cboettcher Posted ...

Background: I connect to AirVPN servers via an openvpn client (v2.4.4) from the command line (though this also happens when I use the AirVPN Hummingbird client) from behind a router running OpenWRT. Lately, I've been seeing the following in my syslog:

    Aug 8 17:16:28 Deluxe kernel: [12972.603549] IPv4: martian source 192.168.1.100 from 34.210.182.212, on dev eno1
    Aug 8 17:16:28 Deluxe kernel: [12972.603572] ll header: 00000000: d0 17 c2 ac 64 4b c4 e9 84 48 79 32 08 00 ....dK...Hy2..
    Aug 8 17:16:28 Deluxe kernel: [12972.910801] IPv4: martian source 192.168.1.100 from 34.210.182.212, on dev eno1
    Aug 8 17:16:28 Deluxe kernel: [12972.910822] ll header: 00000000: d0 17 c2 ac 64 4b c4 e9 84 48 79 32 08 00 ....dK...Hy2..
    Aug 8 17:16:28 Deluxe kernel: [12973.230932] IPv4: martian source 192.168.1.100 from 34.210.182.212, on dev eno1
    Aug 8 17:16:28 Deluxe kernel: [12973.230953] ll header: 00000000: d0 17 c2 ac 64 4b c4 e9 84 48 79 32 08 00 ....dK...Hy2..

The first MAC address in the `ll header` line is my NIC, the second is an ethernet interface on the router.

My route table looks like this before connecting:

    [2020-08-08 ☱ 18:35 ☴ .ovpn]$ route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eno1
    10.171.32.0     0.0.0.0         255.255.255.0   U     0      0        0 lxdbr0
    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno1

And it looks like this shortly after connecting:

    [2020-08-08 ☱ 18:35 ☴ iptables]$ route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.28.169.1     128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eno1
    10.28.169.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
    10.171.32.0     0.0.0.0         255.255.255.0   U     0      0        0 lxdbr0
    128.0.0.0       10.28.169.1     128.0.0.0       UG    0      0        0 tun0
    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
    184.75.221.178  192.168.1.1     255.255.255.255 UGH   0      0        0 eno1
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno1

The host IP listed second from the bottom is the VPN gateway.

After three to five minutes, martian traffic will die down and appear infrequently. I've tested connecting via openvpn without the router in place (connected directly to my modem) and the same occurs.

I'm going out on a limb here, but it seems like, when there's an abrupt change in routing (as occurs with a VPN connection), existing connections persist and are flagged. Over time, these connections die off.

Question: Is my understanding correct, or should I be doing something to avoid "martian" traffic, either via iptables or direct route manipulation?
Flx Posted ...

> 1 hour ago, cboettcher said:
> Is my understanding correct, or should I be doing something to avoid "martian" traffic, either via iptables or direct route manipulation?

Do you have any iPhone/tablet devices connected to the ISP modem's primary WiFi? If you do, connect them to the Guest V-mode WiFi. Reconnect and see if these "martian packets" still happen.

Similar case scenario: https://forums.openvpn.net/viewtopic.php?f=4&t=28111&sid=badb8b86ad6b858dc8b25d6864b208be
cboettcher Posted ...

Hi, Flx. Thanks for the reply. I do have phones and laptops connected to the router via wireless (and wired) interfaces, but the traffic that I'm seeing is reported within a log that's on a node in the local network (a desktop, whose IP is 192.168.1.100) and not a router.
Flx Posted ...

> 2 hours ago, cboettcher said:
> After three to five minutes, martian traffic will die down and appear infrequently. I've tested connecting via openvpn without the router in place (connected directly to my modem) and the same occurs. I'm going out on a limb here, but it seems like, when there's an abrupt change in routing (as occurs with a VPN connection), existing connections persist and are flagged. Over time, these connections die off.

Do you have the routing table from when you connect directly to the ISP modem? Can you please post that?
cboettcher Posted ...

I connected the desktop to the modem directly, as before, and then did the following:

    [2020-08-08 ☱ 23:13 ☴ iptables]$ sudo cp /etc/network/interfaces /etc/network/interfaces.bkup
    [2020-08-08 ☱ 23:27 ☴ iptables]$ vim /etc/network/interfaces   # changing relevant interface to dhcp to get IP from ISP
    [2020-08-08 ☱ 23:28 ☴ iptables]$ sudo ip route flush table main
    [2020-08-08 ☱ 23:29 ☴ iptables]$ route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    [2020-08-08 ☱ 23:29 ☴ iptables]$ sudo ifdown eno1
    RTNETLINK answers: No such process
    Internet Systems Consortium DHCP Client 4.3.5
    Copyright 2004-2016 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/

    Listening on LPF/eno1/d0:17:c2:ac:64:4b
    Sending on   LPF/eno1/d0:17:c2:ac:64:4b
    Sending on   Socket/fallback
    DHCPRELEASE on eno1 to 192.168.1.1 port 67 (xid=0x3d1afa46)
    send_packet: Network is unreachable
    send_packet: please consult README file regarding broadcast address.
    dhclient.c:2864: Failed to send 300 byte long packet over fallback interface.
    [2020-08-08 ☱ 23:29 ☴ iptables]$ sudo ifup eno1
    Internet Systems Consortium DHCP Client 4.3.5
    Copyright 2004-2016 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/

    Listening on LPF/eno1/d0:17:c2:ac:64:4b
    Sending on   LPF/eno1/d0:17:c2:ac:64:4b
    Sending on   Socket/fallback
    DHCPDISCOVER on eno1 to 255.255.255.255 port 67 interval 3 (xid=0x871abd5f)
    DHCPDISCOVER on eno1 to 255.255.255.255 port 67 interval 8 (xid=0x871abd5f)
    DHCPDISCOVER on eno1 to 255.255.255.255 port 67 interval 9 (xid=0x871abd5f)
    DHCPREQUEST of <ip address> on eno1 to 255.255.255.255 port 67 (xid=0x5fbd1a87)
    DHCPOFFER of <ip address> from 10.246.16.1
    DHCPACK of <ip address> from 10.246.16.1
    cmp: EOF on /tmp/tmp.1E6p2z0glz which is empty
    bound to <ip address> -- renewal in 1640 seconds.
    [2020-08-08 ☱ 23:29 ☴ iptables]$ route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         <isp gateway>   0.0.0.0         UG    0      0        0 eno1
    <isp network>   0.0.0.0         255.255.255.0   U     0      0        0 eno1
    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1

And the traffic in the log looks like this:

    Aug 8 23:30:44 Deluxe kernel: [19586.154497] IPv4: martian source 209.42.140.126 from 209.42.140.1, on dev eno1
    Aug 8 23:30:44 Deluxe kernel: [19586.154518] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06 ........~.....
    Aug 8 23:30:48 Deluxe kernel: [19590.296195] net_ratelimit: 43 callbacks suppressed
    Aug 8 23:30:48 Deluxe kernel: [19590.296218] IPv4: martian source 72.9.9.145 from 72.9.9.1, on dev eno1
    Aug 8 23:30:48 Deluxe kernel: [19590.296224] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06 ........~.....
    Aug 8 23:30:48 Deluxe kernel: [19590.366534] IPv4: martian source 69.161.98.170 from 69.161.98.1, on dev eno1
    Aug 8 23:30:48 Deluxe kernel: [19590.366538] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06 ........~.....
    Aug 8 23:30:48 Deluxe kernel: [19590.450452] IPv4: martian source 65.99.114.187 from 52.22.97.255, on dev eno1
    Aug 8 23:30:48 Deluxe kernel: [19590.450472] ll header: 00000000: d0 17 c2 ac 64 4b b0 90 7e 0e 88 19 08 00 ....dK..~.....
    Aug 8 23:30:48 Deluxe kernel: [19590.454533] IPv4: martian source 65.99.122.56 from 65.99.122.1, on dev eno1
    Aug 8 23:30:48 Deluxe kernel: [19590.454551] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06 ........~.....
    Aug 8 23:30:48 Deluxe kernel: [19590.548524] IPv4: martian source 173.44.97.94 from 173.44.97.1, on dev eno1
    Aug 8 23:30:48 Deluxe kernel: [19590.548549] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06 ........~.....
    Aug 8 23:30:48 Deluxe kernel: [19590.634221] IPv4: martian source 69.161.98.248 from 69.161.98.1, on dev eno1
    Aug 8 23:30:48 Deluxe kernel: [19590.634241] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06 ........~.....
    Aug 8 23:30:48 Deluxe kernel: [19590.650058] IPv4: martian source 65.99.114.187 from 104.244.42.194, on dev eno1
    Aug 8 23:30:48 Deluxe kernel: [19590.650076] ll header: 00000000: d0 17 c2 ac 64 4b b0 90 7e 0e 88 19 08 00 ....dK..~.....
    Aug 8 23:30:48 Deluxe kernel: [19590.671690] IPv4: martian source 65.99.114.187 from 52.22.97.255, on dev eno1
    Aug 8 23:30:48 Deluxe kernel: [19590.671708] ll header: 00000000: d0 17 c2 ac 64 4b b0 90 7e 0e 88 19 08 00 ....dK..~.....
    Aug 8 23:30:49 Deluxe kernel: [19590.757104] IPv4: martian source 69.161.99.143 from 69.161.99.1, on dev eno1
    Aug 8 23:30:49 Deluxe kernel: [19590.757125] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06 ........~.....
    Aug 8 23:30:49 Deluxe kernel: [19590.866503] IPv4: martian source 69.161.105.205 from 69.161.104.1, on dev eno1
    Aug 8 23:30:49 Deluxe kernel: [19590.866525] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06 ........~.....
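An added example, not part of any post in this thread, that reproduces the reverse-path check behind these messages on the log lines and routing tables posted above. In the kernel's "martian source A from B, on dev X" line, A is the destination address and B the source; the `ll header` bytes are the 14-byte Ethernet header (destination MAC, source MAC, EtherType: 0x0800 is IPv4, 0x0806 is ARP). Under strict reverse-path filtering (net.ipv4.conf.<dev>.rp_filter=1) a packet is treated as martian when the best route back to its source does not leave via the interface it arrived on; loose mode (rp_filter=2) only requires that some route to the source exist, and the message is only written when log_martians is enabled for that interface. The ARP receive path runs the same route lookup on the sender address of incoming ARP requests, which is why broadcast ARP frames show up in the second log with an IPv4 prefix. The script parses both `route -n` tables from the first post (before and after the tunnel came up), one IPv4 entry and one ARP entry from the posted logs, and reports the return-path interface and the strict/loose verdict under each table. The only thing it assumes beyond the thread's own data is the simplified strict/loose model described here.

```python
"""Reverse-path (rp_filter) check of kernel 'martian source' log lines.

Added example; the routing tables and log lines are copied from the thread.
Nothing here comes from the OpenVPN, AirVPN or kernel code bases.
"""
import ipaddress
import re

# `route -n` from the first post, before the tunnel is up.
ROUTE_N_BEFORE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eno1
10.171.32.0     0.0.0.0         255.255.255.0   U     0      0        0 lxdbr0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno1
"""

# Same host shortly after OpenVPN added its two /1 routes and the gateway /32.
ROUTE_N_AFTER = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.28.169.1     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eno1
10.28.169.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.171.32.0     0.0.0.0         255.255.255.0   U     0      0        0 lxdbr0
128.0.0.0       10.28.169.1     128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
184.75.221.178  192.168.1.1     255.255.255.255 UGH   0      0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno1
"""

# One IPv4 entry from the first post and one ARP entry from the modem test.
LOG = """\
Aug 8 17:16:28 Deluxe kernel: [12972.603549] IPv4: martian source 192.168.1.100 from 34.210.182.212, on dev eno1
Aug 8 17:16:28 Deluxe kernel: [12972.603572] ll header: 00000000: d0 17 c2 ac 64 4b c4 e9 84 48 79 32 08 00 ....dK...Hy2..
Aug 8 23:30:44 Deluxe kernel: [19586.154497] IPv4: martian source 209.42.140.126 from 209.42.140.1, on dev eno1
Aug 8 23:30:44 Deluxe kernel: [19586.154518] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06 ........~.....
"""

MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
# Exactly the 14 bytes of an Ethernet header; the ASCII dump after them is ignored.
LL_RE = re.compile(r"ll header: 00000000: ((?:[0-9a-f]{2} ){13}[0-9a-f]{2})")
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def parse_routes(route_n_output):
    """Return (network, iface) pairs from `route -n` text, skipping header lines."""
    routes = []
    for line in route_n_output.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue
        # ipaddress accepts the dotted Genmask directly as the prefix.
        routes.append((ipaddress.ip_network(f"{f[0]}/{f[2]}"), f[7]))
    return routes


def reverse_path_iface(routes, src):
    """Longest-prefix match: the interface the kernel would route `src` out of."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def parse_martians(log_text):
    """Pair each 'martian source' line with the 'll header' line after it."""
    events = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = MARTIAN_RE.search(line)
        if not m:
            continue
        # The kernel prints the destination address first, the source second.
        ev = {"dst": m.group(1), "src": m.group(2), "dev": m.group(3)}
        h = LL_RE.search(lines[i + 1]) if i + 1 < len(lines) else None
        if h:
            raw = bytes.fromhex(h.group(1).replace(" ", ""))
            ev["dst_mac"] = raw[0:6].hex(":")
            ev["src_mac"] = raw[6:12].hex(":")
            etype = int.from_bytes(raw[12:14], "big")
            ev["ethertype"] = ETHERTYPES.get(etype, hex(etype))
        events.append(ev)
    return events


def rp_filter_verdict(ev, routes, mode):
    """Simplified model of net.ipv4.conf.<dev>.rp_filter: 0 off, 1 strict, 2 loose.

    Strict fails when the best route back to the source does not leave via the
    ingress device; loose fails only when no route to the source exists.
    """
    back = reverse_path_iface(routes, ev["src"])
    if mode == 1:
        return "martian" if back != ev["dev"] else "ok"
    if mode == 2:
        return "martian" if back is None else "ok"
    return "ok"


if __name__ == "__main__":
    tables = {"before": parse_routes(ROUTE_N_BEFORE), "after": parse_routes(ROUTE_N_AFTER)}
    for ev in parse_martians(LOG):
        print(f"{ev['ethertype']} from {ev['src']} ({ev.get('src_mac')}) in on {ev['dev']}")
        for name, routes in tables.items():
            print(f"  {name:6s}: return path {reverse_path_iface(routes, ev['src'])}, "
                  f"strict={rp_filter_verdict(ev, routes, 1)}, loose={rp_filter_verdict(ev, routes, 2)}")
```

Run against the pre-VPN table, both sources route back out eno1 and nothing is flagged; against the post-VPN table the 0.0.0.0/1 and 128.0.0.0/1 routes send every public source back via tun0, so both are martian in strict mode and clean in loose mode. The interface's effective mode is the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.eno1.rp_filter, so check both with sysctl before deciding whether the messages are the filter working as intended.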
Flx Posted ...

> 1 hour ago, cboettcher said:
> I do have phones and laptops connected to the router via wireless (and wired) interfaces, but the traffic that I'm seeing is reported within a log that's on a node in the local network (a desktop, whose IP is 192.168.1.100) and not a router.

I can see that. Unless local network access is required by any WiFi-connected devices, ALWAYS connect them in Guest mode (no access to your local network). The before and after routing tables posted above are from your desktop (192.168.1.100) connected to OpenWRT.
cboettcher Posted ...

Sorry, let me do that last test again, as I'm not sure if I disconnected and reconnected the openvpn client at the right moment.
Flx Posted ...

> 2 minutes ago, cboettcher said:
> Sorry, let me do that last test again, as I'm not sure if I disconnected and reconnected the openvpn client at the right moment.

OK, @Staff may be able to help you out on this further. Go through the linked topic above and see what a mess Android/iPhone/tablet devices can do when you allow them local network access.
Flx Posted ...

> 2 hours ago, cboettcher said:
> DHCPOFFER of <ip address> from 10.246.16.1
> DHCPACK of <ip address> from 10.246.16.1

If the AirVPN IP range (10.x) conflicts with your ISP IP range (10.x), that might be the cause of your problem. Can you change it from 10.x to 192.168.1.10-192.168.1.254 in your ISP modem (Network Settings)?