NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Log shows internet connected (WAN side) to private network?
Yesterday's emailed log file shows that the WAN side connected to a private network IP address 22 times in the span of about eight minutes. Here's a portion of the log entries:
[Internet connected] IP address: 184.166.*.*, Friday, Jun 09,2017 03:13:46 (masked real WAN side IP)
[Internet disconnected] Friday, Jun 09,2017 03:13:39
[Internet connected] IP address: 192.168.100.10, Friday, Jun 09,2017 03:13:11
[Internet connected] IP address: 192.168.100.10, Friday, Jun 09,2017 03:12:56
[Internet connected] IP address: 192.168.100.10, Friday, Jun 09,2017 03:12:39
[Internet connected] IP address: 192.168.100.10, Friday, Jun 09,2017 03:12:23
[Internet connected] IP address: 192.168.100.10, Friday, Jun 09,2017 03:12:07
[Internet connected] IP address: 192.168.100.10, Friday, Jun 09,2017 03:11:51
[Internet connected] IP address: 192.168.100.10, Friday, Jun 09,2017 03:11:35
[Internet connected] IP address: 192.168.100.10, Friday, Jun 09,2017 03:11:19
[Internet connected] IP address: 192.168.100.10, Friday, Jun 09,2017 03:11:03
...
I've been reading these logs for years and have never seen this activity before -- should I be concerned? Have I been hacked? I don't understand how an attempt to connect to the internet could connect to a private, non-routable IP address like that.
Hi RoaldOines,
What I meant by bridge mode is disabling the DHCP/router functionality of the gateway and letting it function as modem only (will not give out a private IP [192.168.100.10]).
Regards,
Dexter
Community Team
6 Replies
Hi RoaldOines,
1. What is the firmware version of the router?
2. What is the LAN IP that you have set for your network?
3. Is the router connected to a mode-router (gateway) or a stand-alone modem?
4. This is possibly during the boot up process only.
Regards,
Dexter
Community Team
Hi Dexter,
Thanks for the reply.
The firmware version is V1.0.4.8_10.0.77; the LAN IP is 192.168.1.1 (subnet mask 255.255.255.0); the router's connected to a Cisco cable modem model DPC3216 with an IP of 192.168.100.1 (noting the repeated internet connects in the log to 192.168.100.10).
When you say that it's possible only during the boot up process, are you referring to the cable modem's boot up or the R6300v2's boot up?
And this brings to mind something I've been wondering about for a while now: The R6300v2's logs used to attempt to identify the type of "attack" but now where the type used to be it just says "(null)" and gives a large negative integer, for example:
[DoS attack: (null)] (-1085517592) attack packets in last 20 sec from ip [192.168.1.199], Tuesday, Jun 06,2017 11:22:18 (most times the offending IP is not a non-routable one, but I assume those can be faked).
It's like there's a translation table missing in the firmware...
Hi RoaldOines,
I am referring to the boot up of the R6300v2. Does this behavior persist if you have the gateway set to bridge mode?
Regards,
Dexter
Community Team
Hi Dexter,
Thanks for the reply. Actually I haven't seen that original behavior (the R6300v2 connecting to the non-routable address on the WAN side) since that one time, so it hasn't persisted. And sorry, I don't know what "bridge mode" is.