G3100 Firewall Warning Message - Suspect IP Addresses

Praetorius

Troubleshooting a problem with wi-fi dropping on one device I checked the Firewall messages on my G3100. I saw Warning messages with suspect IP addresses the piqued my curiosity.

I am seeing a Warning message hundreds of times from two IP addresses. The sample below has a SRC IP address that is German. I'm concerned because as far as I know there is no reason for a device on my network be to routinely getting messages from a German IP address. I am also seeing the same error message code with a French IP address in the message.

The warning message says the packet is illegal. I'm not concerned about that. My concern is about the SRC. Do I have malware on some device? If so, how do I track down the device and the software that is the destination of the messages? Can I create a firewall rule to block these IPs?

The first MAC address in the long string after MAC looks like the MAC of my G3100. I don't understand why there are so many hex digits following that. Are these MAC addresses of what device?

Time	Event-Type	Log Level	Details
2020 Dec 27 11:48:01	kernel	warning	[FW] IPTABLES [Pkt_Illegal] IN=eth4.untag0 OUT= MAC=b8:f8:53:60:5c:f0:f4:b5:2f:05:a8:c7:08:00:45:00:00:28:00:00:40:00:36:06:07:b7:5f:d8:20:94 src=95.216.32.148 DST={edited for privacy} LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0 MARK=0x8000000

Cang_Household

When you say "WiFi dropping," do you mean the WiFi icon disappears on your mobile device? OR, the WiFi icon stays while the Internet connection goes out? If it is the former, that is indicative of a data-link connection problem. It may due to the access point built-into the G3100.

Illegal packets mean that the IP packet is malformed. The router drops the packet because it is useless. It does not rule out the possibility that an attacker deliberately manipulates IP packet to perform an attack. By default, the Firewall on your G3100 should be in the Medium Level, blocking all incoming traffic unless excepted in the Port Forward, Port Triggering, Remote Administration, DMZ, or TR-069. It should be robust enough to shield unwanted visitors.

The MAC address is weird. The first 6 octets shows the G3100 is made by Arcadyan. It makes sense because G3100 is made by Arcadyan. The second 6 octets shows the upstream device of your router is made by Juniper Networks. This makes sense too because Verizon's layer 3 network, immediately after the OLT, is using Juniper Networks routers. Then, what proceeds after that is probably unexplainable. Layer 2 addresses (MAC address) should not travel beyond a single network segment unless using some sort of layer 2 tunneling.

G3100 can log all outbound connections. You can check "Accepted Outgoing Connections" in the Firewall logging settings. G3100, however, cannot log all inbound connections for some reason. It can only log illegal packets.

Lastly, do not share your public IP address. That is dangerous and essentially telling the hackers that: hey, this is my IP address. You can change your public IP address by going to Broadband connection > Settings > Release > wait for 60 seconds. The Juniper Router in the central office should assign you a new IP.