78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

Rogue IP on Lan?

Fri Dec 10, 2021 1:12 am

Hello,

I am looking for some guidance on how to isolate what may appear to be a rogue IP/Client lingering in my network.

My DHCP network is configured as the following:
172.20.30.0/25

IP Pool is configured as:
172.20.30.10-172.20.30.100

On my Firewall/Connections, I am seeing multiple source clients on the LAN attempting to reach what appears to be the following IP/port within my network.

172.20.30.127:137
172.20.30.127:138

Examples below:
/ip firewall connection> print
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 #          PROTOCOL SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT     ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS      ORIG-BYTES      REPL-BYTES
 
125    C     udp      172.20.30.96:138      172.20.30.127:138                 3s               0bps      0bps            2            0             440               0
126    C     udp      172.20.30.96:137      172.20.30.127:137                 3s               0bps      0bps            4            0             312               0
343    C     udp      172.20.30.57:59957    172.20.30.127:15600               8s               0bps      0bps            1            0              63               0
198    C     udp      172.20.30.57:33124    172.20.30.127:15600               3s               0bps      0bps            1            0              63               0
102    C     udp      172.20.30.20:137      172.20.30.127:137                 3s               0bps      0bps            1            0              96               0

Given that NetBIOS operates on 137/138, I thought to myself, could there be something bigger going on here, given that the destination IP of 172.20.30.127 does not exist in my IP pool? I went as far as disabling NetBIOS on my network by adding the DHCP option below and applying it to my DHCP network configuration, to no avail. The option appears to be functioning, but the requests continue on my firewall. I may be taking the wrong approach here but would appreciate anyone's input.
/ip dhcp-server option> print
 # NAME                                                          CODE VALUE                                                          RAW-VALUE                                                         
 0 microsoft-disable-netbios-option                                43 0x010400000002                                                 010400000002     
Last edited by 78151920 on Fri Dec 10, 2021 2:02 am, edited 1 time in total.
 
bpwl
Forum Guru
Posts: 2985
Joined: Mon Apr 08, 2019 1:16 am

Re: Rogue IP on Lan?

Fri Dec 10, 2021 1:47 am

Not really rogue IP. In the 172.20.30.0/25 network, 172.20.30.127 is the broadcast address. (Like 172.20.30.255 is for a 172.20.30.0/24 network)

So your devices are playing NBT (NetBIOS over TCP). Ports 137/138/139 are in use for that. The newer Windows SMB protocol uses port 455.
With "playing" I mean they are trying to find all NetBIOS names in the network. They will also elect a "NetBIOS master browser".
There is a lot of broadcast to do that, unless there is a WINS server defined. (A WINS server is legacy software for resolving NetBIOS names, as DNS does for IP host names.)
Samba on Linux also uses the Windows SMB protocol.


To disable NetBIOS (over TCP) you must set this in all client devices and servers (or, in an enterprise network, if you have a Windows AD server, the setting can be pushed by group policies).

Even when sending out that option over DHCP, the clients still need to be set to listen for/use that option: https://docs.microsoft.com/en-us/troubl ... using-dhcp
Stopping 137 and 138 at the firewall is OK (broadcast is normally not forwarded anyway). Don't send it to the WAN; that makes no sense.
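As an added illustration of the two points in this answer (not code from the thread or from MikroTik): the script below computes the broadcast address of the /25 from the original post, labels each destination in the quoted connection-table rows as broadcast, pool host, LAN host outside the pool, or outside the LAN, and decodes the option 43 RAW-VALUE into its vendor sub-options. The sample rows are constructed from the output quoted above; the label names are my own.

```python
import ipaddress
import re

# Constructed sample, copied from the /ip firewall connection output quoted above
CONNECTIONS = """\
125    C     udp      172.20.30.96:138      172.20.30.127:138                 3s
126    C     udp      172.20.30.96:137      172.20.30.127:137                 3s
343    C     udp      172.20.30.57:59957    172.20.30.127:15600               8s
102    C     udp      172.20.30.20:137      172.20.30.127:137                 3s
"""
LAN = ipaddress.ip_network("172.20.30.0/25")      # DHCP network from the post
POOL_LO = ipaddress.ip_address("172.20.30.10")     # DHCP pool bounds from the post
POOL_HI = ipaddress.ip_address("172.20.30.100")
NBT_PORTS = {137, 138, 139}                        # NetBIOS over TCP/IP
# index, flags, protocol, src:port, dst:port (rest of the row is ignored)
ROW = re.compile(r"^\s*\d+\s+\S+\s+\w+\s+(\S+):(\d+)\s+(\S+):(\d+)")

def classify(dst: str, dport: int) -> str:
    """Explain a destination address seen in the connection table of this LAN."""
    addr = ipaddress.ip_address(dst)
    if addr == LAN.broadcast_address:
        # Last address of the /25 (.127) is the subnet broadcast, not a host
        return "broadcast:nbt" if dport in NBT_PORTS else "broadcast:other"
    if addr not in LAN:
        return "outside-lan"
    if POOL_LO <= addr <= POOL_HI:
        return "pool-host"
    return "lan-host-outside-pool"   # static address or stale lease: worth a look

def triage(table: str) -> list:
    """Parse connection-table rows and label each destination."""
    rows = []
    for line in table.splitlines():
        m = ROW.match(line)
        if m:
            src, _sport, dst, dport = m.groups()
            rows.append((src, dst, int(dport), classify(dst, int(dport))))
    return rows

def decode_option43(raw_hex: str) -> dict:
    """Split a DHCP option 43 RAW-VALUE into vendor sub-options (code -> value).

    For the Microsoft vendor class, sub-option 1 with value 0x00000002 means
    'NetBIOS over TCP/IP disabled', which is what the posted option carries.
    """
    data, subs, i = bytes.fromhex(raw_hex), {}, 0
    while i + 2 <= len(data):
        code, length = data[i], data[i + 1]
        subs[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return subs
```

Running `triage(CONNECTIONS)` labels every quoted row as broadcast traffic, so the .127 destination needs no host to exist in the pool; a row labelled `lan-host-outside-pool` would be the one worth chasing.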
 
78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

Re: Rogue IP on Lan?

Fri Dec 10, 2021 2:01 am

Makes sense, thanks for the clarification!
