shiftctrl
Aug 02, 2019 Aspirant
NightHawk R7800 Router is Assigned two IPs
Hi All, I just ran an nmap scan of a network and noticed the router is assigned two IPs (10.0.0.1 and 10.0.32.1). Scanning open ports on 10.0.0.1 shows there are a couple extra ports open compared to...
- Aug 06, 2019
Which of the two addresses fits into your LAN TCP/IP subnet? Post a screenshot of the Advanced home - in case that IP does show up. Here the Nighthawk is connected to a WWAN (LTE) mobile provider, assigning RFC1918 addresses (yes, nowadays we can consider this as abuse of these IP addresses - but I'm not interested in hunting Swisscom):
The other suspicion is that the other IP belongs to the OpenVPN related tun0 interface - that's the IP used for a many2one NAT for OpenVPN clients accessing the router via the NATed tun (not the bridged tap). Unfortunately, this IP is nowhere visible in the Nighthawk Web UI. Different LAN subnet here than on your router - but you are a Linux person and get the idea:
This address is also accessible from the LAN, e.g. by using a Web browser:
For your comparison:
# nmap 192.168.10.254
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-06 11:54 Mitteleuropäische Sommerzeit
Nmap scan report for 192.168.10.254
Host is up (0.0027s latency).
Not shown: 983 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
548/tcp open afp
631/tcp open ipp
3333/tcp open dec-notes
5555/tcp open freeciv
8081/tcp open blackice-icecap
8200/tcp open trivnet1
10000/tcp open snet-sensor-mgmt
20005/tcp filtered btx
49152/tcp open unknown
49153/tcp open unknown
MAC Address: A0:04:60:xx:xx:xx (Netgear)
Nmap done: 1 IP address (1 host up) scanned in 4.59 seconds
# nmap 192.168.11.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-06 11:54 Mitteleuropäische Sommerzeit
Nmap scan report for 192.168.11.1
Host is up (0.0027s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
548/tcp open afp
631/tcp open ipp
3333/tcp open dec-notes
5555/tcp open freeciv
8081/tcp open blackice-icecap
8200/tcp open trivnet1
20005/tcp filtered btx
Nmap done: 1 IP address (1 host up) scanned in 4.89 seconds
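The comparison of the two scans above, as an added example that is not part of the original post: a small parser for nmap's normal output that lists the ports open on one address but not on the other. The function names are made up for this example, and the embedded sample is abridged from the two scans in the post.

```python
import re

# "Nmap scan report for <host>" opens each host section of nmap's normal output.
REPORT = re.compile(r"^Nmap scan report for (\S+)")
# One row of the port table, e.g. "23/tcp open telnet".
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Abridged from the two scans in the post above: the rows left out are ports
# that are open on both addresses.
SAMPLE = """\
Nmap scan report for 192.168.10.254
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
10000/tcp open snet-sensor-mgmt
20005/tcp filtered btx
49152/tcp open unknown
49153/tcp open unknown
Nmap scan report for 192.168.11.1
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
20005/tcp filtered btx
"""

def parse_scans(text):
    """Return {host: {(port, proto): (state, service)}}."""
    scans, host = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := REPORT.match(line):
            host = m.group(1)
            scans[host] = {}
        elif host and (m := ROW.match(line)):
            scans[host][(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return scans

def open_ports(scans, host):
    return {key for key, (state, _) in scans[host].items() if state == "open"}

def open_only_on(scans, a, b):
    """Ports open on address a but not on address b (filtered does not count)."""
    return sorted(open_ports(scans, a) - open_ports(scans, b))

if __name__ == "__main__":
    scans = parse_scans(SAMPLE)
    lan, other = "192.168.10.254", "192.168.11.1"
    for port, proto in open_only_on(scans, lan, other):
        print(f"{port}/{proto} {scans[lan][(port, proto)][1]}: open on {lan} only")
```

Fed the full output of both scans, it reports the same four ports: 23, 10000, 49152 and 49153 are open on 192.168.10.254 only.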
shiftctrl
Aug 03, 2019 Aspirant
Yeah, that's what I initially thought - the only problem is that the IP leads back to the gateway (same admin credentials, settings, etc.)
So when I go to 10.0.32.1, it takes me to the same admin console with all the same settings as my 10.0.0.1 console.
Even if someone is spoofing my network, then how did they get my admin creds and why leave it with the same user/pass?
michaelkenward
Aug 03, 2019 Guru - Experienced User
shiftctrl wrote:
Even if someone is spoofing my network, then how did they get my admin creds and why leave it with the same user/pass?
What evidence do you have that this might be happening?
Be a sport, tell us what the modem is in front of your router. Then we can begin to see if the first theory is, as a suspect, a more likely explanation.
It is all too easy to get sucked into complicated theories and interpretations when the answer is staring you in the face.
- shiftctrl Aug 03, 2019 Aspirant
The modem is a Motorola SURFboard SB6121
- shiftctrl Aug 03, 2019 Aspirant
Apologies, I made a typo earlier. I meant to say: 10.0.32.1 leads back to the first router (not gateway).
In reality that was a poor choice of words, since technically it's not "leading" back, rather it's a web portal at that IP. I'm able to log in to the router's web portal using either 10.0.0.1 and/or 10.0.32.1
If it was a second router (one which I hadn’t setup), all the creds and settings would be different.