Network security questions

[JPmedia]

I changed my LAN IP address range a few days ago from 192.169.X.XXX to 192.168.X.XXX on advice from more experienced users on the board due to odd issues with my security cams.

Yesterday I noticed changes to the settings of one of my LPR cams and this morning, I woke up to one of my backyard cams being offline with "Invalid username or password" displayed on that channel. A check of the recording timeline shows it went offline at 4:33 AM. I reconnected it at 5:42am and it was back to normal.

I've been checking firewall settings, EST security settings and did a scan of IP addresses from the Advanced IP scanner

The scanner turned up 7 active IP addresses from the previous IP range 192.169.X.XXX that have no mac addresses. I can ping them and get a response, but the connection times out if I enter the IP address in a browser. These IP addresses NEVER showed up in the past with scan, so it makes me wonder what changed.

I have attached screenshots of the scan results and a trace of one of the addresses. A trace on any of those 192.169.X.XXX addresses reveals the same results

 

[JPmedia]

A little whatis/whois search shows that all of the domains in the trace are parts of AT&T which is our internet provider. I just wonder why they show up now and not in previous searches?

 

[bigredfish]

#1 you need to check your router, and maybe have someone with networking experience look at it.

Make 100% sure you are not port forwarding and do not have UpNp enabled.

Your NVR is a PoE model?, if so are ALL cameras plugged into this and have 10.1.1.X addresses?

Any stray wifi or other cams or devices on the old 192.169 range?

Your router should be allocating one DHCP pool in the 192.168.1.X range for your LAN devices
Is the ATT Arris provided by your internet provider your sole and only modem/router combo?

* Note I hate combo Modem/routers. I demand my provider give me a modem I can set in pass through mode, with admin rights, and buy my own router to manage my network.

 

[wittaj]

+1 above.

ISP supplied combo modem/routers are evil.

The benefit to having your own router is control of your bandwidth. Some ISPs tout their far reaching wifi hotspots as a selling point to use their mobile service.

When using an ISP issued router, they can use it as a hotspot for their other customers without your approval or knowledge, which depending on that persons use, could slow down your internet speeds.

Maybe those unknown IPs are their customers connecting to your system.

Don't believe me, turn on to allow you to connect to an ISP hotspot and walk around your neighborhood and see if you find which neighbors are providing that without them knowing it LOL.

Or go to your ISP and see if they have a map showing the wifi hotspots that are clearly at a residential house:

 

[JPmedia]

#1 you need to check your router, and maybe have someone with networking experience look at it.

I checked and did not see anything that would raise a red flag, then again, my IT experience is limited

Make 100% sure you are not port forwarding and do not have UpNp enabled.

I could not find a selection for these functions anywhere in the settings. Maybe I'm missing it

Your NVR is a PoE model?, if so are ALL cameras plugged into this and have 10.1.1.X addresses?

Yes

Any stray wifi or other cams or devices on the old 192.169 range?

Not that I am aware of

Your router should be allocating one DHCP pool in the 192.168.1.X range for your LAN devices
Is the ATT Arris provided by your internet provider your sole and only modem/router combo?

It only shows one range of IP addresses for DHCP 192.168.X.XXX. ATT is our internet provider, and we have an Arris BGW210-700 modem/router

 

[JPmedia]

Our neighbor also has ATT. This is the Nosey guy from the other thread. The same one that walked all the way across the street to look at the camera I just installed facing the cul-de-sac.

He and the neighbor next to him had a feud going on for years and the neighbor moved in 2020. I'm talking cameras pointed at each other Wi-Fi attacks, you name it. I'm not saying he's the one causing all this, but he certainly has the experience and know how.

Now that I think of it, these issues with odd behavior started soon after I installed that camera .... hmmmm

 

[JPmedia]

I need to figure out how to temporarily disable Wi-Fi on the Arris to confirm if it is coming from there. I certainly believe it could be.

 

[JPmedia]

All those 192.169.2.XXX addresses have no mac addresses, I don't believe they are hardware, I think they are IP addresses assigned to virtual machines.

It has to be someone who is able to see changes made to my LAN/devices on a real-time basis, because I make a change (password, IP, etc.) and soon after the shenanigans continue

 

[bigredfish]

You will continue to have problems of various kinds as long as you rely on that single box for your modem and router.

Its been a while since I was in one at my buddies house, but there are menus under ?Firewall

Wifi itself isnt really the biggest problem. Finding out why those 192.169 addresses are inside your network would be my first concern

 

[JPmedia]

You will continue to have problems of various kinds as long as you rely on that single box for your modem and router.

Its been a while since I was in one at my buddies house, but there are menus under ?Firewall

Wifi itself isnt really the biggest problem. Finding out why those 192.169 addresses are inside your network would be my first concern

I disabled Wi-Fi, disabled broadband and had 103 alive IP addresses, none with mac addresses. That tells me it's something internal as there was no connection to the outside with those 2 disabled. Maybe it's something with the ATT equipment?

