192.168.0.3 firewall block?

cabcad
Aspirant

Hello, I have a WNDR3400 that is behind a hardware firewall. I am looking at the firewall logs and see a block occurring 3 times per minute.

Src IP:192.168.2.2 Port:63084 (my WNDR3400)
Dest IP:192.168.0.3 Port:161 (what is this?)
Proto:UDP Len:106


I have nothing on the network 192.168.0.3, what is it? It won't respond to ping, so I can't find out what the router is trying to access. Can someone help me find out what the router is trying to communicate with at 192.168.0.3? I read in the forum that it is a normal xbox IP, but I don't have an xbox or anything like it.

Thank you!
Message 1 of 10
jmizoguchi
Virtuoso

Re: 192.168.0.3 firewall block?

some malware possible
VPN Case Study

VPNCASESTUDY.COM

"Our Second To None VPN Related Setup Case Study"

"One Stop Solution To Your Netgear VPN Connectivity"

*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]





June Mizoguchi-
Message 2 of 10
cabcad
Aspirant

Re: 192.168.0.3 firewall block?

OK. You mean there may be malware on a PC behind the router and the malware is sending out that request? I did a full system scan with Avast and found nothing. Do you have a suggestion what to do?

I will mention that the requests are on the clock 3 times a minute to the second. Here is a sample.

Jun 27 16:40:56 In: br0 -> Out: nas1 Blocked
Src IP:192.168.2.2 Port:63084
Dest IP:192.168.0.3 Port:161
Proto:UDP Len:10

Jun 27 16:40:46 In: br0 -> Out: nas1 Blocked
Src IP:192.168.2.2 Port:63084
Dest IP:192.168.0.3 Port:161
Proto:UDP Len:106


Jun 27 16:40:36 In: br0 -> Out: nas1 Blocked
Src IP:192.168.2.2 Port:63084
Dest IP:192.168.0.3 Port:161
Proto:UDP Len:106
Message 3 of 10
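
Added example, not part of any post in this thread: a Python sketch that parses blocked-packet entries in the firewall log format shown above and reports flows that repeat at a near-constant interval, the "on the clock" pattern described in the post. The sample log is constructed (the 198.51.100.7 flow is invented for contrast), and the year, `min_events` and `max_jitter` values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

ENTRY = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) In: \S+ -> Out: \S+ Blocked\s+"
    r"Src IP:(?P<src>[\d.]+) Port:(?P<sport>\d+)\s+"
    r"Dest IP:(?P<dst>[\d.]+) Port:(?P<dport>\d+)\s+"
    r"Proto:(?P<proto>\w+) Len:(?P<len>\d+)")

def _entry(ts, dst, dport, proto="UDP", length=106):
    """Build one constructed log entry in the layout the firewall prints."""
    return (f"Jun 27 {ts} In: br0 -> Out: nas1 Blocked\n"
            f"Src IP:192.168.2.2 Port:63084\nDest IP:{dst} Port:{dport}\n"
            f"Proto:{proto} Len:{length}\n")

# Constructed sample: one regular flow (every 10 s) and one irregular flow.
SAMPLE_LOG = "\n".join(
    [_entry(t, "192.168.0.3", 161)
     for t in ("16:40:56", "16:40:46", "16:40:36", "16:40:26")]
    + [_entry(t, "198.51.100.7", 443, "TCP", 60)
       for t in ("16:40:51", "16:40:30", "16:39:02", "16:38:59")])

def parse(log, year=2000):
    """Yield (timestamp, flow) per entry. The log carries no year, so one is assumed."""
    for m in ENTRY.finditer(log):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        # The source port is left out of the key: clients may change it between polls.
        yield ts, (m["src"], m["dst"], int(m["dport"]), m["proto"])

def periodic_flows(log, min_events=4, max_jitter=1.0):
    """Return {flow: mean interval in seconds} for flows with near-constant spacing."""
    times = defaultdict(list)
    for ts, flow in parse(log):
        times[flow].append(ts)
    result = {}
    for flow, stamps in times.items():
        stamps.sort()  # the firewall lists newest entries first
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Flag only flows with enough events and a small spread between gaps.
        if len(stamps) >= max(min_events, 2) and pstdev(gaps) <= max_jitter:
            result[flow] = mean(gaps)
    return result

if __name__ == "__main__":
    for flow, interval in periodic_flows(SAMPLE_LOG).items():
        print(flow, f"repeats every {interval:.0f}s")
```

A fixed interval to a single destination and port points at a scheduled poller, which narrows the search to services and drivers rather than interactive software.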
jmizoguchi
Virtuoso

Re: 192.168.0.3 firewall block?

Try disabling UPnP in the router GUI.
Message 4 of 10
cabcad
Aspirant

Re: 192.168.0.3 firewall block?

Hi, Yes I have UPnP disabled in the wireless router, gateway/firewall, and in the PC.

The traffic is definitely coming from the PC. I shut down each network device one at a time to isolate, and found it was the PC.

I also did a full scan with SpyBot Search & Destroy, found nothing.

How to find what is trying to access 192.168.0.3, three times per minute.....
Message 5 of 10
Mars Mug
Virtuoso

Re: 192.168.0.3 firewall block?

cabcad wrote:
I have nothing on the network 192.168.0.3, what is it? It won't respond to ping, ...


Temporarily set a static IP on the PC e.g. 192.168.0.99 (assuming 99 is not used) with a mask of 255.255.255.0, gateway and DNS can be left blank. You may then get a response to pings.

cabcad wrote:
I read in the forum that it is a normal xbox IP, but I don't have an xbox or anything like it.


With an X-Box set for DHCP, it will take whatever IP is allocated. The IP address 192.168.0.3 will only be the perceived ‘normal’ IP because many routers use the 192.168.0.x subnet (with a router IP of 192.168.0.1), people have one PC which typically gets powered on first (with 192.168.0.2), so the X-Box gets 192.168.0.3.

On the ‘suspect’ PC, you could install Microsoft Network Monitor (free from Microsoft!) and set a filter for 192.168.0.3, or just free-run record, there should not be too much traffic to check through.

Do you perhaps have some left over port forwarding rules in the router? Have you at any time used a saved configuration file from an older Netgear router? Netgear used the 192.168.0.x subnet with older routers several years ago.
Message 6 of 10
fordem
Mentor

Re: 192.168.0.3 firewall block?

Based on the limited detail provided ...

Port 161 is used by SNMP - Simple Network Management Protocol - the source address is the WNDR3400, so the packets are being sent by the WNDR3400 (or another device behind it) to an unknown device at 192.168.0.3.

IF the WNDR3400 supports SNMP, it may have at some point been configured to send trap messages to a management station at 192.168.0.3, and is still trying to do so.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 7 of 10
cabcad
Aspirant

Re: 192.168.0.3 firewall block?

Guys, I got it figured out.

I ran Wireshark and saw that it was polling an SNMP service. A Google search found a Microsoft Technet Article about the print spooler polling non present network printers. So I went to my printers and devices, and found that there was an unused printer port at 192.168.0.3.

I deleted the port, and now the firewall is quiet.

Thanks for all your suggestions. This is my first time on the Netgear forums and you guys are great. 😉


Technet article that helped me:

http://social.technet.microsoft.com/Forums/windows/en-US/554d78af-6c5c-4695-b577-dd39151d0868/answer...
Message 8 of 10
cabcad
Aspirant

Re: 192.168.0.3 firewall block?

Mars Mug wrote:
On the ‘suspect’ PC, you could install Microsoft Network Monitor (free from Microsoft!) and set a filter for 192.168.0.3, or just free-run record, there should not be too much traffic to check through.



Thanks for the tip! I always used Wireshark, but I'll check this out.
Message 9 of 10
jmizoguchi
Virtuoso

Re: 192.168.0.3 firewall block?

Great...... enjoy
Message 10 of 10