OpenWrt router connected to 2 unfamiliar IPs?

Hi!
I have just set up an Archer C6 v2 (EU) with OpenWRT and it is connected with relayd to my main router which is running DD-WRT. The only device connected to it is a Risco security system but for some reason my DD-WRT router reports 2 outgoing requests from the OpenWRT router address - one to an IP in Switzerland and another to an IP in Germany.

The hostname of the Swiss IP is bluewin.ch and the hostname of the German IP is kashra-server.com.
Is it normal?

Are you running an official release or an official snapshot build of OpenWrt? What version?
What packages did you install on the router?

Can you confirm that the Risco security system itself is not responsible for the outgoing requests to those addresses (if you can disconnect the Risco system for a bit, or if you inspect the traffic to/from that device, you should be able to see what is happening)?

I am running an official release, 19.07.2.
I've installed relayd and luci-proto-relay.
I can confirm that the security system is not responsible for these connections; I've disconnected it and there were still connections to foreign IPs. I've also noticed connections to an IP in Canada (hostname: serenity.baxterit.net) and another IP in Germany (this time the IP was linked to Dresden University of Technology - what??)

Normally, I'd suggest that there could be a configuration issue, but if there really is something being initiated via that device, it could be happening in places we aren't likely to look.

Two more ideas...

  1. Remove it from the network entirely (just unplug power) and see if the connections stop -- if they do, it is obviously something either in the router, or connecting through the router. If they don't stop, it is DD-WRT incorrectly associating some other traffic with your OpenWrt wifi relay.

  2. If it is conclusively your OpenWrt installation, reset it to defaults. Maybe even re-download the OpenWrt image directly from the downloads.openwrt.org page and re-flash. Test with the device connected as a downstream router (i.e. LAN from main router > WAN of this one; you might need to change the IP address range of the LAN). Check to see if there are outbound connections happening when the device is really just essentially idle (nothing else connected). Then add the relayd packages and see if anything changes. Complete your configuration and again, keep an eye on outbound connections (all of this time, nothing connected to the OpenWrt router). Finally, connect your security system again and see what happens.

From where are you investigating? From a PC with viruses, or from a clean one, e.g. an Ubuntu Linux live ISO?
Unplug all other devices besides the virus-free workstation and then look again.

I don't have any PCs with viruses. It's also worth noting that the Archer C60 is brand new.
@psherman Thanks, I'm gonna try it now.

A tcpdump on the main router would provide more insight on the culprit.

I've just reset my OpenWRT router and without any packages installed I can still see traffic to unknown IPs (different IPs this time but still foreign), source is the WAN IP. I can see the traffic in both DD-WRT and in OpenWRT Realtime Graphs > Connections.

I really don't understand what's going on, it happens with a clean install too :frowning:
Any more ideas would be appreciated

I'd say it is opkg, but unless you run a tcpdump we won't be certain.

That actually makes sense and would be reassuring if so, I was freaking out that my network might have somehow been compromised.
I'm sorry for asking a newbie question, but how can I run a tcpdump with LuCI? Do I need to run tcpdump from a terminal emulator?

There is no tcpdump in LuCI as far as I know.
If you have Linux you can run it remotely and view the capture in Wireshark:

ssh root@openwrt.lan tcpdump -i eth1 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -

Change openwrt.lan and eth1 accordingly.
Otherwise run tcpdump on the router directly:

tcpdump -i eth1 -env not port 22

Just to confirm, you did get your build from here, right? (sysupgrade link, or factory

Try re-flashing just for good measure.

And use tcpdump + WireShark as suggested by @trendy.

I got it from here
openwrt-19.07.2-ath79-generic-tplink_archer-c6-v2-squashfs-factory.bin

NTP is also conceivable.

That would be my guess too.

See also https://www.robtex.com/ip-lookup/2607:5300:201:3100::ec -> supports the NTP suspicion

Thanks guys! I was freaking out and thanks to all of you it seems like it's safe to say that NTP was the culprit.
I ran a tcpdump filtering the WAN IP and along with lots of other stuff, this came up (I can post the full tcpdump if needed)

19:22:10.408336 IP 192.168.1.139.35465 > 89.221.214.130.123: NTPv4, Client, length 48
19:22:10.499737 IP 89.221.214.130.123 > 192.168.1.139.35465: NTPv4, Server, length 48
19:22:11.501314 IP 192.168.1.139.48444 > 185.162.249.53.123: NTPv4, Client, length 48
19:22:11.501538 IP 192.168.1.139.59230 > 149.210.142.45.123: NTPv4, Client, length 48
19:22:11.501739 IP 192.168.1.139.54882 > 195.186.1.101.123: NTPv4, Client, length 48
19:22:11.578611 IP 149.210.142.45.123 > 192.168.1.139.59230: NTPv4, Server, length 48
19:22:11.579390 IP 195.186.1.101.123 > 192.168.1.139.54882: NTPv4, Server, length 48
19:22:11.584284 IP 185.162.249.53.123 > 192.168.1.139.48444: NTPv4, Server, length 48

For instance, 195.186.1.101 is the bluewin IP from Switzerland.
So.. is it time for me to calm down and start using my wireless bridge? :sweat_smile:

Also - is it possible to make the router retrieve the time from the NTP server in the country it needs instead of checking the time around the globe?
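
The manual reading of the tcpdump output above scales badly once a capture has "lots of other stuff" in it. The script below is an added example, not code from this thread or from the OpenWrt project: it parses numeric tcpdump text (the format produced with -n, as in the lines posted above), groups everything the router's address sends by remote endpoint, counts replies, labels the well-known ports (123 is NTP, 53 is DNS) and lists the endpoints that are not explained by a well-known service. The sample capture embeds the eight NTP lines from the post plus two constructed TCP lines to 203.0.113.x (documentation addresses, not real hosts) and one ARP line, so it runs offline; the address 192.168.1.139 is the router's address as it appears in the post.

```python
"""Summarize outbound flows from a tcpdump -n text capture (added example)."""
import re

# One numeric (tcpdump -n) IPv4 line looks like:
#   19:22:10.408336 IP 192.168.1.139.35465 > 89.221.214.130.123: NTPv4, Client, length 48
# Lines that are not IPv4 (ARP, "IP6", truncated lines) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Destination ports an idle router is expected to talk to (NTP, DNS) or that are
# at least recognisable; anything else is reported as "unknown".
WELL_KNOWN = {123: "ntp", 53: "dns", 443: "https", 80: "http", 22: "ssh"}

# Constructed sample capture: the eight NTP lines posted in the thread, two TCP
# SYNs to TEST-NET-3 addresses (203.0.113.0/24) invented for this example, and
# one ARP line that the parser must ignore.
SAMPLE = """\
19:22:10.408336 IP 192.168.1.139.35465 > 89.221.214.130.123: NTPv4, Client, length 48
19:22:10.499737 IP 89.221.214.130.123 > 192.168.1.139.35465: NTPv4, Server, length 48
19:22:11.501314 IP 192.168.1.139.48444 > 185.162.249.53.123: NTPv4, Client, length 48
19:22:11.501538 IP 192.168.1.139.59230 > 149.210.142.45.123: NTPv4, Client, length 48
19:22:11.501739 IP 192.168.1.139.54882 > 195.186.1.101.123: NTPv4, Client, length 48
19:22:11.578611 IP 149.210.142.45.123 > 192.168.1.139.59230: NTPv4, Server, length 48
19:22:11.579390 IP 195.186.1.101.123 > 192.168.1.139.54882: NTPv4, Server, length 48
19:22:11.584284 IP 185.162.249.53.123 > 192.168.1.139.48444: NTPv4, Server, length 48
19:22:12.000000 IP 192.168.1.139.51234 > 203.0.113.10.443: Flags [S], seq 1234, win 64240, length 0
19:22:12.100000 IP 192.168.1.139.44321 > 203.0.113.20.4444: Flags [S], seq 5678, win 64240, length 0
19:22:12.200000 ARP, Request who-has 192.168.1.1 tell 192.168.1.139, length 28
""".splitlines()


def parse_line(line):
    """Parse one tcpdump -n IPv4 line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def summarize_outbound(lines, local_ip):
    """Group packets by remote (ip, port) for traffic that local_ip sends.

    A packet coming back from a remote endpoint is counted as a reply only if
    local_ip has already been seen sending to that endpoint; unsolicited
    inbound traffic is ignored, since the question is what the router initiates.
    """
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src"] == local_ip:
            key = (pkt["dst"], pkt["dport"])
            flow = flows.setdefault(key, {
                "service": WELL_KNOWN.get(pkt["dport"], "unknown"),
                "sent": 0,
                "replies": 0,
                "first_seen": pkt["ts"],
                "detail": pkt["rest"],   # tcpdump's protocol decode of the first packet
            })
            flow["sent"] += 1
        elif pkt["dst"] == local_ip:
            key = (pkt["src"], pkt["sport"])
            if key in flows:
                flows[key]["replies"] += 1
    return flows


def unexplained(flows):
    """Remote endpoints worth a closer look: destination port is not a well-known service."""
    return sorted(key for key, flow in flows.items() if flow["service"] == "unknown")


def report(flows):
    """One human-readable summary line per remote endpoint."""
    out = []
    for (ip, port), flow in sorted(flows.items()):
        out.append("%-16s port %-5d %-8s sent=%d replies=%d  (%s)"
                   % (ip, port, flow["service"], flow["sent"], flow["replies"], flow["detail"]))
    return out


if __name__ == "__main__":
    flows = summarize_outbound(SAMPLE, "192.168.1.139")
    print("\n".join(report(flows)))
    print("unexplained:", unexplained(flows))
```

To use it on a real capture, save numeric tcpdump text to a file (for example tcpdump -n -i eth1 'host 192.168.1.139 and not port 22' > capture.txt on the box that sees the traffic) and pass open("capture.txt") instead of SAMPLE. In the sample, the four NTP servers come out labelled ntp with one reply each, the 443 flow is labelled https, and only the constructed 203.0.113.20:4444 flow lands in the unexplained list, which is the kind of entry that would justify the worry expressed earlier in the thread.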

Sure, see https://openwrt.org/docs/guide-user/advanced/ntp_configuration#regional_ntp_pulls