 

[JPmedia]

You will continue to have problems of various kinds as long as you rely on that single box for your modem and router.

Its been a while since I was in one at my buddies house, but there are menus under ?Firewall

Wifi itself isnt really the biggest problem. Finding out why those 192.169 addresses are inside your network would be my first concern

I bought the ASUS RTX 1800 router for VPN, but it was un-needed for remote viewing with the P2P, so I sent it back. I guess I need to get another one and enable pass-through on the Arris modem?

Can you exclude a range of IP addresses on the Asus?

 

[bigredfish]

You can isolate it to just one WAN address yes.

Those 192.169 addresses could be local hot spots of other users in the area? Or something else.?

Where are you seeing these IPs? On what device?

Not a network engineer so I can’t say what you’re seeing unfortunately.

I need more coffee

 

[JPmedia]

Those 192.169 addresses could be local hot spots of other users in the area? Or something else.?

I don't see how. Wi-Fi was disabled both on the Arris device and on the laptop I use. I was (and am) using the ethernet connection on my laptop currently

Where are you seeing these IPs? On what device?

On Advanced IP Scanner which I downloaded here: Advanced IP Scanner - Download Free Network Scanner

It is very useful for finding device IP addresses that are not known. You can specify ranges of IP and it will find IPs that are alive, dead or unknown

Not a network engineer so I can’t say what you’re seeing unfortunately.

Neither am I. I was certified Comp TIA and Comp A+ back in the early to mid 2000's, but never put it to use, so I forgot a LOT of what I learned and never advanced with the changes in technology. I have just enough knowledge to fuck things up and get myself in trouble

 

[bigredfish]

Yeah I use a similar tool called network analyzer but it shows too much info to show a screen grab here

So your Arris is showing your connection to the Interwebs as a DSL connection. That may be why you’re seeing those IPs. I don’t think they’re internal to your house.

I recall my buddy who had a similar ATT DSL connection and ARRIS modem. Finally convinced him to get a new provider.

Still if you can get the Arris set to pass through and install your own router, you’ll be much better off and be in better control of your network

 

[JPmedia]

So your Arris is showing your connection to the Interwebs as a DSL connection. That may be why you’re seeing those IPs. I don’t think they’re internal to your house.

I really couldn't tell you. I do know that while the router was physically connected to the DSL line, Broadband and Wi-Fi were disabled on the Arris device and Wi-Fi was disabled on the laptop I use.

I do know that a trace on all of those IP addresses comes back to ATT as the owner

I recall my buddy who had a similar ATT DSL connection and ARRIS modem. Finally convinced him to get a new provider.

Unfortunately, we have only 2 choices for internet provider here, ATT and Spectrum. ATT isn't great, but Rectum is horrible, I've had it before.

Still if you can get the Arris set to pass through and install your own router, you’ll be much better off and be in better shape control of your network

So how do I secure Wi-Fi so that I keep out the nut across the street or any other idiot looking for a free ride? The first thing I would want to do is exclude a range of IP addresses, namely the 192.169.X.XXX range to see if that helps.

So I guess I order another RT1800 today

 

[wittaj]

Did you not read the part where I said with a combo router/modem your ISP could be using it as a hotspot?

Even if you turn wifi off, their hotspot could still be on....their equipment their rules.

I would consider swapping out their modem/router to just a modem.

 

[JPmedia]

Did you not read the part where I said with a combo router/modem your ISP could be using it as a hotspot?

Even if you turn wifi off, their hotspot could still be on....their equipment their rules.

I would consider swapping out their modem/router to just a modem.

I did read the hotspot comment, but with broadband and Wi-Fi disabled, I would imagine no hotspot.

I already asked ATT about the modem only - no dice, they don't or won't offer just the modem, I must enable pass-through mode. Less inventory to handle

So, I order the ASUS RT1800 again, yes?

 

[wittaj]

It is possible for an ISP to maintain a public Wi-Fi hotspot even if you disable the Wi-Fi on your modem/router. This hotspot functionality is often separate from the standard Wi-Fi network provided to your home, and they may have a dedicated access point on their equipment for this purpose that you cannot disable and that is what you are seeing.

Are you renting the modem/router? If so, or even if not, see if you can provide your own modem as well. You can usually pick one up for under $200. If you are renting, you make that up pretty quick.

 

[JPmedia]

Are you renting the modem/router? If so, or even if not, see if you can provide your own modem as well. You can usually pick one up for under $200. If you are renting, you make that up pretty quick.

Probably renting.

Acquiring, installing and configuring a modem along with router right now is just going to complicate the process right now. Not to mention if there is an issue with service beyond the service entrance, I'm on my own for support. And ATT will more than likely blame it on my equipment. Don't want to deal with that as well at the moment.

I need to start with one piece at a time and progress in steps. Don't want to get overwhelmed as that's when I say fuck it and procrastinate. Life isn't all about Secuity cameras, just ask my wife!

 

[JPmedia]

Ok, so I order the Asus RT1800? Sorry to keep asking nut I'm looking for confirmation before I go through ordering the same item I just returned