @CrimsonLiar 

Perhaps a LAND attack gets across the Internet using an IPIP tunnel where a datagram has 2 IP headers on it...

I don't think that my extra router is doing NAT because I don't think that it is changing any layer 4 IP addresses. I would need to use Wireshark in order to prove it.

Kind regards Tony 

CrimsonLiar
16: Advanced member

A home router is going to act as a router - including NAT - unless you find a way to tell it not to!  If you check in the logs of the THG3000 and all you see of your subnet is the WAN-on-LAN address of the secondary router then it's performing NAT, just as is the primary router.
As for IPIP or IP-in-IP again that's not going to happen unless you have something that is creating that encapsulation, most commonly (but not always) a VPN.  A router manipulates the existing packet header before forwarding the packet on, it doesn't add another wrapper!
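
The double-NAT behaviour described in this reply, as an added model that is not part of the thread and is not code from Vodafone, Technicolor or Zyxel. The addresses are assumptions: an inner LAN of 192.168.0.0/24 behind a Zyxel whose WAN side was given 192.168.1.50 by the THG3000, and a hub WAN address of 203.0.113.7 (documentation range); the server and probe addresses are constructed too. It shows three things the thread argues about: the hub's log only ever sees the Zyxel's WAN-on-LAN address, an unsolicited internet probe is dropped at the hub before it can reach the Zyxel, and a late reply arriving after the inner router's state has expired looks to the inner firewall like an unsolicited packet from source port 443.

```python
"""Toy double-NAT model for the setup described in the thread.
Added example, not code from the thread or from either vendor. Addresses
are assumptions: inner LAN 192.168.0.0/24 behind a Zyxel whose WAN side
got 192.168.1.50 from the THG3000, and a hub WAN address of 203.0.113.7
(documentation range)."""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Minimal NAPT: outbound flows create a mapping; an inbound packet is
    forwarded only if it matches a mapping, otherwise it is dropped."""

    def __init__(self, name, wan_ip, first_port):
        self.name, self.wan_ip = name, wan_ip
        self._ports = count(first_port)
        self.table = {}   # (proto, inner src, sport, dst, dport) -> external port
        self.log = []     # what this router's own log would show

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext = self.table.setdefault(key, next(self._ports))
        self.log.append(f"{self.name}: out {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport} as {self.wan_ip}:{ext}")
        return replace(pkt, src=self.wan_ip, sport=ext)

    def inbound(self, pkt):
        if pkt is not None and pkt.dst == self.wan_ip:
            for (proto, src, sport, dst, dport), ext in self.table.items():
                if (proto, dst, dport, ext) == (pkt.proto, pkt.src, pkt.sport, pkt.dport):
                    return replace(pkt, dst=src, dport=sport)
        if pkt is not None:
            self.log.append(f"{self.name}: dropped unsolicited {pkt.proto} "
                            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return None

    def expire(self):
        """Simulate the state table timing out."""
        self.table.clear()


def simulate():
    inner = Nat("zyxel", "192.168.1.50", first_port=40000)
    outer = Nat("thg3000", "203.0.113.7", first_port=50000)

    # 1. A host on the inner LAN opens an HTTPS connection (constructed server address).
    req = Packet("TCP", "192.168.0.10", 51000, "198.51.100.20", 443)
    on_hub_lan = inner.outbound(req)          # what the THG3000 sees: 192.168.1.50
    on_internet = outer.outbound(on_hub_lan)  # what the server sees: 203.0.113.7

    # 2. The server's reply matches both state tables and reaches the host.
    reply = Packet("TCP", "198.51.100.20", 443, on_internet.src, on_internet.sport)
    delivered = inner.inbound(outer.inbound(reply))

    # 3. A random internet probe has no mapping at the hub and never reaches the Zyxel.
    probe = Packet("UDP", "192.0.2.9", 53, "203.0.113.7", 5060)
    probe_result = outer.inbound(probe)

    # 4. The Zyxel's state times out while the hub's does not: a late server
    #    packet with source port 443 arrives at the Zyxel with no state, which
    #    its firewall may well log as a scan.
    inner.expire()
    late_result = inner.inbound(outer.inbound(reply))

    return {"on_hub_lan": on_hub_lan, "on_internet": on_internet,
            "delivered": delivered, "probe_result": probe_result,
            "late_result": late_result, "hub_log": outer.log, "zyxel_log": inner.log}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Run it and compare `hub_log` with `zyxel_log`: the hub only ever records 192.168.1.50, which is the check CrimsonLiar describes for confirming the secondary router is doing NAT, and the only entry the Zyxel drops is the late reply, not anything the hub let through unsolicited.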

Cynric
16: Advanced member

I'm a bit mystified by the setup and what the impact is. I've read it more than once, I must be getting old.

Anyway, when I had two routers the WAN port of the inner one connected to the LAN port of the outer. So my THG3000 was connected to VF and was left on the 192.168.1.x address range, with a static address of 192.168.1.1 and DNS and DHCP off. The inner Netscape router had DNS and DHCP off too because they were provided by Pi-Hole. The Netscape router address was 192.168.0.1. 

I don't have this setup now.

CrimsonLiar
16: Advanced member

As best as I can tell:  The OP is in a double NAT set up, which is basically working fine.  However, they are running a firewall on the nested router which is falsely reporting attacks that originate not from the internet but from the THG3000 itself, thanks to the double NAT.
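
A way to sort the inner firewall's "attack" entries by where the packet could actually have come from, as an added example that is not part of the thread. The log lines are constructed and their `PROTO src:port -> dst:port` layout is an assumption, not the NBG7510's real log syntax; the public-looking addresses are documentation-range ones standing in for real internet hosts, which is why the check below uses an explicit RFC 1918 list rather than Python's `is_private`. It applies the reasoning from the replies above: a source equal to the destination, or any 192.168.1.x source, is on the hub's LAN segment and cannot have been routed in from the internet; a well-known source port hitting an ephemeral port is most likely a late reply; only a public source with no state is worth checking against the hub's forwarding settings.

```python
"""Triage of 'attack' entries from a firewall sitting behind another NAT
router. Added example, not from the thread; the log lines are constructed
and their format is an assumption, not the NBG7510's real syntax."""
import ipaddress
import re

# Constructed sample lines in a generic "PROTO src:port -> dst:port" form.
SAMPLE_LOG = [
    "UDP 192.168.1.50:5060 -> 192.168.1.50:5060 drop LAND",
    "UDP 192.168.1.1:1900 -> 192.168.1.50:1900 drop",
    "TCP 198.51.100.20:443 -> 192.168.1.50:40000 drop scan",
    "UDP 198.51.100.77:53 -> 192.168.1.50:5060 drop scan",
]

LINE_RE = re.compile(r"(?P<proto>UDP|TCP)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
                     r"\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)")

# Only RFC 1918 plus loopback/link-local count as non-internet here, so the
# documentation-range addresses in SAMPLE_LOG stand in for public ones.
NON_INTERNET = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def triage(line, hub_lan="192.168.1.0/24"):
    """Return (verdict, reason) for one log line. hub_lan is the subnet the
    outer router hands out, i.e. the segment the inner router's WAN sits on."""
    m = LINE_RE.search(line)
    if not m:
        return "unparsed", line
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    sport, dport = int(m["sport"]), int(m["dport"])
    if src == dst:
        return "land-pattern", ("source equals destination; a packet from a private "
                                "address did not cross the internet, so it originated "
                                "(or was spoofed) on the adjacent segment")
    if src in ipaddress.ip_network(hub_lan):
        return "hub-lan", "source is on the outer router's LAN segment, not the internet"
    if any(src in n for n in NON_INTERNET):
        return "non-routable-source", "RFC 1918 / link-local source cannot arrive from the internet"
    if sport in (80, 443) and dport >= 1024:
        return "late-reply", ("well-known source port to an ephemeral destination port: "
                              "looks like a reply to a connection whose state expired, not a scan")
    return "internet-unsolicited", ("public source with no matching state reached the inner "
                                    "router, so check the hub for a port forward, DMZ host or "
                                    "UPnP mapping for that destination port")


def triage_all(lines):
    """Count verdicts across a batch of log lines."""
    counts = {}
    for line in lines:
        verdict, _ = triage(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line, "=>", *triage(line))
    print(triage_all(SAMPLE_LOG))
```

Feed it the inner router's real entries (after adjusting `LINE_RE` to that router's format) and only the `internet-unsolicited` bucket is evidence of something the hub actually forwarded; the rest are local-segment traffic or expired-state replies of the kind the thread suspects.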