Where are the weird connections to my Keenetic 4g III router coming from?

Metafalica Posts: 3  Freshman Member
edited January 2020 in Smart Home Product
Hello. I have this router and it has only 3 cables connected:
Power cable
WAN (ISP ethernet cable)
LAN1 cable which comes into my PC

Router's WiFi is disabled.

In the network tab I see some weird device connect and disconnect every minute.

And my log is flooded with these weird messages:
Jan 16 14:22:07 ndhcps _WEBADMIN: DHCPDISCOVER received  from c4:a8:1d:41:ea:ef.
Jan 16 14:22:07 ndhcps _WEBADMIN: making OFFER of 192.168.1.72 to c4:a8:1d:41:ea:ef.
Jan 16 14:22:09 ndhcps _WEBADMIN: DHCPDISCOVER received  from c4:a8:1d:41:ea:ef.
Jan 16 14:22:09 ndhcps _WEBADMIN: making OFFER of 192.168.1.72 to c4:a8:1d:41:ea:ef.
Jan 16 14:22:13 ndhcps _WEBADMIN: DHCPDISCOVER received  from c4:a8:1d:41:ea:ef.
Jan 16 14:22:13 ndhcps _WEBADMIN: making OFFER of 192.168.1.72 to c4:a8:1d:41:ea:ef.
Jan 16 14:23:17 ndhcps _WEBADMIN: DHCPDISCOVER received  from c4:a8:1d:41:ea:ef.
Jan 16 14:23:17 ndhcps _WEBADMIN: making OFFER of 192.168.1.72 to c4:a8:1d:41:ea:ef.
Jan 16 14:23:19 ndhcps _WEBADMIN: DHCPDISCOVER received  from c4:a8:1d:41:ea:ef.
Jan 16 14:23:19 ndhcps _WEBADMIN: making OFFER of 192.168.1.72 to c4:a8:1d:41:ea:ef.
Jan 16 14:23:23 ndhcps _WEBADMIN: DHCPDISCOVER received  from c4:a8:1d:41:ea:ef.
Jan 16 14:23:23 ndhcps _WEBADMIN: making OFFER of 192.168.1.72 to c4:a8:1d:41:ea:ef.
Jan 16 14:24:27 ndhcps _WEBADMIN: DHCPDISCOVER received  from c4:a8:1d:41:ea:ef.
Jan 16 14:24:27 ndhcps _WEBADMIN: making OFFER of 192.168.1.72 to c4:a8:1d:41:ea:ef.
Jan 16 14:24:29 ndhcps _WEBADMIN: DHCPDISCOVER received  from c4:a8:1d:41:ea:ef.
Jan 16 14:24:29 ndhcps _WEBADMIN: making OFFER of 192.168.1.72 to c4:a8:1d:41:ea:ef.
Jan 16 14:24:33 ndhcps _WEBADMIN: DHCPDISCOVER received  from c4:a8:1d:41:ea:ef.
Jan 16 14:24:33 ndhcps _WEBADMIN: making OFFER of 192.168.1.72 to c4:a8:1d:41:ea:ef.
To me it seems like someone from that IP tries to enter my router web interface.

I executed the "ipconfig /all" command and don't see the device with the c4:a8:1d:41:ea:ef MAC address at all.
Microsoft Windows [Version 10.0.18362.535]
(c) Корпорация Майкрософт (Microsoft Corporation), 2019. Все права защищены.
C:\Users\kosmo>ipconfig /all
Настройка протокола IP для Windows

   Имя компьютера  . . . . . . . . . : Aquaelie
   Основной DNS-суффикс  . . . . . . :
   Тип узла. . . . . . . . . . . . . : Гибридный
   IP-маршрутизация включена . . . . : Нет
   WINS-прокси включен . . . . . . . : Нет

Адаптер Ethernet Ethernet:

   DNS-суффикс подключения . . . . . :
   Описание. . . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
   Физический адрес. . . . . . . . . : 00-E0-4C-B0-57-9D
   DHCP включен. . . . . . . . . . . : Да
   Автонастройка включена. . . . . . : Да
   Локальный IPv6-адрес канала . . . : fe80::28f2:3a4c:460d:dea8%14(Основной)
   IPv4-адрес. . . . . . . . . . . . : 192.168.1.50(Основной)
   Маска подсети . . . . . . . . . . : 255.255.255.0
   Аренда получена. . . . . . . . . . : 16 января 2020 г. 10:15:55
   Срок аренды истекает. . . . . . . . . . : 16 января 2020 г. 18:14:17
   Основной шлюз. . . . . . . . . : 192.168.1.1
   DHCP-сервер. . . . . . . . . . . : 192.168.1.1
   IAID DHCPv6 . . . . . . . . . . . : 100720716
   DUID клиента DHCPv6 . . . . . . . : 00-01-00-01-22-AB-FA-9B-00-E0-4C-B0-57-9D
   DNS-серверы. . . . . . . . . . . : 192.168.1.1
   NetBios через TCP/IP. . . . . . . . : Включен

Адаптер Ethernet VMware Network Adapter VMnet1:

   DNS-суффикс подключения . . . . . :
   Описание. . . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
   Физический адрес. . . . . . . . . : 00-50-56-C0-00-01
   DHCP включен. . . . . . . . . . . : Нет
   Автонастройка включена. . . . . . : Да
   Локальный IPv6-адрес канала . . . : fe80::9c90:af97:ef96:8d5f%10(Основной)
   IPv4-адрес. . . . . . . . . . . . : 192.168.48.1(Основной)
   Маска подсети . . . . . . . . . . : 255.255.255.0
   Основной шлюз. . . . . . . . . :
   IAID DHCPv6 . . . . . . . . . . . : 50352214
   DUID клиента DHCPv6 . . . . . . . : 00-01-00-01-22-AB-FA-9B-00-E0-4C-B0-57-9D
   DNS-серверы. . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBios через TCP/IP. . . . . . . . : Включен

Адаптер Ethernet VMware Network Adapter VMnet8:

   DNS-суффикс подключения . . . . . :
   Описание. . . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
   Физический адрес. . . . . . . . . : 00-50-56-C0-00-08
   DHCP включен. . . . . . . . . . . : Нет
   Автонастройка включена. . . . . . : Да
   Локальный IPv6-адрес канала . . . : fe80::e1d1:5f60:e09:1058%11(Основной)
   IPv4-адрес. . . . . . . . . . . . : 192.168.21.1(Основной)
   Маска подсети . . . . . . . . . . : 255.255.255.0
   Основной шлюз. . . . . . . . . :
   IAID DHCPv6 . . . . . . . . . . . : 184569942
   DUID клиента DHCPv6 . . . . . . . : 00-01-00-01-22-AB-FA-9B-00-E0-4C-B0-57-9D
   DNS-серверы. . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBios через TCP/IP. . . . . . . . : Включен

I feel strange about it. Maybe I caught some smart virus or something like that? Routers can be hacked, that's no news.




All Replies

  • Mijzelf
    Mijzelf Posts: 2,600  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 2020
    DHCPDISCOVER received  from c4:a8:1d:41:ea:ef
    According to its MAC address that's a D-Link device. Does that help?
  • Metafalica
    Metafalica Posts: 3  Freshman Member
    Hm, I don't have any D-Link devices in my home.
  • Mijzelf
    Mijzelf Posts: 2,600  Guru Member
    And you have only one cable from your PC to LAN1, and one cable from upstream in WAN, and that's all?
    That log message is repeating every 3/4 seconds. Does that continue if you disconnect WAN?
  • Metafalica
    Metafalica Posts: 3  Freshman Member
    And you have only one cable from your PC to LAN1, and one cable from upstream in WAN, and that's all?
    That's totally right.

    Today I made more experiments and found that same IP in the router's connections tab. It looks like the router connects to it on its own, so it's not coming from my PC.

    Later I tried to unplug the WAN cable and these weird messages in the log stopped. Once I plugged WAN in again they appeared again.

    Then I enabled WiFi, unplugged the LAN1 cable (my PC) and connected to the router from a laptop via WiFi. Those weird messages were still coming.

    So... looks like this comes from my ISP provider and there is nothing to worry about?
  • Mijzelf
    Mijzelf Posts: 2,600  Guru Member
    So... looks like this comes from my ISP provider and there is nothing to worry about?

    Indeed. I think your ISP doesn't isolate the clients on that network segment, and that someone connected a D-Link router to his internet connection on the same segment, which is trying to get a WAN IP address by DHCP, while your ISP uses PPPoE. That request somehow leaks into your LAN, and is answered, but the answer doesn't 'leak out' back, and so that router keeps trying.
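
The pattern described in the last reply, a client that keeps sending DISCOVER and is offered a lease but never completes the handshake, can be pulled out of an ndhcps log automatically. The script below is an added example, not part of the thread; the REQUEST/ACK line wording and the 02:00:00:00:00:01 client are assumptions made for contrast, since the thread shows only DISCOVER and OFFER lines.

```python
import re
from collections import defaultdict

MAC = r"\b(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})"
LINE = re.compile(r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) ndhcps .*?" + MAC, re.I)

# Lines for c4:a8:1d:41:ea:ef are taken from the log quoted in the thread.
# Lines for 02:00:00:00:00:01 are constructed: a placeholder client that completes
# the handshake. Their REQUEST/ACK wording is an assumption (not shown on the page).
SAMPLE_LOG = """\
Jan 16 14:22:07 ndhcps _WEBADMIN: DHCPDISCOVER received  from c4:a8:1d:41:ea:ef.
Jan 16 14:22:07 ndhcps _WEBADMIN: making OFFER of 192.168.1.72 to c4:a8:1d:41:ea:ef.
Jan 16 14:22:09 ndhcps _WEBADMIN: DHCPDISCOVER received  from c4:a8:1d:41:ea:ef.
Jan 16 14:22:09 ndhcps _WEBADMIN: making OFFER of 192.168.1.72 to c4:a8:1d:41:ea:ef.
Jan 16 14:22:13 ndhcps _WEBADMIN: DHCPDISCOVER received  from c4:a8:1d:41:ea:ef.
Jan 16 14:22:13 ndhcps _WEBADMIN: making OFFER of 192.168.1.72 to c4:a8:1d:41:ea:ef.
Jan 16 14:22:30 ndhcps _WEBADMIN: DHCPDISCOVER received  from 02:00:00:00:00:01.
Jan 16 14:22:30 ndhcps _WEBADMIN: making OFFER of 192.168.1.51 to 02:00:00:00:00:01.
Jan 16 14:22:30 ndhcps _WEBADMIN: DHCPREQUEST received for 192.168.1.51 from 02:00:00:00:00:01.
Jan 16 14:22:30 ndhcps _WEBADMIN: sending ACK of 192.168.1.51 to 02:00:00:00:00:01.
Jan 16 14:23:17 ndhcps _WEBADMIN: DHCPDISCOVER received  from c4:a8:1d:41:ea:ef.
"""

def stalled_clients(log_text, min_discovers=3):
    """Return {mac: summary} for clients that repeat DISCOVER and are offered
    a lease but never send a REQUEST or get an ACK (log must not span midnight)."""
    seen = defaultdict(lambda: {"times": [], "offers": set(), "completed": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec = seen[m["mac"].lower()]
        if "DHCPDISCOVER" in line:
            rec["times"].append(int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]))
        elif (offer := re.search(r"OFFER of (\S+) to", line)):
            rec["offers"].add(offer.group(1))
        elif re.search(r"\b(DHCPREQUEST|ACK)\b", line):
            rec["completed"] = True
    report = {}
    for mac, rec in seen.items():
        t = rec["times"]
        if len(t) >= min_discovers and not rec["completed"]:
            report[mac] = {"discovers": len(t), "offered": sorted(rec["offers"]),
                           "retry_gaps_s": [b - a for a, b in zip(t, t[1:])]}
    return report

if __name__ == "__main__":
    print(stalled_clients(SAMPLE_LOG))
```

The short, growing gaps followed by a pause of about a minute are what a DHCP client retransmitting unanswered DISCOVERs looks like, which fits a device that never receives the router's OFFER.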
