Router phoning home???

[netware5]

@RMerlin,

I've just discovered that maybe my router is "phoning home". The following connection appears immediately after each boot and then after 1-2 minutes disappears:

tcp 0 0 <router WAN IP>:47172 104.27.145.248:https TIME_WAIT -
tcp 0 0 <router WAN IP>:50422 104.27.144.248:https TIME_WAIT -

You may see that there is no PID for this connection. Any ideas what is this? Both IP addresses are registered to Cloudflare Inc.

Source: whois.arin.net
IP Address: 104.27.145.248
Name: CLOUDFLARENET
Handle: NET-104-16-0-0-1
Registration Date: 3/28/14
Range: 104.16.0.0-104.31.255.255
Org: Cloudflare, Inc.
Org Handle: CLOUD14
Address: 101 Townsend Street
City: San Francisco
State/Province: CA
Postal Code: 94107
Country: UNITED STATES

Also I have a second question what is the ots process listening on TCP port 9998 on LAN side?

tcp 0 0 *:9998 *:* LISTEN 296/ots

 

[thelonelycoder]

That's for the Asuswrt-Merlin firmware update check :

dnsmasq[1072]: reply fwupdate.lostrealm.ca is 104.27.145.248

Please read the firmware change logs to be up to date.
There is nothing to worry about this.

 

[netware5]

That's for the Asuswrt-Merlin firmware update check :

dnsmasq[1072]: reply fwupdate.lostrealm.ca is 104.27.145.248

Please read the firmware change logs to be up to date.
There is nothing to worry about this.

Thanks It is my fault. I knew about fwupdate check, but my paranoia is too strong and I even never supposed that this is just "phoning to our safe home"

 

[RMerlin]

Also, note that all this call does is download a text file that contains a list of firmware versions for all models. If the version available is newer than what the router has, it downloads a second text file which contains the changelog.

The version check itself is also done locally on the router, so I don't even know which version nor which model you have. In fact, I know even less than that, since I use Cloudflare's CDN - that means the vast majority of connections don't even reach my server, and are answered from Cloudflare's cache, with no log for me to look at. So at this time (July 2017), I don't even get IP addresses (tho this might change if someday I'm forced to disable Cloudflare for any reason). All I get the the number of unique visitors per day/week/month, and from which countries. Cloudflare's metrics are quite limited.

Policy details are on the Wiki:

https://github.com/RMerl/asuswrt-merlin/wiki/Privacy-disclosure

 

[netware5]

Also, note that all this call does is download a text file that contains a list of firmware versions for all models. If the version available is newer than what the router has, it downloads a second text file which contains the changelog.

The version check itself is also done locally on the router, so I don't even know which version nor which model you have. In fact, I know even less than that, since I use Cloudflare's CDN - that means the vast majority of connections don't even reach my server, and are answered from Cloudflare's cache, with no log for me to look at. So at this time July 2017), I don't even get IP addresses (tho this might change if someday I'm forced to disable Cloudflare for any reason). All I get the the number of unique visitors per day/week/month, and from which countries. Cloudflare's metrics are quite limited.

Thanks Merlin! Yes I know how the fwupdate check works. I am not worried about what you will know about my router, because I have ultimate trust to you. I've just missed that this IP address belongs to your FW update check service. I just did whois and it returned Cloudflare. I never checked the IP of fwupdate.lostrealm.ca, but should. Sorry.