Block all subnets except 192.168.1.xxx subnet

Hello
I have discovered a vulnerability in my ISP. There is another router that seems to be connected to my local network that is not on the 192.168.1.1/24 subnet. This is not my router, nor is it in the home network at all.

It seems my ISP is actually forwarding the private network for some reasons I have no idea about. I want to block all the subnets except my main subnet, if I remember correctly. How can I do this?

Your request is very vague.

Where does the other router seem connected?
How did you realize it?
You want to block what from where to where?

1 Like

The other router seems to be connected to my local network @192.168.222.1. This router is not mine. I don't own it.

I realized it when a friend told me about it as he was making a full back trace scan on all the local IPs within 192.168.x.x. I was able to access its Login Page.

I want to block all the IPs ranging from 192.168.2.0 to 192.168.255.255 from accessing my 192.168.1.xxx network.

And how is OpenWrt connected to all that?

1 Like
  • I wouldn't describe this as simply "connected" - if so, then I'd advise that you simply disconnect it

For clarity, I think @trendy means the physical location of connection to the rogue device at 192.168.222.1 - basically, the question is: how would a malicious actor send traffic from 192.168.222.1?

  • Through a SET top box?
  • Coax adapters?
  • A fiber ONT in router mode?
  • An access point you don't control?
  • A friend sharing your WiFi?

Also:

  • How did you determine that device is a router?
  • How did you determine that it's "connected to your LAN at 192.168.222.1"?
  • If your network is 192.168.1.0/24, what are you seeing - i.e. what device dumped this traffic into your network?
  • Does this method to "see" have a way for you to display the MAC address of the device?

If you scanned those addresses, you may be reaching some equipment within the ISP's network - and unrelated to your perceived issue.

WTF...if a rogue device is on your LAN that's a physical security issue. Most importantly, you cannot use a router to block traffic on your Local Network, as it doesn't pass the router. We really need more details on how you see an IP from a different subnet - scanning on your LAN. I would advise blocking on that device.

👍

1 Like

It's strange that your ISP is forwarding private address space. So strange that I'd spend some time to figure out just where and what that router is, along with how you have access to it.

The OpenWrt firewall prevents incoming connections (except for some generally needed ICMP, DHCP, and IPv6 link-local packets) so it is unlikely that anyone "outside" can access your local network (edit: without explicitly allowing it with custom firewall rules).

I think that it is much more likely that the "rogue" device is on your network.

I would bet that you don't see 192.168.222.1 on your WAN interface if you run tcpdump.

I would also guess that the "scan" run was from a local machine, reinforcing that the rogue device is on your own network.

Getting its MAC address as well as any information about its OS would probably be helpful in physically locating the device and how it is connected.

Again. I have no physical access to this device. Perhaps this device is an ISP device as you have mentioned, but how the heck am I able to access its login page? It is a Mikrotik router and it is SSH-able too. Such a device shall not be accessible that easily. I can simply go to the web browser, type 192.168.222.1 and get a login page!

My friend is an expert and he was actually able to bypass the login page. He was able to connect to other devices on the internet from this device. It is obviously a security breach. He informed the ISP about this, but they are taking no measures to solve it.

Ask your friend:

  • How he suggests that the ISP is able to not only forward private address space to a public IP (yours), but that the Mikrotik is accepting connections on its "WAN" port for its internal network from such a connection, especially as in any rational setup, that is assigned a public IP address.

  • If he has confirmed with tcpdump that the connection is, in fact, being made through your router's "WAN" interface

As for blocking, three rules for your WAN zone/interface:

  • Drop all OUTPUT with a destination address of 192.168.0.0/16
  • Drop all INPUT with a source address of 192.168.0.0/16
  • Drop all FORWARD with a source address of 192.168.0.0/16

The latter two could be combined into a single INGRESS rule, but I don't know if that is supported through LuCI.

Yes. It is not seen. But again, it is accessible just from my web browser.

True. Just from my PC at 192.168.1.150

If it is not going through your ISP connection (on the "WAN" interface), then it is not your ISP.

It is on your own network.

1 Like

How do my friend and a couple of other people have the same issue? Same login page at the same IP? We share the same ISP but different regions.

If tcpdump isn't showing 192.168.222.1 on your WAN interface, it is then something in your own network.

Are you running a VPN (including tunnels, IPSEC or otherwise) of any sort?

Do you have any devices that are supplied by another party, such as VOIP, micro-cells, IoT controllers, ... ?


What does traceroute -n 192.168.222.1 show (might be tracert on Windows)?

2 Likes

My mistake. I am sorry, but it does show on tcpdump being accessed from my public IP. So stupid that I missed it with my eyes.

traceroute to 192.168.222.1 (192.168.222.1), 30 hops max, 38 byte packets
1 41.236.117.129 22.541 ms
2 10.45.10.43 34.613 ms
3 10.37.75.2 23.429 ms
4 10.37.107.137 27.450 ms
5 10.38.15.121 31.697 ms
6 10.37.87.149 26.667 ms
7 10.38.156.134 30.679 ms
8 192.168.222.1 30.694 ms

1 Like

I'm guessing you have "DS-Lite" from that trace. You don't really have a public IPv4 address with those. All the IPv4 is behind Carrier-Grade NAT (CGNAT) and is "an illusion".

I suspect that given that all intermediate steps are private addresses.

What subnet is your WAN interface assigned to?

In that case, the three rules I outlined above should work, assuming your "public" IP address isn't in the 192.168.0.0/16 net block.

This is the given public IP address 156.204.xxx.xxx/32
My LAN network is on 192.168.1.1/24

Because it could be upstream - inside their infrastructure network. From your trace, it definitely is.

Common for WISPs.

Oh! You already know this device is in your ISP's network? OK. As long as you run a firewall on your OpenWrt, the device should not be able to access your LAN. If you want to be more secure, you can also block the traffic as already noted.

Could be that this is some virtual router running at your next hop.

https://wiki.mikrotik.com/wiki/Manual:Virtualization

iptables -A OUTPUT -i eth1.2 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1.2 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth1.2 -s 192.168.0.0/16 -j DROP

Are these rules correct? Because I am still able to access it, which shall no longer be possible!
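The three WAN rules suggested earlier, written as /etc/config/firewall stanzas for OpenWrt's fw3 (iptables-based) firewall instead of ad-hoc iptables -A commands, which are flushed on the next firewall reload; this is an added example, not from the thread, and it assumes the default zone names lan and wan. The posted rules cannot stop the PC at 192.168.1.150 from reaching 192.168.222.1: iptables rejects -i in the OUTPUT chain, and the FORWARD rule matches packets with a private source, whereas the PC's packets leave towards a private destination, so a fourth LAN-to-WAN rule on dest_ip is included.

```uci
# Added example: drop RFC 1918 (192.168.0.0/16) traffic on the WAN side.
# Append to /etc/config/firewall, then run: /etc/init.d/firewall restart
# Assumes the default zone names 'lan' and 'wan'.

# 1. Forwarded traffic arriving from WAN with a private source address
config rule
	option name 'drop-fwd-rfc1918-from-wan'
	option src 'wan'
	option dest 'lan'
	option src_ip '192.168.0.0/16'
	option proto 'all'
	option family 'ipv4'
	option target 'DROP'

# 2. Traffic from WAN with a private source, addressed to the router itself
#    (no 'dest' option: fw3 treats this as an input rule)
config rule
	option name 'drop-in-rfc1918-from-wan'
	option src 'wan'
	option src_ip '192.168.0.0/16'
	option proto 'all'
	option family 'ipv4'
	option target 'DROP'

# 3. The router's own traffic to private addresses via WAN
#    (no 'src' option: fw3 treats this as an output rule)
config rule
	option name 'drop-out-rfc1918-to-wan'
	option dest 'wan'
	option dest_ip '192.168.0.0/16'
	option proto 'all'
	option family 'ipv4'
	option target 'DROP'

# 4. LAN hosts reaching private addresses through WAN. This is the rule
#    that stops 192.168.1.150 from opening 192.168.222.1; the posted
#    iptables FORWARD rule matched the source address instead. Safe as
#    long as the WAN address itself is not inside 192.168.0.0/16.
config rule
	option name 'drop-fwd-lan-to-rfc1918-via-wan'
	option src 'lan'
	option dest 'wan'
	option dest_ip '192.168.0.0/16'
	option proto 'all'
	option family 'ipv4'
	option target 'DROP'
```

After the restart, `iptables-save | grep 192.168.0.0/16` should list the four rules inside the zone chains, ahead of the generic zone accept rules.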

In this context it is important to know that, while private IP ranges like 192.168.x.x can and should not be routed to the "public internet", every network outfit can decide what this "public internet" actually is, and what is considered "internal."

It is not uncommon for your ISP to not outright drop private IP ranges. Because ... it might be an IP range they use themselves. At this point, you are still not in the "public" internet, you are still in your ISP's "local network." It is slightly worrisome that you can access a host at 192.168.222.1, that means it is not properly secured/firewalled ... but that is actually not your problem.

While you can access 192.168.222.1, they are not able to access your local network. No one outside of your local network even knows that 192.168.1.x is your local network, or where they would route requests to your 192.168.1.x hosts. All they see of your network is your external IP address. And as long as your firewall is in order (which, with OpenWrt, is the default), your network is safe from external access.

5 Likes

I agree with @takimata. You simply scanned the private 192 range and found equipment within your ISP's infrastructure. ISPs commonly use private ranges on their equipment to save their Public IP space for better usage. I'm still unsure why you think the device is reaching out to you, though.

While you seem to have in fact located a vulnerable device in their infrastructure - you and your friend are actually the persons accessing a device beyond your authorization. Informing your ISP is the most ethical option you had. As long as it's not reaching out to you, it's OK (not considering it may be a vulnerable router in the path).

2 Likes

This is actually what we both had done.
Thank you for all your efforts.

1 Like