Hi!
I have just set up an Archer C6 v2 (EU) with OpenWRT and it is connected with relayd to my main router which is running DD-WRT. The only device connected to it is a Risco security system but for some reason my DD-WRT router reports 2 outgoing requests from the OpenWRT router address - one to an IP in Switzerland and another to an IP in Germany.
The hostname of the Swiss IP is bluewin.ch
and the hostname of the German IP is kashra-server.com
Is it normal?
Are you running an official release or an official snapshot build of OpenWrt? What version?
What packages did you install on the router?
Can you confirm that the Risco security system itself is not responsible for the outgoing requests to those addresses (if you can disconnect the Risco system for a bit, or if you inspect the traffic to/from that device, you should be able to see what is happening)?
I am running an official release, 19.07.2.
I've installed relayd and luci-proto-relay.
I can confirm that the security system is not responsible for these connections, I've disconnected it and there were still connections to foreign IPs. I've also noticed connections to an IP in Canada (Hostname: serenity.baxterit.net)
and another IP in Germany (this time the IP was linked to Dresden University of Technology - what??)
Normally, I'd suggest that there could be a configuration issue, but if there really is something being initiated via that device, it could be happening in places we aren't likely to look.
Two more ideas...
Remove it from the network entirely (just unplug power) and see if the connections stop -- if they do, it is obviously something either in the router, or connecting through the router. If they don't stop, it is DD-WRT incorrectly associating some other traffic with your OpenWrt wifi relay.
If it is conclusively your OpenWrt installation, reset it to defaults. Maybe even re-download the OpenWrt image directly from the downloads.openwrt.org page and re-flash. Test with the device connected as a downstream router (i.e. LAN from main router > WAN of this one; you might need to change the IP address range of the LAN). Check to see if there are outbound connections happening when the device is really just essentially idle (nothing else connected). Then add the relayd packages and see if anything changes. Complete your configuration and again, keep an eye on outbound connections (all of this time, nothing connected to the OpenWrt router). Finally, connect your security system again and see what happens.
From where are you investigating? From a PC with viruses, or a clean one, e.g. an Ubuntu Linux live ISO?
Unplug all other devices besides the virus-free workstation and then look again.
I've just reset my OpenWRT router and without any packages installed I can still see traffic to unknown IPs (different IPs this time but still foreign), source is the WAN IP. I can see the traffic in both DD-WRT and in OpenWRT Realtime Graphs > Connections.
I really don't understand what's going on; it happens with a clean install too.
Any more ideas would be appreciated
That actually makes sense and would be reassuring if so, I was freaking out that my network might have somehow been compromised.
I'm sorry for asking a newbie question, but how can I run a tcpdump with LuCI? Do I need to execute tcpdump from a terminal emulator?
Thanks guys! I was freaking out and thanks to all of you it seems like it's safe to say that NTP was the culprit.
I ran a tcpdump filtering the WAN IP and along with lots of other stuff, this came up (I can post the full tcpdump if needed)
19:22:10.408336 IP 192.168.1.139.35465 > 89.221.214.130.123: NTPv4, Client, length 48
19:22:10.499737 IP 89.221.214.130.123 > 192.168.1.139.35465: NTPv4, Server, length 48
19:22:11.501314 IP 192.168.1.139.48444 > 185.162.249.53.123: NTPv4, Client, length 48
19:22:11.501538 IP 192.168.1.139.59230 > 149.210.142.45.123: NTPv4, Client, length 48
19:22:11.501739 IP 192.168.1.139.54882 > 195.186.1.101.123: NTPv4, Client, length 48
19:22:11.578611 IP 149.210.142.45.123 > 192.168.1.139.59230: NTPv4, Server, length 48
19:22:11.579390 IP 195.186.1.101.123 > 192.168.1.139.54882: NTPv4, Server, length 48
19:22:11.584284 IP 185.162.249.53.123 > 192.168.1.139.48444: NTPv4, Server, length 48
For instance, 195.186.1.101 is the bluewin IP from Switzerland.
So... is it time for me to calm down and start using my wireless bridge?
Also - is it possible to make the router retrieve the time from the NTP server in the country it needs instead of checking the time around the globe?
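As an added example (not from this thread or from OpenWrt), a small Python script that does by hand what the tcpdump post above did by eye: it groups the capture into outbound flows from the router, checks that each request got a reply from the same peer, and labels the ones a well-known destination port explains, leaving the rest as the destinations worth a closer look. The capture lines and the router address 192.168.1.139 are taken from the post; the port-to-service table is an assumption.

```python
import re
from collections import defaultdict

# Sample input: the tcpdump lines posted in the thread (router = 192.168.1.139).
SAMPLE_CAPTURE = """\
19:22:10.408336 IP 192.168.1.139.35465 > 89.221.214.130.123: NTPv4, Client, length 48
19:22:10.499737 IP 89.221.214.130.123 > 192.168.1.139.35465: NTPv4, Server, length 48
19:22:11.501314 IP 192.168.1.139.48444 > 185.162.249.53.123: NTPv4, Client, length 48
19:22:11.501538 IP 192.168.1.139.59230 > 149.210.142.45.123: NTPv4, Client, length 48
19:22:11.501739 IP 192.168.1.139.54882 > 195.186.1.101.123: NTPv4, Client, length 48
19:22:11.578611 IP 149.210.142.45.123 > 192.168.1.139.59230: NTPv4, Server, length 48
19:22:11.579390 IP 195.186.1.101.123 > 192.168.1.139.54882: NTPv4, Server, length 48
19:22:11.584284 IP 185.162.249.53.123 > 192.168.1.139.48444: NTPv4, Server, length 48
"""

# Matches the "IP src.port > dst.port:" prefix of tcpdump's default IPv4 output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
)

# Assumed table of destination ports that explain an idle router's traffic.
KNOWN_SERVICES = {123: "NTP (time sync)", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


def summarize(capture, router_ip):
    """Group traffic into flows keyed by (peer_ip, peer_port) as seen from router_ip.

    Returns {(peer_ip, peer_port): {"requests": n, "replies": m, "service": label}}.
    """
    flows = defaultdict(lambda: {"requests": 0, "replies": 0, "service": "unexplained"})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip ARP, IPv6 and other lines this parser does not handle
        if m["src"] == router_ip:            # router -> peer: a request
            key = (m["dst"], int(m["dport"]))
            flows[key]["requests"] += 1
        elif m["dst"] == router_ip:          # peer -> router: a reply
            key = (m["src"], int(m["sport"]))
            flows[key]["replies"] += 1
        else:
            continue                         # traffic not involving the router
        flows[key]["service"] = KNOWN_SERVICES.get(key[1], "unexplained")
    return dict(flows)


def unexplained(flows):
    """Peers no well-known service accounts for: the ones to investigate further."""
    return sorted(peer for peer, info in flows.items() if info["service"] == "unexplained")
```

Run `summarize(SAMPLE_CAPTURE, "192.168.1.139")` on the posted capture and every peer comes back as NTP with one request and one reply, which is the benign picture the thread arrived at; a peer on an unlisted port, or one the router keeps contacting without ever getting a reply, is what would stand out.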