Duplicate IP Address -> Spoof/Verizon???


Duplicate IP Address -> Spoof/Verizon???

Jay Hart-2
I'm now running my new router. Internal network is 192.168 based. I have two interfaces on my
router, one external, one internal.  Motherboard is a MITAC PDP11BICC using Realtek NICs.

I'm seeing a lot of messages in the log file regarding duplicate IP Addresses, specifically I'm
seeing:

/bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd

This translates to a Verizon MAC. My FIOS ONT is definitely Verizon.  What I'm struggling with is
what exactly is causing this message, and how to stop/resolve it.

When I run 'Arp -a' either internally from another box, or on the router itself, I'm not seeing
this MAC.

Hoping the list can provide some additional troubleshooting ideas.  Can this be some sort of spoof
attempt???

Thanks,

Jay


Re: Duplicate IP Address -> Spoof/Verizon???

Raul Miller
What do you have in your arp -a result for that 192.168.1.1 IP?

Does it look like a Verizon device?

If not, it’s probably the “problem”.

(I believe Verizon FIOS wants to live on that IP and wants to use DHCP to
issue addresses to the things it’s talking to.)


Raul

On Friday, September 7, 2018, Jay Hart <[hidden email]> wrote:

> I'm now running my new router. Internal network is 192.168 based. I have
> two interfaces on my
> router, one external, one internal.  Motherboard is a MITAC PDP11BICC
> using Realtek NICs.
>
> I'm seeing a lot of messages in the log file regarding duplicate IP
> Addresses, specifically I'm
> seeing:
>
> /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
>
> This translates to a Verizon MAC. My FIOS ONT is definitely Verizon.  What
> I'm struggling with is
> what exactly is causing this message, and how to stop/resolve it.
>
> When I run 'Arp -a' either internally from another box, or on the router
> itself, I'm not seeing
> this MAC.
>
> Hoping the list can provide some additional troubleshooting ideas.  Can
> this be some sort of spoof
> attempt???
>
> Thanks,
>
> Jay
>
>

Re: Duplicate IP Address -> Spoof/Verizon???

Jay Hart-2
The re1 (internal INT) MAC is 00:22:4d:d1:48:d5, which identifies itself as a MITAC International
Corp MAC and matches up with the motherboard vendor.

Using 'arp -a', I have yet to locate the 20:c0:47...  MAC on any of my machines. It's non-existent
as far as I am concerned, and yet I literally have hundreds of the "duplicate IP address" messages
in /var/log/messages.

'arp -a' (on the router) does show a Verizon MAC, but it's a different MAC than shown below...

Jay

> What do you have in your arp -a result for that 192.168.1.1 IP?
>
> Does it look like a Verizon device?
>
> If not, it’s probably the “problem”.
>
> (I believe Verizon FIOS wants to live on that IP and wants to use DHCP to
> issue addresses to the things it’s talking to.)
>
> —
> Raul
>
> On Friday, September 7, 2018, Jay Hart <[hidden email]> wrote:
>
>> I'm now running my new router. Internal network is 192.168 based. I have
>> two interfaces on my
>> router, one external, one internal.  Motherboard is a MITAC PDP11BICC
>> using Realtek NICs.
>>
>> I'm seeing a lot of messages in the log file regarding duplicate IP
>> Addresses, specifically I'm
>> seeing:
>>
>> /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
>>
>> This translates to a Verizon MAC. My FIOS ONT is definitely Verizon.  What
>> I'm struggling with is
>> what exactly is causing this message, and how to stop/resolve it.
>>
>> When I run 'Arp -a' either internally from another box, or on the router
>> itself, I'm not seeing
>> this MAC.
>>
>> Hoping the list can provide some additional troubleshooting ideas.  Can
>> this be some sort of spoof
>> attempt???
>>
>> Thanks,
>>
>> Jay
>>
>>
>



Re: Duplicate IP Address -> Spoof/Verizon???

Stuart Henderson
In reply to this post by Jay Hart-2
On 2018-09-07, Jay Hart <[hidden email]> wrote:

> I'm now running my new router. Internal network is 192.168 based. I have two interfaces on my
> router, one external, one internal.  Motherboard is a MITAC PDP11BICC using Realtek NICs.
>
> I'm seeing a lot of messages in the log file regarding duplicate IP Addresses, specifically I'm
> seeing:
>
> /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
>
> This translates to a Verizon MAC. My FIOS ONT is definitely Verizon.  What I'm struggling with is
> what exactly is causing this message, and how to stop/resolve it.
>
> When I run 'Arp -a' either internally from another box, or on the router itself, I'm not seeing
> this MAC.
>
> Hoping the list can provide some additional troubleshooting ideas.  Can this be some sort of spoof
> attempt???
>
> Thanks,
>
> Jay
>
>

Run "tcpdump -ne -i $interface ether host 20:c0:47:dc:27:dd" on the internal and
external interfaces; you should at least see which interface this is being sent
on, and might get some other clues as to what it is.

If you have a managed switch, you may be able to see which port it's coming from.

"ifconfig -A" from your router would give us a clearer picture of the configuration.


Re: Duplicate IP Address -> Spoof/Verizon???

Jay Hart-2
In reply to this post by Jay Hart-2

> On 2018-09-07, Jay Hart <[hidden email]> wrote:
>> I'm now running my new router. Internal network is 192.168 based. I have two interfaces on my
>> router, one external, one internal.  Motherboard is a MITAC PDP11BICC using Realtek NICs. I'm
>> seeing a lot of messages in the log file regarding duplicate IP Addresses, specifically I'm
>> seeing:
>> /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd This translates to
>> a Verizon MAC. My FIOS ONT is definitely Verizon.  What I'm struggling with is what exactly is
>> causing this message, and how to stop/resolve it. When I run 'Arp -a' either internally from
>> another box, or on the router itself, I'm not seeing this MAC.
>> Hoping the list can provide some additional troubleshooting ideas.  Can this be some sort of spoof
>> attempt???
>> Thanks,
>> Jay
> Run "tcpdump -ne -i $interface ether host 20:c0:47:dc:27:dd" on the internal and external
> interfaces, you should at least see which interface this is being sent on, and might get some
> other clues as to what it is.
> If you have a managed switch, you may be able to see which port it's coming from. "ifconfig -A"
> from your router would give us a clearer picture of the configuration.

I have five items below...

#1:
For the first time I managed to capture this MAC address, I got it from an internal machine. From
the captured behavior it seems that my gateway is getting cycled back and forth between two NICs.
The commands were issued like two minutes apart...

[xx]$ arp -a
_gateway (192.168.1.1) at 20:c0:47:dc:27:dd [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
? (192.168.1.29) at 00:80:77:e6:70:8e [ether] on enp2s0
[xx]$ arp -a
_gateway (192.168.1.1) at 00:22:4d:d1:48:d5 [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
? (192.168.1.29) at 00:80:77:e6:70:8e [ether] on enp2s0
[xx]$ arp -a
_gateway (192.168.1.1) at 20:c0:47:dc:27:dd [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
? (192.168.1.29) at 00:80:77:e6:70:8e [ether] on enp2s0

enp2s0 is the only interface on this machine and its gateway is 192.168.1.1, connected through a
switch.  The "correct" MAC for 192.168.1.1 (internal NIC on the router) SHOULD be
00:22:4d:d1:48:d5

#2:
-----ifconfig -A from the router------------------
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 4 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1476
        lladdr 00:22:4d:d1:48:d4
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 71.163.34.30 netmask 0xffffff00 broadcast 71.163.34.255
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:22:4d:d1:48:d5
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
        index 3 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
        index 5 priority 0 llprio 3
        groups: pflog

#3:
I'm attaching my pf.conf file. Maybe I messed something up, or you guys spot an issue.  I'm also
having issues with FTP-proxy, but that issue is for another thread.

[xx]$ more pf.conf
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

int_if = "re1"
ext_if = "re0"
www_ad =  "192.168.1.41"
proxy = "127.0.0.1"
icmp_types = "{ echoreq, unreach }"
table <martians> {127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}

set block-policy drop
set loginterface egress
set skip on lo0

#Protection
antispoof quick for { lo $int_if }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

#filter rules and anchor for ftp-proxy
anchor "ftp-proxy/*"

#rule needed to redirect ftp connection for ftp-proxy
pass log in quick proto tcp to port ftp rdr-to $proxy port 8021

#match rules
match out on egress inet from !(egress) to any nat-to (egress:0)

block in log
pass out quick

#next rule passes http-https traffic to the web/email server
pass in on egress inet proto tcp from any to (egress) port {80 443} rdr-to $www_ad synproxy state

#traceroute rule (for IPv4)
pass out on egress inet proto udp to port 33433 >< 33626 keep state

#next rule redirects smtp traffic to the email server
pass in on egress inet proto tcp from any to (egress) port 25 rdr-to $www_ad

#pass in certain types of ICMP traffic
pass in inet proto icmp all icmp-type $icmp_types

#pass traffic on internal network
pass in on $int_if

# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010
---end pf.conf-----------------

#4:
tcpdump: I saw two packets from the re1 (internal INT) interface running the command you suggested
above.  How can I capture that to a file I can copy/paste into an email?

#5:
/etc/mygate file
I had this as 192.168.1.1, but since I use 'dhcp' to get an address from Verizon, I commented out
the line. Could this be a potential source of the problem?  Should I reboot the box to see?
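The ARP flapping shown in item #1 (the gateway's MAC alternating between the MITAC NIC and the
unknown 20:c0:47 address) and the kernel's "duplicate IP address" lines in /var/log/messages are
two views of the same event. As an added example that is not part of this thread, the following
Python script parses both sources and reports which MACs claim which IP and how often the gateway
entry flapped. The syslog lines are constructed for the example; the arp -a snapshots are the ones
posted above; the two vendor prefixes are the ones the thread names and stand in for a real OUI
database.

```python
"""Correlate OpenBSD 'duplicate IP address' syslog lines with repeated 'arp -a'
snapshots from a LAN host to spot an IP being claimed by more than one station.
Added example; sample inputs below are constructed or copied from the thread."""
import re
from collections import Counter, defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Kernel line logged when another station answers ARP for one of our own addresses.
DUP_RE = re.compile(
    rf"duplicate IP address (?P<ip>\d+\.\d+\.\d+\.\d+) sent from ethernet (?P<mac>{MAC})",
    re.IGNORECASE,
)
# One line of Linux 'arp -a' output, e.g.
# "_gateway (192.168.1.1) at 20:c0:47:dc:27:dd [ether] on enp2s0"
ARP_RE = re.compile(rf"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>{MAC})", re.IGNORECASE)

# Assumption: tiny OUI table built only from the prefixes the thread identifies;
# a real deployment would consult an OUI database instead.
OUI_HINTS = {"20:c0:47": "Verizon", "00:22:4d": "MITAC"}

# Constructed syslog excerpt modelled on the message quoted in the thread.
SYSLOG_SAMPLE = """\
Sep  7 09:01:12 router /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
Sep  7 09:03:40 router /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
Sep  7 09:04:01 router dhcpd: DHCPACK on 192.168.1.29 to 00:80:77:e6:70:8e via re1
Sep  7 09:05:02 router /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
"""

# The three 'arp -a' runs posted in the thread, taken a couple of minutes apart.
ARP_SNAPSHOTS = [
    """_gateway (192.168.1.1) at 20:c0:47:dc:27:dd [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
? (192.168.1.29) at 00:80:77:e6:70:8e [ether] on enp2s0""",
    """_gateway (192.168.1.1) at 00:22:4d:d1:48:d5 [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
? (192.168.1.29) at 00:80:77:e6:70:8e [ether] on enp2s0""",
    """_gateway (192.168.1.1) at 20:c0:47:dc:27:dd [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
? (192.168.1.29) at 00:80:77:e6:70:8e [ether] on enp2s0""",
]

# MAC of the router's internal NIC (re1) as shown in the ifconfig output above.
EXPECTED_OWNER = {"192.168.1.1": "00:22:4d:d1:48:d5"}


def vendor_hint(mac):
    """Map the 24-bit OUI prefix of a MAC to a vendor label, or 'unknown'."""
    return OUI_HINTS.get(mac.lower()[:8], "unknown")


def parse_duplicate_ip_lines(text):
    """Return {ip: Counter({mac: occurrences})} for every duplicate-IP line."""
    claims = defaultdict(Counter)
    for line in text.splitlines():
        m = DUP_RE.search(line)
        if m:
            claims[m["ip"]][m["mac"].lower()] += 1
    return dict(claims)


def parse_arp_table(text):
    """Return {ip: mac} from a single 'arp -a' snapshot."""
    return {m["ip"]: m["mac"].lower() for m in map(ARP_RE.search, text.splitlines()) if m}


def arp_flaps(snapshots):
    """Return {ip: [mac per snapshot]} for IPs whose MAC changed across snapshots."""
    history = defaultdict(list)
    for snap in snapshots:
        for ip, mac in parse_arp_table(snap).items():
            history[ip].append(mac)
    return {ip: macs for ip, macs in history.items() if len(set(macs)) > 1}


def flap_count(macs):
    """Number of MAC changes between consecutive snapshots."""
    return sum(1 for a, b in zip(macs, macs[1:]) if a != b)


def findings(syslog_text, snapshots, expected_owner):
    """Human-readable list of conflicts from both evidence sources."""
    out = []
    for ip, counter in parse_duplicate_ip_lines(syslog_text).items():
        owner = expected_owner.get(ip, "")
        for mac, n in counter.most_common():
            out.append(f"{ip} claimed {n}x by {mac} ({vendor_hint(mac)}); "
                       f"configured owner {owner or 'unknown'} ({vendor_hint(owner)})")
    for ip, macs in arp_flaps(snapshots).items():
        out.append(f"{ip} flapped {flap_count(macs)}x between {sorted(set(macs))}")
    return out


if __name__ == "__main__":
    for line in findings(SYSLOG_SAMPLE, ARP_SNAPSHOTS, EXPECTED_OWNER):
        print(line)
```

Running it against real data means feeding /var/log/messages from the router and a few
`arp -a` runs from a LAN host; a conflict that shows up in both sources with the same foreign
MAC, as here, points at a second device answering ARP for the gateway address rather than at a
logging glitch.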


Re: Duplicate IP Address -> Spoof/Verizon???

Pierre Emeriaud
On Sat 8 Sept 2018 at 13:40, Jay Hart <[hidden email]> wrote:
> -----ifconfig -A from the router------------------
> re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:22:4d:d1:48:d5
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255


Some CPEs have 192.168.1.1 hardcoded as management ip address, even
though they are currently used as modem/bridges. Renumber your
internal subnet to some other private address space and see if the
logs go away.

One way to verify this theory is to configure another ip in that
subnet on re0, renumber re1 to 192.168.2.0/24 for example, and try
pinging 192.168.1.1.


Re: Duplicate IP Address -> Spoof/Verizon???

Jay Hart-2
> On Sat 8 Sept 2018 at 13:40, Jay Hart <[hidden email]> wrote:
>> -----ifconfig -A from the router------------------
>> re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>         lladdr 00:22:4d:d1:48:d5
>>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>
>
> Some CPEs have 192.168.1.1 hardcoded as management ip address, even
> though they are currently used as modem/bridges. Renumber your
> internal subnet to some other private address space and see if the
> logs go away.
>
> One way to verify this theory is to configure another ip in that
> subnet on re0, renumber re1 to 192.168.2.0/24 for example, and try
> pinging 192.168.1.1.
>
>
If I shifted to the 10.10.10.x network, would I set all my machines to use /24 subnet?

IOW, hostname.re1 would be
inet 10.10.10.x 255.255.255.0 NONE

I don't get why I would set up a second IP on re0, explain your thought process here...

I called Verizon and they stated that the ONT's MAC is not the MAC causing problems, and actually
told me it must be coming from my house.  I found my wife's PC had lost its network connection; I
have to use TL-PA4010 power adapters to get the last 10 feet of connections. I'm wondering if this
was causing the issue.  None of the MAC addresses for these devices are 20:c0:47:... though.  I
think this was just nit noise...

Jay


Re: Duplicate IP Address -> Spoof/Verizon???

Sebastian Benoit
Jay Hart([hidden email]) on 2018.09.08 12:06:03 -0400:

> > On Sat 8 Sept 2018 at 13:40, Jay Hart <[hidden email]> wrote:
> >> -----ifconfig -A from the router------------------
> >> re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >>         lladdr 00:22:4d:d1:48:d5
> >>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
> >
> >
> > Some CPEs have 192.168.1.1 hardcoded as management ip address, even
> > though they are currently used as modem/bridges. Renumber your
> > internal subnet to some other private address space and see if the
> > logs go away.
> >
> > One way to verify this theory is to configure another ip in that
> > subnet on re0, renumber re1 to 192.168.2.0/24 for example, and try
> > pinging 192.168.1.1.
> >
> >
> If I shifted to the 10.10.10.x network, would I set all my machines to use /24 subnet?

Yes. Classful routing was deprecated in 1993.


Re: Duplicate IP Address -> Spoof/Verizon???

Pierre Emeriaud
In reply to this post by Jay Hart-2
On Sat 8 Sept 2018 at 18:06, Jay Hart <[hidden email]> wrote:

>
> > On Sat 8 Sept 2018 at 13:40, Jay Hart <[hidden email]> wrote:
> >> -----ifconfig -A from the router------------------
> >> re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >>         lladdr 00:22:4d:d1:48:d5
> >>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
> >
> >
> > Some CPEs have 192.168.1.1 hardcoded as management ip address, even
> > though they are currently used as modem/bridges. Renumber your
> > internal subnet to some other private address space and see if the
> > logs go away.
> >

> I don't get why I would set up a second IP on re0, explain your thought process here...

This is to confirm or deny that the modem does have 192.168.1.1 as
management address. That could be an explanation for the duplicate IP
address message you're seeing.

You could just temporarily delete 192.168.1.1 from re1 to perform the
test, and only if it's successful (ie 192.168.1.1 on re0 answers to
pings) modify the IP configuration of re1 and renumber your lan.

This is one of the reasons why I tend to avoid using 192.168.0.0/24
and 192.168.1.0/24 as home lan addressing ranges.


Re: Duplicate IP Address -> Spoof/Verizon???

Jay Hart-2
> On Sat 8 Sept 2018 at 18:06, Jay Hart <[hidden email]> wrote:
>>
>> > On Sat 8 Sept 2018 at 13:40, Jay Hart <[hidden email]> wrote:
>> >> -----ifconfig -A from the router------------------
>> >> re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>> >>         lladdr 00:22:4d:d1:48:d5
>> >>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>> >
>> >
>> > Some CPEs have 192.168.1.1 hardcoded as management ip address, even
>> > though they are currently used as modem/bridges. Renumber your
>> > internal subnet to some other private address space and see if the
>> > logs go away.
>> >
>
>> I don't get why I would set up a second IP on re0, explain your thought process here...
>
> This is to confirm or deny that the modem does have 192.168.1.1 as
> management address. That could be an explanation for the duplicate IP
> address message you're seeing.
>
> You could just temporarily delete 192.168.1.1 from re1 to perform the
> test, and only if it's successful (ie 192.168.1.1 on re0 answers to
> pings) modify the IP configuration of re1 and renumber your lan.
>
> This is one of the reasons why I tend to avoid using 192.168.0.0/24
> and 192.168.1.0/24 as home lan addressing ranges.
>
>

Moved everything over to a 10.a.b.x subnet. It's all tested and working.  Now I can get back to seeing
about that duplicate IP address BS, but suspect that particular issue solved itself.




Re: Duplicate IP Address -> Spoof/Verizon???

Mikkel C. Simonsen
In reply to this post by Pierre Emeriaud
On 08-09-2018 at 14:47, Pierre Emeriaud wrote:

> On Sat 8 Sept 2018 at 13:40, Jay Hart <[hidden email]> wrote:
>> -----ifconfig -A from the router------------------
>> re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>          lladdr 00:22:4d:d1:48:d5
>>          inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>
>
> Some CPEs have 192.168.1.1 hardcoded as management ip address, even
> though they are currently used as modem/bridges. Renumber your
> internal subnet to some other private address space and see if the
> logs go away.
I have seen a cheap managed switch from Zyxel that decided to live on
192.168.1.1 after a power cut...

192.168.1.1 is the default address on a lot of stuff.