Am I supposed to get ARPs off my DSL connection?

zobo88 Member Posts: 60
My DSL modem has a globally routable IP assigned at the WAN side, and at the LAN side its DHCP server is handing out 192.168.2.x IPs.

I used Wireshark to capture traffic going through my PC and DSL modem, and it turns out that I am getting ARPs for all sorts of 192.168.x.x IPs like 192.168.0.2, 192.168.1.1?

Why are these ARPs getting routed to me? I think something is terribly wrong? There are errors in Wireshark about duplicate use of IPs.

And even if something is broken at the ISP side, then why is my DSL router modem forwarding ARPs? Being a router, it should drop any ARPs coming from its WAN interface?

P.S.
I just tried to open my router management page 192.168.2.1. I have a TP-LINK, and some Belkin page opened instead.

Comments

  • Pash Member Posts: 1,600
    Which device is making the ARP requests, your gateway interface 192.168.2.1?

    You have to understand that those IP addresses that have ARP requests in your scenario are private addresses, not routable on the public domain. Your router when it receives packets from the WAN will of course first of all check its NAT table (if one exists) then maybe perform a translation, and then, on most routers, check its local ARP cache, and failing that send out an ARP request on the attached Ethernet networks that best match the IP layer. Also, ARP is mostly used to just translate IP addresses to Ethernet MAC addresses (as you know). It would be very funny to hear of ISPs who lay out reels of cat cable to and from exchanges etc (assuming there is an exchange every 90 metres) :p

    You sure you have no other serviceable networks from your router setup? Post your router config (omitting any saucy details) and your Wireshark capture (omitting any saucy details). Also, I am assuming you are capturing packets from your PC's network interface?

    Cheers,
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • zobo88 Member Posts: 60
    Pash wrote: »
    Which device is making the ARP requests, your gateway interface 192.168.2.1?

    You have to understand that those IP addresses that have ARP requests in your scenario are private addresses, not routable on the public domain. Your router when it receives packets from the WAN will of course first of all check its NAT table (if one exists) then maybe perform a translation, and then, on most routers, check its local ARP cache, and failing that send out an ARP request on the attached Ethernet networks that best match the IP layer. Also, ARP is mostly used to just translate IP addresses to Ethernet MAC addresses (as you know). It would be very funny to hear of ISPs who lay out reels of cat cable to and from exchanges etc (assuming there is an exchange every 90 metres) :p

    You sure you have no other serviceable networks from your router setup? Post your router config (omitting any saucy details) and your Wireshark capture (omitting any saucy details). Also, I am assuming you are capturing packets from your PC's network interface?

    Cheers,

    The ARP requests are coming from a number of devices which are NOT part of my LAN.
    I only had my desktop connected to my ADSL router,
    and yes, I am snooping on my PC's interface.

    I sincerely believe that something is broken at the ISP side (as I was able to open someone else's router when I tried to access the management address of my own router).
    However, what amazes me is why my router is forwarding packets/ARPs for 192.168.x.x towards the LAN; since they are not globally routable, it should be discarding them at the WAN interface.


    here is the trace: arp2.jpg.pcap

    The MAC of my TP-LINK is 4f-e0 and my LAN card is 72-3A; however, in the trace you see ARPs also coming from TP-LINK ec-f3, then there are some from Aztech and Quantco, which are not part of my LAN.
  • zobo88 Member Posts: 60
    OK great. Actually I was using the range of 192.168.1.x for the LAN and had changed it to 192.168.2.x yesterday, as I was constantly facing the duplicate IP detected issue and was unable to browse.
    I again changed it back and now I am effectively using someone else's connection to browse. When I open up 192.168.1.1, then the management page of a router/modem other than TP-LINK opens up :) and the WAN address assigned to that modem is the one which is now appearing as my public address.
    Free ride is good, but I am sure someone else is also taking a free ride off my modem :P

    ARP trace of the current situation: http://www.easy-share.com/1909605088/arp3.pcap Very interesting; remember my gateway IP is now 192.168.1.1
  • SrSysAdmin Member Posts: 259
    Networking isn't my strong point, but how would it even be possible for ARP requests for 192.168.x.x to come from anywhere but inside your own network? These are private IP addresses and therefore not able to come from outside the network.

    I think perhaps you have just enough knowledge to be dangerous but not enough to know fully what is going on.
    Current Certifications:

    * B.S. in Business Management
    * Sec+ 2008
    * MCSA

    Currently Studying for:
    * 70-293 Maintaining a Server 2003 Network

    Future Plans:

    * 70-294 Planning a Server 2003 AD
    * 70-297 Designing a Server 2003 AD
    * 70-647 Server 2008
    * 70-649 MCSE to MCITP:EA
  • 120nm4n Member Posts: 116
    Sounds like AT&T DSL. The 192.168.1.x network is from the DSL modem to your router. You have a NAT router built in to the modem. The reason you get conflicts is because both networks (on either side of your firewall) are 192.168.1.x.
    WIP: MCITP: EA
    70-620 - Done
    70-647 - In Progress
    70-649 - Soon.
  • TheShadow Member Posts: 1,057
    Is this Cat 5 or wireless? If wireless, I would guess you have options set to grab any access point and someone close by is not locked down. When my daughter comes over she always grabs my neighbor if not careful because he has 11n and her laptop likes it better.
    Who knows what evil lurks in the heart of technology?... The Shadow DO
  • Pash Member Posts: 1,600
    120nm4n wrote: »
    Sounds like AT&T DSL. The 192.168.1.x network is from the DSL modem to your router. You have a NAT router built in to the modem. The reason you get conflicts is because both networks (on either side of your firewall) are 192.168.1.x.

    This looks like the most logical suggestion yet, sorry I know very little about AT&T (being a US ISP).
  • Ahriakin Member Posts: 1,799
    ARPs naturally enough are not routable. Your ADSL would have to be bridging for them to pass through, or as has been suggested you are connecting wirelessly to someone else's AP.
    Run an NMAP of your network, get a better picture of what you're connected to. Verify you are only using your LAN connection. Then talk to your ISP.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • 120nm4n Member Posts: 116
    Pash wrote: »
    This looks like the most logical suggestion yet, sorry I know very little about AT&T (being a US ISP).

    The only reason I know this is because I saw the exact same thing when I set up my brother's DSL modem/router and his personal router.
  • Paul Boz Member Posts: 2,620
    Completely unrelated, but dude, log into your modem and turn off NAT. You can bridge the WAN IP to your inside interface and have a public IP address to hand off to your router. This will prevent you from having to run double nat (assuming you're natting the IP address from the LAN interface of your modem). What is the brand/make/model of your modem? It's stupid easy from command line for Zyxels and Speedstreams.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
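
The diagnosis the thread circles around (which devices the ARPs come from, and which IPs are claimed by more than one MAC, the cause of the duplicate-IP warnings) can be run over captured frames. This is an added example, not code from any poster; the `audit_arp` and `make_arp` helpers, the placeholder MAC addresses and the sample frames are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# EtherType 0x0806, then ARP htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4
ARP_IPV4_HDR = bytes.fromhex("0806" "0001" "0800" "0604")

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:20] != ARP_IPV4_HDR:
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return mac, ipaddress.IPv4Address(frame[28:32])

def audit_arp(frames, lan_cidr, known_macs):
    """Flag IPs claimed by several MACs, senders outside the LAN, and unknown MACs."""
    lan = ipaddress.ip_network(lan_cidr)
    claims, unknown, foreign = defaultdict(set), set(), set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue  # not ARP, or truncated
        mac, spa = parsed
        if mac not in known_macs:
            unknown.add(mac)
        if int(spa) == 0:
            continue  # 0.0.0.0 sender is an address probe, not a claim
        claims[str(spa)].add(mac)
        if spa not in lan:
            foreign.add((str(spa), mac))
    dupes = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    return {"duplicate_ips": dupes, "unknown_macs": sorted(unknown), "off_subnet": sorted(foreign)}

def make_arp(op, sha, spa, tpa):
    """Build a constructed 42-byte broadcast ARP frame (sample input only)."""
    mac = bytes.fromhex(sha.replace(":", ""))
    s, t = (ipaddress.IPv4Address(a).packed for a in (spa, tpa))
    return b"\xff" * 6 + mac + ARP_IPV4_HDR + op.to_bytes(2, "big") + mac + s + bytes(6) + t

# Constructed sample: placeholder MACs, not the ones in the poster's capture.
ROUTER, PC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [
    make_arp(1, ROUTER, "192.168.2.1", "192.168.2.100"),             # gateway request
    make_arp(2, PC, "192.168.2.100", "192.168.2.1"),                 # PC reply
    make_arp(1, "02:00:00:00:00:aa", "192.168.1.1", "192.168.1.5"),  # foreign subnet
    make_arp(1, "02:00:00:00:00:bb", "192.168.2.1", "192.168.0.2"),  # second claim on .2.1
    b"\xff" * 6 + bytes(6) + b"\x08\x00" + bytes(28),                # IPv4 frame, skipped
]
if __name__ == "__main__":
    print(audit_arp(SAMPLE, "192.168.2.0/24", {ROUTER, PC}))
```

Any entry under `duplicate_ips` or `off_subnet` on a wired LAN with a single PC attached means frames from another broadcast domain are reaching the interface, which is the bridging condition Ahriakin describes.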