Messy Network Issue

[Chain_Reaction]

I have a Belkin N750DB Router. I have had it connected to my cable modem from my ISP. I discovered by accident 2 days ago when looking for a shared printer in Linux, that I can see my neighbors computers in my Workgroup. These computers are not comeing in through Wifi, these computers are on here because they are connected to the same ISP as me. I am told this is because my ISP treats my area as a LAN because of a "large group of customers connecting in a small area" (1 apartment complex). These computers are visible, as well as the router and my own computers, in this workgroup- even if I look in windows 7, XP or in Ubuntu. Is this an issue with my router that Belkin needs to be fixing? Or is this an issue with my ISP allowing a set of traffic through? Do I need to report them or tell them to get it fixed?
I am able to secure the mess temporarily on my end, by placing a Linksys wrt54G with DDWRT between the modem and router, and allowing the Linksys to act as a router/firewall with the N750DB acting as a seperate router. And there is some latency with this setup. Do they make a device that I can place between the modem and router to act as a firewall and block some of this traffic without the latency? What would it be called?

 

[jdabbs]

I'd ping using the hostname of one of your neighbor's devices. If the hostname resolves to the same subnet as your PC, then either
1) your router is not cabled/configured properly,
2) if the apartment provides cabling, it is not properly isolated between tenants,
3) they are connecting over wireless (most likely).

If the IP is one from your ISP, then verify your router is not in DMZ or bridge mode, and double check cabling.

Edit: You are on a Wireless ISP. Is that really a cable modem? Model number, please.

 

[Chain_Reaction]

modem version- Ubee U10C01880 ISP owned

Removed DDWRT router- connected belkin router to modem
looked in windows 7 network list- foregin pc's sprang up
Changed subnet of my router from 255.255.255.0 to 255.255.0.0 and refreshed, foregin pc's still there
Changed subnet of my router from 255.255.0.0 to 255.255.255.255 and refreshed, foregin pc's still there
Changed subnet of my router from 255.255.255 to 255.0.0.0 and refreshed, foregin pc's still there

when trying to ping these foregin pc's i get error "cannot find host"
can ping my own router which is listed as "Router" just fine as well as a workstation I enabled for this purpose

Removed router cloned the router mac to my pcs network card and direct connected to the modem
did another search and listed 4 new foregin pc's
Ping was blocked to foregin pc's

Wireless security has been enabled since I installed the router. WPA is enabled for 2.4ghz (due to an XP station) WPA2 enabled on 5ghz, guest account disabled.

 

[jdabbs]

modem version- Ubee U10C01880 ISP owned

Removed DDWRT router- connected belkin router to modem
looked in windows 7 network list- foregin pc's sprang up
Changed subnet of my router from 255.255.255.0 to 255.255.0.0 and refreshed, foregin pc's still there
Changed subnet of my router from 255.255.0.0 to 255.255.255.255 and refreshed, foregin pc's still there
Changed subnet of my router from 255.255.255 to 255.0.0.0 and refreshed, foregin pc's still there

when trying to ping these foregin pc's i get error "cannot find host"
can ping my own router which is listed as "Router" just fine as well as a workstation I enabled for this purpose

The success of the ping is irrelevant--just need to know what network they are in (which you can glean from the resolved IP). Don't change subnets. Let's try a different approach:
What is your IP? Check using ipconfig. Don't use online tools.
What is an IP of one of the neighbor's PCs that shows up when only the Belkin router is between your PC and the cable modem? Ping their hostname and check the IP that comes up in the output (first line, in brackets).

Removed router cloned the router mac to my pcs network card and direct connected to the modem
did another search and listed 4 new foregin pc's
Ping was blocked to foregin pc's

Are you connecting the PC directly to the cable modem, or connecting the Belkin router to the modem?

Wireless security has been enabled since I installed the router. WPA is enabled for 2.4ghz (due to an XP station) WPA2 enabled on 5ghz, guest account disabled.

Having both SSIDs secured with a not easily guessable password would help rule out wireless piggybacking. Adding a password or disabling guest access after the fact would stop them from being able to connect, but would not remove PCs in the network browser immediately thanks to caching.

 

[Chain_Reaction]

What is an IP of one of the neighbor's PCs that shows up when only the Belkin router is between your PC and the cable modem? Ping their hostname and check the IP that comes up in the output (first line, in brackets).

