Martian Packets 386.3_2 AC68U for DMZ / port forwarding

[FCM]

Running on latest firmware and a linux box on lan is constantly complaining about martian packets.

They start appear when the specific host is placed in the DMZ or I forward ports to it.


The box has two NICs, each on its own lan.

If i disable port fowarding / DMZ, the problem goes away.

Any ideas?

Thanks.

 

[ColinTaylor]

The box has two NICs, each on its own lan.

What is the network address and netmask of each of the NICs?

Can you post a sample of some of the martian syslog messages.

 

[FCM]

Nov 18 13:09:15 hal9002 kernel: IPv4: martian source 192.168.1.51 from 186.105.166.182, on dev eno1
Nov 18 13:09:15 hal9002 kernel: ll header: 00000000: 70 8b cd 4c 7a 1f 78 24 af e5 92 60 08 00
Nov 18 13:09:16 hal9002 kernel: IPv4: martian source 192.168.1.51 from 186.105.166.182, on dev eno1
Nov 18 13:09:16 hal9002 kernel: ll header: 00000000: 70 8b cd 4c 7a 1f 78 24 af e5 92 60 08 00
Nov 18 13:09:18 hal9002 kernel: IPv4: martian source 192.168.1.51 from 186.105.166.182, on dev eno1
Nov 18 13:09:18 hal9002 kernel: ll header: 00000000: 70 8b cd 4c 7a 1f 78 24 af e5 92 60 08 00
Nov 18 13:09:22 hal9002 kernel: IPv4: martian source 192.168.1.51 from 186.105.166.182, on dev eno1
Nov 18 13:09:22 hal9002 kernel: ll header: 00000000: 70 8b cd 4c 7a 1f 78 24 af e5 92 60 08 00
Nov 18 13:09:30 hal9002 kernel: IPv4: martian source 192.168.1.51 from 186.105.166.182, on dev eno1
Nov 18 13:09:30 hal9002 kernel: ll header: 00000000: 70 8b cd 4c 7a 1f 78 24 af e5 92 60 08 00

And I got everything off, no portfowarding, no DMZ.

the E5:92:60 is the router's LAN MAC address (gateway)
the 7A 1F 78 is the eno1 MAC address (linux box)

 

[ColinTaylor]

Can you provide details on the second NIC.

You originally said the messages stopped when you disabled port forwarding or DMZ. Is that no longer the case?

If the external IP address always the same (186.105.166.182)?

Are you in Chile?

 

[FCM]

It happens no matter if I have port forwarding / dmz enabled. Seems to be occurring less when they are disabled.

I'm not in Chile, actually in Europe.

It's not always the same IP.

Second NIC is connected to an N66U with it's own ISP. That router exhibits the same problem, which is strange.

I'm using netplan, if that's relevant. Also running Deluge which connects via upnp.

Nov 18 16:21:50 hal9002 kernel: ll header: 00000000: c0 06 c3 02 95 d6 78 24 af 99 36 60 08 00
Nov 18 16:21:50 hal9002 kernel: IPv4: martian source 192.168.100.51 from 192.168.100.51, on dev eno2

95 D6 is eno2 MAC on the linux box
36 60 is the N66U mac

Here's the netplan config on the linux box:

# This is the network config written by 'subiquity'
network:
  ethernets:
    enp0s31f6:
     #dhcp4: yes
     dhcp4: no
     dhcp6: no
     addresses: [192.168.1.51/24]
     match:
       macaddress: 70:8b:cd:4c:7a:1f
     set-name: eno1
     nameservers:
       addresses: [8.8.8.8,8.8.4.4]
     routes:
       - to: default
         via: 192.168.1.1
         metric: 1000

    enp7s0:
     optional: true
     dhcp4: no
     dhcp6: no
     addresses: [192.168.100.51/24]
     match:
      macaddress: c0:06:c3:02:95:d6
     set-name: eno2
     nameservers:
       addresses: [8.8.8.8,8.8.4.4]
     routes:
       - to: default
         via: 192.168.100.1
         metric: 100
  version: 2
  renderer: networkd

 

[ColinTaylor]

My guess is that this is actually a routing issue on the N66U side. Linux will create the martian errors messages if detects traffic on one network interface that it thinks ought to be on another interface. In this case there appears to be some sort of loopback happening on eno2/N66U.

If you disable eno2 I suspect the messages will stop.

 

[FCM]

It does happen on eno1 as well, but I've disabled eno2 just to try this. I'll report back.

N66U is running John's fork btw, connected to an ADSL Huawei router running in bridge mode. The famouse mediarouter.home certificate router from Huawei .

 

[FCM]

After using exclusively the N66U, it seems the problem is only on that device.

What should I do to work it out, what could be causing it? Could the router be faulty in terms of hardware?

 

[ColinTaylor]

I don't know how you have configured your devices or how you intend for them to work with these two networks. Your config in post #5 suggests you're routing everything on that PC through the N66U's ADSL connection.

 

[FCM]

Yes, I've tried to configure it so that while both connections are active, the traffic favors the ADSL. Would that generate this "martian packets" problem, is it simply enough to drop the metric settings?

Anyway, I've started a separate, more detailed thread here: https://www.snbforums.com/threads/n...ebind-attack-detected-dns-msftncsi-com.75784/

 

[ColinTaylor]

Yes, I've tried to configure it so that while both connections are active, the traffic favors the ADSL. Would that generate this "martian packets" problem, is it simply enough to drop the metric settings?

Anyway, I've started a separate, more detailed thread here: https://www.snbforums.com/threads/n...ebind-attack-detected-dns-msftncsi-com.75784/

Creating a duplicate thread for the same problem is bad form as it wastes people's time.

 

[FCM]

It's not the same problem, I've actually further refined it to the N66U and John's fork. This thread should be considered closed by all means. Thank you for your replies.