  1. #21
    Master Untangler
    Join Date
    Mar 2017
    Location
    France, Paris
    Posts
    135

    So this is weird...

    I have a virtual machine (a W10 insider). When it's on, it takes the IP 192.168.1.7.
    But this machine is now OFF (for more than 12 hours).

    I still have this in the session viewer:
    [Attachment: ipen7.png]

    Also, why only external to external?
    And not there in the ARP table!

    I don't know what this IP is and where it's coming from! Strange, strange, strange!

  2. #22
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,498

    If the client interface is external, then that has to be a spoofed packet bouncing off your external interface and going elsewhere. The only way that's possible is if you've got a port forward that allows it. That, or your box has been compromised because you opened SSH to the world.

    Did you enable SSH to the world? Because if you did, it's time to pave that thing and reinstall.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #23
    Master Untangler

    The only port forward I have is for OpenVPN, and it's opened in my ISP router (not in Untangle).

    I don't have SSH enabled in Untangle either... nor elsewhere.

    "then that has to be a spoofed packet bouncing off your external interface and going elsewhere"
    What does that mean? (Remember, I'm not English!)
    Last edited by doudoufr; 01-31-2018 at 08:16 AM.

  4. #24
    Untangle Ninja sky-knight

    If someone has control of your router, it's possible for them to configure it to act in any means they wish.

    This particular session appears to be sourced from the outside of your network, reflecting off your external interface, and being sent off to a web server at 13.107.4.50, which belongs to Microsoft and is probably involved with Windows update.

    Again this is simply not possible unless someone or something has configured your Untangle to redirect the traffic.

    Did you enable HTTPS administration on your WAN?
    Did you enable SSH on your WAN?

    These aren't on by default, and these are the means someone gains control of your router. The only way to fix this issue is to reinstall; you have to assume your Untangle has been compromised.

  5. #25
    Master Untangler

    [Attachment: accessrule.png]

    I did not enable anything... it's the default settings.

    The only port forward I have is on my ISP router and it's for OpenVPN.

    [Attachment: openvpnport.png]
    Last edited by doudoufr; 01-31-2018 at 08:33 AM.

  6. #26
    Untangle Ninja sky-knight

    Then your Untangle isn't a router, it's a bridge. And all you're seeing here is something using .1.7 from somewhere outside the Untangle bridge. This device would be between the router and the Untangle.

  7. #27
    Master Untangler

    So it should appear in my router in the DHCP table... But... no...

    [Attachment: dhcporange.png]
    Last edited by doudoufr; 01-31-2018 at 08:52 AM.

  8. #28
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,135

    Quote, originally posted by doudoufr:
    "I have a virtual machine (a w10 insider). When it's on, it takes the ip 192.168.1.7"

    Okay, this is one place where the communication is breaking down, and it doesn't necessarily have anything to do with English.

    Unless I'm misunderstanding, earlier you insisted that there was no device on your network with the address 192.168.1.7. Now you tell us there is a virtual machine at that address (except it's currently shut down). Where did that VM get its address? Clearly not through the router's DHCP.

    So we're piecing together your network from your descriptions but it's not all adding up. That's a hindrance.

  9. #29
    Master Untangler

    The first time I saw this IP 192.168.1.7, the virtual machine didn't even exist.

    And yes, the VM takes its IP from the DHCP (as all my virtual machines do, or I misconfigured something...?)

    But anyway, this VM is OFF and even if it was ON, it should go through internal to external (like the rest of the network).
    Moreover, it should be in the ARP table...

    Maybe it's just a bug in the session viewer. It doesn't refresh well or something. And it keeps my virtual machine settings... (I don't know why...)
    Last edited by doudoufr; 01-31-2018 at 12:27 PM.
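
    The cross-check being done by hand in this thread (session viewer entries against the ARP table and the DHCP leases), written out as an added example that is not part of any post or of Untangle's own code. The record fields, the 192.168.1.0/24 subnet and all sample data are constructed assumptions.

```python
import ipaddress

# Assumed LAN subnet, inferred from the 192.168.1.7 address discussed in the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample data (not copied from the thread's screenshots).
SESSIONS = [
    {"client_intf": "external", "server_intf": "external",
     "client": "192.168.1.7", "server": "13.107.4.50"},
    {"client_intf": "internal", "server_intf": "external",
     "client": "192.168.1.20", "server": "13.107.4.50"},
    {"client_intf": "external", "server_intf": "internal",
     "client": "203.0.113.9", "server": "192.168.1.20"},
]
ARP_TABLE = {"192.168.1.1": "00:00:5e:00:53:01",
             "192.168.1.20": "00:00:5e:00:53:14"}
DHCP_LEASES = {"192.168.1.20": "desktop"}


def classify(session, arp, leases, lan=LAN):
    """Return the findings for one session whose client claims a LAN address."""
    findings = []
    client = ipaddress.ip_address(session["client"])
    if client not in lan:
        return findings  # ordinary outside client, nothing to cross-check
    if session["client_intf"] == "external":
        # A LAN address seen on the outside of the firewall or bridge.
        findings.append("lan-address-on-external-side")
        if session["server_intf"] == "external":
            findings.append("external-to-external")
    if session["client"] not in arp:
        findings.append("no-arp-entry")
    if session["client"] not in leases:
        # Also true for statically addressed hosts, so this is a hint only.
        findings.append("no-dhcp-lease")
    return findings


def triage(sessions, arp, leases):
    """Map (client, server) to findings, skipping sessions with none."""
    report = {}
    for s in sessions:
        found = classify(s, arp, leases)
        if found:
            report[(s["client"], s["server"])] = found
    return report
```

    A session carrying all four findings is the case discussed above: the address is in use somewhere on the external side of the box, and neither table on the inside knows it.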

  10. #30
    Untangle Ninja

    Quote, originally posted by doudoufr:
    "The first time I saw this IP in 192.168.1.7, the virtual machine didn't even exist."

    Did I miss where you told us about this important change, that you added a VM at this particular address?

    I’m having trouble keeping what the problem is straight. I feel like we went from an address that doesn’t exist and shows up in the session viewer to the very same address existing and not disappearing from the session viewer, with pictures of the DHCP table that never show the address that didn’t exist but now does, except it’s shut down. It’s probably just my old age, but I find all this confusing. I’ll let the younger minds solve whatever session problem is common to both scenarios.