The ping command comes back "could not find host". Using a program from Nirsoft called NetResView I was able to see these alien computers as well, and it was unable to enumerate IP addresses for these aliens as well.

On a hunch I checked out the firewall log of the Belkin and I seen for example: process_browse_packet: Discarding datagram from IP 74.xxx.xx.xxx. Source name ROUTER<00> is one of our names ! Source name ROUTER<00> is one of our names !

The 74 area IP is other ip's comeing from my isp, a search online verified this, and the ip's are similar to my own until the last 3 numbers. If I am understanding it correctly, it is refusing traffic from a device calling itself "router" from another IP.

Upon further reading, These alien computers listed in the windows network viewer began appearing by name and by IP, and the IP's are listed are not my own WAN IP but in the same block.
The firewall message was: process_local_master_announce: Server SHAW-PC at IP 74.xxx.xx.xxx is announcing itself as a local master browser for workgroup WORKGROUP and we think we are master. Forcing election.

If I am understanding that correctly, it's saying "Shaw-pc says it is allowed to be listed as part of the workgroup".

Are you connecting the PC directly to the cable modem, or connecting the Belkin router to the modem?

For an expierment to see if they came ip I connected PC to Modem. And it still listed them- and a few more.

Having both SSIDs secured with a not easily guessable password would help rule out wireless piggybacking. Adding a password or disabling guest access after the fact would stop them from being able to connect, but would not remove PCs in the network browser immediately thanks to caching.

The Password is 12 digit alphanumeric and guest access was disabled by default on the router.

 

[jdabbs]

I am unwilling to help you troubleshoot if I ask you to do A and you do A, B, and C. Since you bypassed both routers the tests are inconclusive--the computers visible could be cached.

Modem<>Belkin router<>computers. If this isn't your current configuration, set it up. Power off all the computers. Once all of them are off, reboot the router and bring them up. If any neighbor PCs pop up, ping them to get their IP address. Report those IPs as well as one of the PCs on your network.

 

[Chain_Reaction]

I am unwilling to help you troubleshoot if I ask you to do A and you do A, B, and C. Since you bypassed both routers the tests are inconclusive--the computers visible could be cached.

Not if cache is being cleared before each check and if I am double checking on a second computer. How many times can I say- the computers that do not belong are unpingable. Bypassing the router and plugging in directly was just an expierament.

Modem<>Belkin router<>computers. If this isn't your current configuration, set it up. Power off all the computers. Once all of them are off, reboot the router and bring them up. If any neighbor PCs pop up, ping them to get their IP address. Report those IPs as well as one of the PCs on your network.

I've said multiple times already these computers CANNOT be pinged. The IP's themselfs for the computers are stated in the belkin routers firewall log and when the local network IP's start with 192 and these start with 74 I think it's obvious whats happening.

It's appearing to me that the ISP is not isolating it's users in the complex, as a result the belkin router is seeing this traffic and thinking its just connected to a switch to a larger network and is fowarding the windows networking protocol. Since the router is configured by belkin to have a samba server (linux based router with print and disk shareing) thats why the router also appears.

 

[thiggins]

It's been a long time since I heard of an ISP letting NetBIOS traffic through its cable modems. Shocked the hell out of me way back when cable Internet first came out.

But even if the ISP is letting NetBIOS traffic through, your router shouldn't allow it through the NAT firewall unless you are purposely opening ports.

Sounds like you might want to contact Belkin support. Or get another router.

 

[Chain_Reaction]

It's been a long time since I heard of an ISP letting NetBIOS traffic through its cable modems. Shocked the hell out of me way back when cable Internet first came out.

But even if the ISP is letting NetBIOS traffic through, your router shouldn't allow it through the NAT firewall unless you are purposely opening ports.

Sounds like you might want to contact Belkin support. Or get another router.

I just wanted to say thank you to jdabbs and thiggins for getting back to me about all this. It was the most help I actually got and sent me down the right path.
I have spoken with Belkin quite a lot the past several days including one of their senior techs, and they have helped me figure out whats going on. Part of it is my ISP is not blocking ports 135 & 139 and some other stuff, and while I can see my neighbors they cannot see me or access me in any way. I put my old trusted DDWRT box between the Belkin and the modem to be on the safe side while I look at firewall VPNs and/or a move to Century Link. I've been considering a Zywall or Sonicwall box for ages anyways.

 

[thiggins]

Sounds like the Belkin's NAT firewall is doing its job by blocking all inbound traffic. But since it doesn't allow you to block outbound services, you can't ensure that NETBios traffic doesn't go outbound.

