8.8.8.8 connection attempts

Hi,

I have a B One connected behind another router.

I have “device local network traffic is now managed by outbound firewall rules” set

I have a rule set to block everything to 8.8.8.8

Every 10 seconds, I see 10 blocked connection attempts to 8.8.8.8

5 attempts for WAN 1 & 5 attempts for WAN 2
(1 ICMP type 8 and 4 TCP: spt 3111, dst 443)

My setup is…
WAN 1 connects to a port on this upstream router
WAN 2 connects to a different port on this upstream router.

Different subnets, static IPs and gateways functioning.
I have my dns settings set to request from this router, and health checks are pings to the respective port addresses on this router.

All working.

Both WAN 1 & 2 are set:
always on - selected
Independent from backup wans - enabled
Bandwidth allowance monitor - disabled

On the network > wan page:
Dns over https - disabled
Wan quality monitoring - custom and nothing selected
Synergy controller - disabled
Incontrol controller - disabled

The only device I have connected to the B One at the moment is an admin pc that is ruled to block all outbound (the 8.8.8.8 connection attempts also continue if I have the admin pc physically disconnected and then I reconnect after a number of minutes and I log back in to check logs and see what happened during that time period)

DNS proxy is off & DNS forwarding is off.

Web blocking / content blocking / database update is also off.

I have had to disable event logging for my block 8.8.8.8 rule as the event log view is spammed with all these connection attempts.

Is there a setting I have missed?
Why is my router trying to connect to google?
How can I get it to stop?

Thanks in advance

Hi Neo,

Have you set up any VPN tunnels from the Peplink?
Time server is not using the 8.8.8.8 either, as far as I know.

I think this is going to be a good one for a ticket at ticket.peplink.com, they can help you out with more detailed information and an investigation into this.

We don’t block the 8.8.8.8 in most situations, it’s a good alternative if the health checks fail to the ISP.

Hope this helps.

1 Like

Hi!

Without looking at your full settings and conducting a packet capture - it’s hard to say what is initiating the connections to Google’s DNS server (8.8.8.8).

I recommend taking a look at the active sessions on the B One (under Status > Active Sessions) and conducting a packet capture to verify what is the source of the traffic, if it’s indeed the B One and not the admin PC.

And as Joe mentioned, if you need any help - feel free to create a ticket. We’ll definitely try to help!

Best Regards,
Aivaras

1 Like

Thanks for the reply.

I have managed to get the messages to stop.

From reading Excessive data usage MAX BR1 mini - Confirmed - #33 by Jonathan_Pitts

"Outbound policies, set default (at bottom) to custom, enforced to either wan or cellular only"

I changed this default to Custom > enforced > WAN 2 port.
Changing this stopped all the 8.8.8.8 requests.

I’ve never even noticed that default setting being clickable in 4 years lol.
The odd thing is that I already have every vlan/subnet set to be enforced to a WAN port.

Eg guest vlan enforced to WAN 1 into a port on upstream router. All traffic on this port is directed out without VPN
Another subnet enforced to go out WAN 2 into a different port on opnsense and directed out through a VPN.

So with that default setting changed, I was able to roll back some of the other recommended settings. Such as WAN health check settings. For me at least, the health check settings were not causing the Balance One to send 8.8.8.8 requests.

And it is/was definitely originating from the Balance One.
Wifi is disabled completely, there’s no cellular and there’s only 3 connected devices right now while I get things set up.

  1. opnsense router (which rejects the incoming 8.8.8.8 requests when not blocked at the B One)
  2. Balance One router (which I had blocking the outgoing 8.8.8.8 requests from its WAN 1 & 2 static IPs)
  3. a management device which is only wired (no wifi bluetooth etc) and is ruled to only allow communication to the B One on my specified web admin port and block everything else and those are higher priority rules than the block 8.8.8.8 rule.

Thanks again for your reply

1 Like

Hi thanks for the reply and the suggestion.

My management device never connects to the internet. I will have to download the files and transfer over on usb.

I shall do that in a while.

I checked things on my management device like
cat /etc/resolv.conf
netstat -lnptu
netstat -nputw

There’s nothing to show an 8.8.8.8 preference / setting / open port.

For info… I have gone back to Outbound Policy, I reset the “default” option back to auto. Saved & applied.

Opened the Event Log > Firewall.
Confirmed that my rule: block any any outbound to 8.8.8.8 event logs started again.
I changed the block 8.8.8.8 rule to allow 8.8.8.8 and confirmed allow events appeared in the log.

Disconnected the management device from the ethernet port and also disconnected my opnsense router from the internet. It’s just the 2 routers now and opnsense is the upstream router.

Noted the time of disconnect.
Waited 10 minutes.
Reconnected the management device.
Refreshed the Event Log > firewall page

In the B One logs…
Confirmed that 10 entries (5 for WAN 1 & 5 for WAN 2) happen every 10 seconds before the disconnect, for the whole duration of that 10 minutes and continued after reconnect.

In the opnsense logs…
I can also see these inbound requests being blocked by my opnsense firewall whilst my management device is disconnected from my B One (I have a different management device for my other router. Similar blocks on this device - only gui allowed, everything else blocked. There’s no cross pollination of devices)

So even if it was something on my management device, how would the connection requests continue whilst it is disconnected?

I then reconnected my management device, set the default option in Outbound Policy to custom > enforced (either of the WANs).

No more outbound requests to 8.8.8.8. Phew! 🙂

So there is a way to stop it. But it is kinda wild that there are these hidden connection requests to 8.8.8.8 when none of my user settable fields have specified 8.8.8.8 as a destination or service provider.

Because you can have a rule “block any any 8.8.8.8”

And a person might think this rule is stopping everything going to 8.8.8.8

But if “enable Outbound Firewall to manage device local network traffic” is disabled, there will be no mention of blocks in the logs so the blocks must not be happening. This is a system event/policy that normally happens before the outbound rules take effect?

It was only when I enabled “enable Outbound Firewall to manage device local network traffic” that I became aware of these connections to 8.8.8.8 (or if you have an upstream device I suppose).

Thanks again
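
The disconnect test described in the post above can be checked mechanically against exported firewall log lines: if every 10-second bucket still holds traffic to 8.8.8.8 while the only LAN client is unplugged, the router itself is the source. This is an added example, not part of the original post or any Peplink tooling; the log line layout, the timestamps and the unplug window are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed line layout (constructed, not the B One's real log format):
#   "<ISO time> <action> <WAN n> <proto> dst=<ip>"
LINE = re.compile(r"(\S+) (\w+) (WAN \d) (\w+) dst=(\S+)")

def parse(lines):
    """Return (time, wan, proto, dst) tuples for lines that match LINE."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ts, _action, wan, proto, dst = m.groups()
            events.append((datetime.fromisoformat(ts), wan, proto, dst))
    return events

def beacon_profile(events, dst, period=10):
    """Count events to dst per (period-second bucket, WAN)."""
    buckets = Counter()
    for ts, wan, _proto, d in events:
        if d == dst:
            epoch = int(ts.timestamp())
            buckets[(epoch - epoch % period, wan)] += 1
    return buckets

def continues_during(events, dst, start, end, period=10):
    """True if every bucket in [start, end) still has traffic to dst."""
    seen = {b for b, _wan in beacon_profile(events, dst, period)}
    first = int(start.timestamp()) // period * period
    return all(b in seen for b in range(first, int(end.timestamp()), period))

def constructed_sample(start, seconds):
    """Constructed lines: per WAN, 1 ICMP + 4 TCP every 10 s, as reported."""
    lines = []
    for off in range(0, seconds, 10):
        ts = (start + timedelta(seconds=off)).isoformat()
        for wan in ("WAN 1", "WAN 2"):
            lines.append(f"{ts} Denied {wan} ICMP dst=8.8.8.8")
            lines += [f"{ts} Denied {wan} TCP dst=8.8.8.8"] * 4
    return lines

START = datetime.fromisoformat("2024-01-01T12:00:00+00:00")
EVENTS = parse(constructed_sample(START, 900))
# Constructed window in which the only LAN client was unplugged.
UNPLUGGED = (START + timedelta(minutes=2), START + timedelta(minutes=12))
print(continues_during(EVENTS, "8.8.8.8", *UNPLUGGED))
```

A gap in the buckets during the unplugged window would instead point at the LAN client as the source.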

I see, great that you found a way to stop it. The default outbound policy algorithm is “Lowest Latency”, thus the device could be using 8.8.8.8 as a latency checking marker.

Though on the outbound firewall rules - if you read the tooltip next to it, you’ll see that these rules don’t apply to traffic originating from the router itself.

1 Like