Strange ICMP router advertisement messages

Dear FreeBSD users,

When running tcpdump -ni em0 on my PC connected behind my ISP home router I am seeing strange ICMP messages:
Code:
22:36:24.995924 IP 1.1.168.192 > 224.0.0.1: ICMP router advertisement lifetime 0 1: {192.168.1.1 0}, length 16
22:36:24.996187 IP 1.1.168.192 > 224.0.0.1: ICMP router advertisement lifetime 0 1: {192.168.1.1 0}, length 16
22:36:24.996423 IP 43.132.2.42 > 224.0.0.1: ICMP router advertisement lifetime 0 1: {42.2.132.43 0}, length 16
22:36:24.996737 IP 43.132.2.42 > 224.0.0.1: ICMP router advertisement lifetime 0 1: {42.2.132.43 0}, length 16
22:36:24.997798 IP 43.132.2.42 > 224.0.0.1: ICMP router advertisement lifetime 0 1: {42.2.132.43 0}, length 16
22:36:24.998060 IP 43.132.2.42 > 224.0.0.1: ICMP router advertisement lifetime 0 1: {42.2.132.43 0}, length 16
The IPv4 address of this router is 192.168.1.1, but I don't know the other IPv4 address 42.2.132.43.
The firewall of the ISP router is reported as activated when I look at its Web administration portal.

1. Why is the IP displayed by tcpdump(1) reversed?
2. Does this mean that some external device on the Internet can reach my internal network?
3. Does this mean that a device on my LAN or my ISP home router has been pwned?
 
A couple of data points:
- The messages are router advertisement messages, per RFC 1256. I am not really familiar with the RFC, but I just read through it, and I do not see anything about the source address being reversed.
- In the router advertisement messages, the router is advertising what IP addresses (in brackets) it hosts. The messages are sent to the multicast address 224.0.0.1.
- It would *appear* that there is a router with address 42.2.132.43 behind your firewall along with your PC. Could it be coming in through a Wi-Fi access point or something?
- According to Netcraft, 42.2.132.43 belongs to Hong Kong Telecommunications, AS4760.
- Is it possible you have a used device on your network that has a static address set to 42.2.132.43?

I will be very interested to hear the outcome of this.
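The RFC 1256 message discussed in the data points above can be decoded and checked directly rather than read off the tcpdump summary. The following is an added example in Python, not code from this thread: it builds constructed packets that mirror the capture (a source address that is the advertised router address with its bytes reversed), parses the IPv4 and ICMP type 9 headers, verifies both checksums, lists the advertised router addresses with their preference values, and flags the byte-reversed source as an anomaly. The helper names (build_router_advert, parse_router_advert, triage), the sample packets, and the reading of the reversal as a sender byte-order problem are my assumptions.

```python
"""Decode and sanity-check RFC 1256 ICMP Router Advertisements (type 9).

Added example, not from the forum thread. All packets below are constructed.
"""
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """Ones-complement checksum used by IPv4 and ICMP; returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advert(src_ip: str, dst_ip: str, routers, lifetime: int) -> bytes:
    """Construct an IPv4 packet carrying an ICMP type 9 advertisement (test data only).

    routers: list of (router_ip, preference); preference is a signed 32-bit value.
    """
    icmp = struct.pack("!BBHBBH", 9, 0, 0, len(routers), 2, lifetime)
    for addr, pref in routers:
        icmp += ipaddress.IPv4Address(addr).packed + struct.pack("!i", pref)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 1, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_router_advert(pkt: bytes) -> dict:
    """Parse IPv4 + ICMP type 9; raise ValueError on anything malformed."""
    ihl = (pkt[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if pkt[9] != 1:
        raise ValueError("not ICMP")
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    icmp = pkt[ihl:]
    typ, _code, _csum, num, entry_size, lifetime = struct.unpack("!BBHBBH", icmp[:8])
    if typ != 9:
        raise ValueError("not a router advertisement (ICMP type 9)")
    if entry_size != 2:  # RFC 1256: each entry is 2 x 32-bit words
        raise ValueError("unexpected address entry size %d" % entry_size)
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    routers = []
    off = 8
    for _ in range(num):
        addr = ipaddress.IPv4Address(icmp[off:off + 4])
        (pref,) = struct.unpack("!i", icmp[off + 4:off + 8])
        routers.append((str(addr), pref))
        off += 8
    # The oddity from the capture: IP-header source == advertised address, bytes reversed.
    reversed_src = str(ipaddress.IPv4Address(bytes(reversed(src.packed))))
    return {
        "src": str(src),
        "dst": str(dst),
        "lifetime": lifetime,  # 0 tells hosts to drop the advertised router(s)
        "routers": routers,
        "src_matches_router": any(a == str(src) for a, _ in routers),
        "src_is_reversed_router": any(a == reversed_src for a, _ in routers),
    }


def triage(packets) -> list:
    """One summary line per packet, with a verdict on the source address."""
    out = []
    for pkt in packets:
        adv = parse_router_advert(pkt)
        routers = ", ".join("%s(pref %d)" % (a, p) for a, p in adv["routers"])
        if adv["src_is_reversed_router"]:
            verdict = "ANOMALY: source is the advertised router address with bytes reversed"
        elif not adv["src_matches_router"]:
            verdict = "WARN: source is not among the advertised router addresses"
        else:
            verdict = "OK"
        out.append("%s -> %s lifetime %d: %s; %s"
                   % (adv["src"], adv["dst"], adv["lifetime"], routers, verdict))
    return out


# Constructed sample input modelled on the thread's capture plus one well-formed advert.
SAMPLE_PACKETS = [
    build_router_advert("1.1.168.192", "224.0.0.1", [("192.168.1.1", 0)], 0),
    build_router_advert("43.132.2.42", "224.0.0.1", [("42.2.132.43", 0)], 0),
    build_router_advert("10.0.0.1", "224.0.0.1", [("10.0.0.1", 0)], 1800),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_PACKETS):
        print(line)
```

To apply this to a real capture, feed it the IPv4 payload of each frame (for example, the bytes after the 14-byte Ethernet header of a pcap record); the checks are deliberately strict so a truncated or corrupted packet raises rather than yielding a misleading summary.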
 
After more investigation, those ICMP messages are coming from my ISP home router, which has an Ethernet MAC address starting with b4:e2:65.
This MAC belongs to Shenzhen SDMC Technology CO.,Ltd. - Shenzhen GUANGDONG - China.
I disabled WiFi, and the only device connected to this router is my FreeBSD PC with an Ethernet NIC using the Intel 82574L chip.
 
For information, I changed ISP some weeks ago, and in France home routers are supplied by the ISP. The router was updated at installation and rebooted by the ISP employee. I reorganized my home network, and that's why I am only seeing this now. Before, I had an isolated LAN behind my own FreeBSD router because some data could flow in clear text, like with NFS. I no longer need this, and that's why my FreeBSD box is now directly connected to the ISP home router.
 
Is the ISP modem in bridge mode? And what kind of home connection is it? Fibre, coax, xDSL?
It's a Fibre modem with a kind of NAT for shared IPv4 on the ISP side because of the lack of IPv4 addresses, but it's a bridge for a full IPv6 /64.
I captured a pcap file and loaded it with Wireshark and it is saying it is ICMP type 9 'Mobile IP Advertisement (Normal router advertisement)'.
 
It's a Fibre modem with a kind of NAT for shared IPv4 on the ISP side because of the lack of IPv4 addresses, but it's a bridge for a full IPv6 /64.
You might be picking up some multicast from the ISP's equipment. Or one of your neighbors has a badly configured device on the network.
 
On a French technical forum there is another guy who saw this ICMP message with the same ISP and the same router. So I think it is coming from the ISP's equipment. But what is the functionality?
 
What is your gateway on your PC? Is it set to 42.2.132.43, or something else. (If you don't want to reveal the whole thing, just the first couple of octets would be useful.)
 
Can you give more information about the router model and its firmware version?
FGW Fiber Gateway
Model: GR140CG
Hardware version: 3NTRGW21240S02
Software version: 3ENT010200R01B

What is your gateway on your PC? Is it set to 42.2.132.43, or something else. (If you don't want to reveal the whole thing, just the first couple of octets would be useful.)
/etc/rc.conf
Code:
defaultrouter="192.168.1.1"
ifconfig_em0="inet 192.168.1.18 netmask 255.255.255.0  -rxcsum -txcsum"
ifconfig_em0_ipv6="inet6 accept_rtadv"
ipv6_privacy="YES"

Code:
$ ifconfig em0
em0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4c524b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether 68:05:ca:xx:xx:xx
    inet 192.168.1.18 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0 prefixlen 64 scopeid 0x1
    inet6 2a02:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf pltime 750 vltime 750
    inet6 2a02:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf temporary pltime 750 vltime 750
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

$ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U           em0
192.168.1.18       link#2             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             link#2                        URS         lo0
default                           fe80::1%em0                   UG          em0
::1                               link#2                        UHS         lo0
::ffff:0.0.0.0/96                 link#2                        URS         lo0
2a02:xxxx:xxxx:xxxx::/64          link#1                        U           em0
2a02:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx link#2                  UHS         lo0
2a02:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx link#2                  UHS         lo0
fe80::%lo0/10                     link#2                        URS         lo0
fe80::%em0/64                     link#1                        U           em0
fe80::xxxx:xxxx:xxxx:xxxx%lo0     link#2                        UHS         lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
ff02::/16                         link#2                        URS         lo0
 
One more thought...

Is there an IP address that lets you talk directly to the modem? On Arris cable modems, it is 192.168.100.1, and it lets you see various configuration information, as well as the error log. It might be interesting to see if the modem (fiber gateway) knows about that address and is talking to it for any reason.

(I am accustomed to Arris cable modems that do not have built-in routers, so there is no API to configure them, just a read-only interface. From what I am seeing on the 'Net, the GR14CG may have an API for configuring the router that would make things easier for poking around.)
 
Is there an IP address that lets you talk directly to the modem?
I already inspected all the sections of the Web interface of this router (192.168.1.1) and set some parameters for my static DHCP leases, but I found nothing regarding those ICMP messages.
 
A couple of other possibilities... If your ISP's tech support is approachable, you might ask them. As a security-minded customer, you should have a right to know what strange IP addresses on your network are. You also might consider using nmap to do a portscan on that address, and see what ports are active. That might give you a clue what it is for. (And if ports like 80 or 8080 or 443 are open, you might go there with a browser and see what happens.)
 
I think it will be very difficult to get any technical information from this ISP's support. A lot of barriers between me and us.
Most technical information is supplied by dedicated forums.
 
I'm not surprised. I can get technical information from my ISP sometimes, but it is a real struggle to get through all the non-technical folks in customer support before I can actually talk to a technician.
 