Router client with IP of 100.115.92.1 and no MAC address. What the heck?

Surf SOHO MK3 running firmware 7.1.2.

On June 13, 2020 the Daily Bandwidth report showed a LAN client with an IP address of 100.115.92.1 and a blank MAC address. Screen shot below.

Looking at the Monthly Bandwidth report for May 2020, same thing, as shown below.

Any guesses what this is? ipinfo.io calls it a bogon. iplocation.net refers to RFC6598.

Is it just me? Anyone else see this in their Monthly Bandwidth report?

1 Like

@Michael234, can you help to open a ticket for us to take a closer look? We would like to investigate where this IP came from. Please mark the ticket for my attention.

Thanks.

1 Like

OK will do.
FYI: I created an outbound firewall rule to log any traffic from this IP address. We’ll see if it catches anything …

1 Like

Do you have Chromebooks with Android apps on your network?

Yes there are Chromebooks with Android apps. Why do you ask?

That’s what’s causing those IP addresses and MAC address to show up.

https://www.reddit.com/r/k12sysadmin/comments/d2cyvu/weird_chromebook_address_100115921/

2 Likes

Well well well. Interesting. Thanks.

I just tested a Chromebook with Android apps and the unusual IP address did not appear anywhere in the router. That doesn’t make the earlier observations wrong. It could be that it only happens sometimes. Or that ChromeOS has changed over time.

1 Like

Update: this IP still appears whenever I use a Chromebook. I have created a firewall rule that blocks it and logs it. Last tested with firmware 8.1.

Then, finally, create another rule at the very bottom (this must be the last one) that denies and logs everything. The only way the last rule gets hit is if a chunk of data tried to leave your LAN and the source IP address is not what it is supposed to be. Call the rule NotMyLAN, leave the Protocol at Any, the Source at Any Address and the Destination at Any Address. Change the Action to Deny and turn on logging. Why even consider such a remote possibility? It has happened to me. Long story. (added June 2020)

Does this firewall rule you mentioned in your SOHO configuration page apply to this situation?

Yes and no. Twice I have seen IP addresses that were not from my LAN or any of my VLANs try to leave the router. The rules I wrote on the website catch both cases. But 100.115.92.1 is so strange, I made a rule at the top of the outbound fw rule list just for it. It consistently happens when I use a Chromebook and I have not noticed anything break on the Chromebook by blocking these data transmissions.
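Added example, not part of any post in this thread: a Python sketch of the same check the NotMyLAN rule performs, run over exported outbound firewall log lines, reporting every source IP that is not on a local subnet and naming the range it falls in (100.115.92.1 is in the RFC 6598 block 100.64.0.0/10). The log line format, the `SRC=` field, the two local subnets and all sample lines are assumptions constructed for illustration, not the router's actual log format.

```python
import ipaddress
import re

# Assumption: the subnets the router really serves (LAN plus VLANs).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.50.0/24", "10.10.20.0/24")]

# Special-purpose IPv4 ranges worth naming in the report.
NAMED_RANGES = [
    (ipaddress.ip_network("100.64.0.0/10"), "RFC 6598 shared address space"),
    (ipaddress.ip_network("10.0.0.0/8"), "RFC 1918 private"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC 1918 private"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918 private"),
    (ipaddress.ip_network("169.254.0.0/16"), "RFC 3927 link-local"),
]

SRC_RE = re.compile(r"\bSRC=(\S+)")  # hypothetical field name

# Constructed sample log lines (hypothetical format, documentation-range destinations).
SAMPLE_LOG = """\
Jun 13 10:02:11 OUT SRC=192.168.50.23 DST=203.0.113.10 PROTO=TCP DPT=443
Jun 13 10:02:14 OUT SRC=100.115.92.1 DST=198.51.100.53 PROTO=UDP DPT=53
Jun 13 10:02:15 OUT SRC=10.10.20.7 DST=198.51.100.53 PROTO=UDP DPT=53
Jun 13 10:03:40 OUT SRC=100.115.92.1 DST=198.51.100.54 PROTO=UDP DPT=53
Jun 13 10:05:02 OUT SRC=172.17.0.2 DST=203.0.113.10 PROTO=TCP DPT=80
Jun 13 10:05:09 OUT SRC=bogus DST=198.51.100.53 PROTO=UDP DPT=53
"""

def classify(addr):
    """Name the special-purpose range an address belongs to, if any."""
    for net, label in NAMED_RANGES:
        if addr in net:
            return label
    return "public or other"

def foreign_sources(log_text, local_nets=LOCAL_NETS):
    """Return {source: (count, label)} for sources not on any local subnet."""
    hits = {}
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            label = "unparseable"  # keep malformed sources visible, do not drop them
        else:
            if any(addr in net for net in local_nets):
                continue  # expected LAN/VLAN source
            label = classify(addr)
        count = hits.get(src, (0, label))[0]
        hits[src] = (count + 1, label)
    return hits

if __name__ == "__main__":
    for src, (count, label) in foreign_sources(SAMPLE_LOG).items():
        print(f"{src:15} {count:3}  {label}")
```

Note that a private-range source such as the constructed 172.17.0.2 is still reported: being RFC 1918 is not the same as being one of the subnets this router serves.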