Mysterious connections from Internet to LAN

mutluit · October 24, 2023, 7:08pm

Under “/ip firewall connection print” it shows some mysterious connections from Internet to an unknown LAN address 192.168.253.3.
The list below is from the console dump (D) when in “print”, b/c file=… creates just a an empty file (just some headers, but w/o these data).
And: there are much more columns but somehow the console dump (D in print) omits the other columns.
The other columns can be seen also in WebBrowser (ie. WebFig).

$ grep -i "192\.168\.253\.3" console-dump.txt
      C     tcp  34.160.144.191:443    192.168.253.3:36794   established
      C     tcp  34.160.144.191:443    192.168.253.3:36816   established
      C     tcp  142.251.209.138:443   192.168.253.3:36830   established
      C     tcp  18.155.153.128:443    192.168.253.3:58246   established
      C     tcp  34.160.144.191:443    192.168.253.3:36836   established
      C     tcp  34.160.144.191:443    192.168.253.3:36806   established
      C     tcp  34.160.144.191:443    192.168.253.3:36804   established
      C     tcp  34.149.100.209:443    192.168.253.3:44636   established
      C     tcp  34.160.144.191:443    192.168.253.3:36800   established
      C     tcp  35.244.181.201:443    192.168.253.3:56834   established
      C     tcp  18.155.153.128:443    192.168.253.3:58242   established
      C     tcp  142.250.181.202:443   192.168.253.3:34206   established
      C     tcp  34.117.65.55:443      192.168.253.3:36454   established
      C     tcp  34.160.144.191:443    192.168.253.3:36812   established
      C     tcp  34.117.65.55:443      192.168.253.3:36470   established
      C     tcp  34.160.144.191:443    192.168.253.3:36828   established
      C     tcp  34.160.144.191:443    192.168.253.3:36810   established
      C     tcp  142.250.181.202:443   192.168.253.3:34212   established
      C     tcp  35.201.103.21:443     192.168.253.3:41058   established
      C     tcp  34.160.144.191:443    192.168.253.3:36796   established
      C     tcp  34.160.144.191:443    192.168.253.3:36818   established
      C     tcp  34.149.100.209:443    192.168.253.3:44608   established
      C     tcp  34.160.144.191:443    192.168.253.3:36820   established
      C     tcp  18.155.153.53:443     192.168.253.3:48174   established
      C     tcp  34.160.144.191:443    192.168.253.3:36784   established
      C     tcp  34.117.65.55:443      192.168.253.3:36442   established
      C     tcp  192.229.221.95:80     192.168.253.3:39552   established
      C     tcp  142.250.181.202:443   192.168.253.3:34204   established

Anybody any clue what these entries are?
I neither have such a LAN (192.168.253.0) nor that IP 192.168.253.3 How can a connection have been established? A bug in ROS ?
Router where this is observed: hAPac2 with ROS 6.47.10. This router is attached to an uplink WAN router (ISP router).

[xxxxx@yyyyy] /ip address> /ping 192.168.253.3
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                         
    0 192.168.253.3                                           timeout                                                                                                                        
    1 192.168.253.3                                           timeout                                                                                                                        
    2 192.168.253.3                                           timeout                                                                                                                        
    3 192.168.253.3                                           timeout                                                                                                                        
    4 192.168.253.3                                           timeout                                                                                                                        
    sent=5 received=0 packet-loss=100%

k6ccc · October 24, 2023, 8:21pm

First guess is that you have something you don’t think you have. Export your config and post it.
To export and paste your configuration (and I’m assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) “/export hide-sensitive file=any-filename-you-wish”. Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.

nediis · October 24, 2023, 8:53pm

google, amazon …
maybe some smart speaker on the WAN side
errors in the config

mutluit · October 24, 2023, 9:07pm

I don’t have any port forwarding from the Internet to the LAN.
Does it mean the connection gets initiated from inside the LAN?

As said I have neither such a network 192.168.253.0 nor the said IP 192.168.253.3 .
Does this then mean that this IP is maybe internal on the router, ie. in ROS ?

k6ccc · October 24, 2023, 9:14pm

Yes, it could be something starting from a device on your LAN. However until you post your configuration, we are only guessing.

mutluit · October 24, 2023, 9:28pm

I just did “/ export file=my-export-all”, and searched in that file for “192.168.253”: there is nothing.
Just tell me: how else will you be able to find the reason?

I now have added 192.168.253.0/24 to my block list (that gets used in the firewall config), and have rebooted the router.
Now the said IP no longer shows up under /ip firewall connection
I’ll monitor this further.
I guess the uplink router (the WAN router of the ISP) maybe does its part too… Will check it too now…

anav · October 24, 2023, 9:36pm

As was stated, all this is opinion, because you have provided no facts.
Without a config, I wouldnt dream of wasting my time to answer.

mutluit · October 24, 2023, 9:51pm

Update:
It much looks like a routing bug on the uplink router (an AVM FritzBox “router” )…

k6ccc · October 24, 2023, 10:43pm

And a tiny piece of information leaks out - that there is an upstream router.

We’re not mind readers. We can only go on the information that YOU supply. We still don’t know what kind of router you have, what version of RouterOS you are using, or any network layout (other than now there is a FritzBox somewhere involved). Not much to go on.

And BTW, I can’t tell you number of times someone has checked their configuration and is certain that there can’t be anything wrong - only to finally post their config and various experts here come up with the actual solution in very short order. There are people here (I’m not one of them except for a few select topics) who are amazing at being able to read a configuration and find issues.

mutluit · October 24, 2023, 10:53pm

Hey @k6ccc, stop talking BS. All information was already given, you just lack to read it.
Apply some logic instead of brute-force idiocy.

Case is solved: it is the buggy uplink router of AVM: it simply has bugs when routing to more than one LAN. Ie. an ISP router for dumbos.
Now after removing the 2nd route entry in AVM router now also my other problem with packet losses is solved!

k6ccc · October 24, 2023, 10:58pm

Only in your mind. Damn near no useful information was given.

I’m done with you.

anav · October 25, 2023, 12:01am

No worries k6ccc, you were bang on!