Many routers report LAN activity to the manufacturer and the fact that Peplink does not (outside of InControl2) is a great thing. To verify this, I recently audited outbound connections made by a 2nd generation Surf SOHO running firmware 8.0.2 build 3612 while no clients were connected to the router. The audit turned up two things I can not explain.
- Why did the router contact IP address 126.96.36.199?
It is not for the time of day. It is not for WAN Quality monitoring. It is not a Health check. InControl2 is disabled. I did not hit the Check for Firmware button (System -> Firmware). Here is the log entry:
Mar 22 03:10:02 Allowed MAC=00:1a:dd… SRC=192.168.x.x DST=188.8.131.52
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12571 DF PROTO=TCP SPT=49005 DPT=443
WINDOW=5600 RES=0x00 SYN URGP=0 MARK=0x2
The IP address belongs to Cloudflare. According to Shodan
it seems to be a Peplink server, but the Content Security Policy mentions Facebook and Google Analytics and port 8443 seems to belong to Oil & Gas Information Systems (ogpro.com).
Why is the router making contact with this server?
- The second issue is what the router is NOT doing: I see no DNS Health Check requests.
Health checking is configured to do DNS lookups to 184.108.40.206 and 220.127.116.11 (Cloudflare) every 30 minutes. The audit ran for many hours and I did not see any outbound requests to either of these IP addresses. The firewall rule used for auditing logged any protocol, to any destination from a single IP address.
Backing up, the router being audited (inner router) has its WAN port connected to a LAN port of another Surf SOHO (outer router). The audit was run on the outer router. Could it be that the outer router satisfied the DNS Health Check requests on its own and thus did not log the DNS request from the inner router?
Changed from DNS to Ping for health check and everything works as expected.
I switched the audited router back to using DNS for Health Checking to 18.104.22.168 and 22.214.171.124. And, I added an outbound firewall rule on the audited router that logs anything going out to 126.96.36.199. Nothing appeared in the Event Log of the audited router.
Perhaps DNS requests from the Health Check function are not logged? Still, that would not explain why the other router (outer one) never saw them.
Next, I changed Health Checking to include public DNS servers and I added a log of all outbound UDP requests to port 53. Still, nothing was being logged on the audited/inner router.
The Event Log itself is not the problem, I do see the “changes applied” entries
With the DNS lookup scheduled for every 5 seconds, I used the support.cgi page on the inner/audited router to do a pcap trace of all the bits for about 30 seconds. As these screen shots show, queries are being made to one.one.one.one and responses are being received.
Is this working as it should?
QUERIES TO 188.8.131.52
RESPONSES FROM 184.108.40.206