You don't really have to go VPN. Just the additional firewall does the trick.

 

[jdabbs]

Not if cache is being cleared before each check and if I am double checking on a second computer. How many times can I say- the computers that do not belong are unpingable. Bypassing the router and plugging in directly was just an expierament.

NetBIOS is tricky. Restarting one computer will not help if another is the master browser. The less you have to second-guess, the better.

I've said multiple times already these computers CANNOT be pinged. The IP's themselfs for the computers are stated in the belkin routers firewall log and when the local network IP's start with 192 and these start with 74 I think it's obvious whats happening.

I was only interested in any computers that showed up in the network neighborhood. Still am.

It's appearing to me that the ISP is not isolating it's users in the complex, as a result the belkin router is seeing this traffic and thinking its just connected to a switch to a larger network and is fowarding the windows networking protocol. Since the router is configured by belkin to have a samba server (linux based router with print and disk shareing) thats why the router also appears.

I'll fill in any blanks the Belkin tech left. NetBIOS broadcasts on the local subnet. When your router receives a packet, it has to decide what to do with it. If it is coming from the public side, the answer is never to "send it to everybody on the internal network." Those packets are dropped, unless there's a firewall rule explicitly allowing it (inc. DMZ mode), and then only to the specified PC. Likewise, broadcast packets are not sent out to the Internet (a good thing, imagine the amount of traffic if all 3+ billion network devices communicated with every other one simultaneously). Your NetBIOS broadcast traffic stays on the private side of your router.

 

[Chain_Reaction]

NetBIOS is tricky. Restarting one computer will not help if another is the master browser. The less you have to second-guess, the better.

I was only interested in any computers that showed up in the network neighborhood. Still am.

I'll fill in any blanks the Belkin tech left. NetBIOS broadcasts on the local subnet. When your router receives a packet, it has to decide what to do with it. If it is coming from the public side, the answer is never to "send it to everybody on the internal network." Those packets are dropped, unless there's a firewall rule explicitly allowing it (inc. DMZ mode), and then only to the specified PC. Likewise, broadcast packets are not sent out to the Internet (a good thing, imagine the amount of traffic if all 3+ billion network devices communicated with every other one simultaneously). Your NetBIOS broadcast traffic stays on the private side of your router.

After talking with belkin some more and actually looking at some of the firmware for this router series (opensource) I know what is going on.

It has to do with how this series of router handles printer and file shareing within in its own software. The router is Linux based. The shareing is actually handled by a tweaked version of Samba in the firmware. If I plug in a printer or a flash drive to the routers USB ports, the computers appear because Samba is then activated and becomes a master browser. If I remove it and restart the router- the computers actually vanish because samba is then in more or less an inactive state.

It's how they have Samba configured with IPtables that is most likely the problem. The computers are listed because samba becomes active and then the router itself becomes a master browser to host the services on the Lan side. However access to them on the wan side is actually blocked by iptables.

Haveing a trusted friend check with his computer on the same ISP- he could not see my computers that had windows file and printer shareing enabled, however I could see his but not access it. My hunch is that the glitch completely lays in how they configured Samba and IPtables to work together.

I am sure it would not be too difficult with the firmware being opensource to actually tweak the software and disable samba completely or fix the glitch ones self (not using belkins proprietary software to access printer shareing would be nice too). I do know they are still adding features to this router.

I only noticed it because I am using an ISP that is stuck in 1998 and uses NAT as a work around to stave off IPv6 (cant blame them for it yet), does not isolate users, and does not block ports 135 and 139 and several others.

 

[kanewolf]

One simple thing that I haven't seen listed, is to change the name of your workgroup from the default. I have always been told that should be a basic home networking step. One of the posts specifically showed "WORKGROUP" as the workgroup name.

 

[Chain_Reaction]

One simple thing that I haven't seen listed, is to change the name of your workgroup from the default. I have always been told that should be a basic home networking step. One of the posts specifically showed "WORKGROUP" as the workgroup name.

While it would create a new workgroup only for my computers if I name it randomly enough, the problem would still be there.

In Network Neighborhood you can also see alternatively named workgroups. I've seen "MSHOME" appear for a short time as well as the name of a business listed before- albeit both for a short time. Plus the router is defaulted to use "Workgroup" since the router is acting as a master browser and also appears in the listed computers. That part is unchangeable without reworking the firmware.