Seeking explanation: No explicit route to cable modem, yet can log onto cable modem from LAN wireless

jallanb

New Around Here
I have a very simple setup: AX3000 router ->(Ethernet "internet" WAN port) ->Arris SB8200 modem (Ethernet port)->Comcast Cable
LAN Address: 192.168.50.x (router @ 192.168.50.254)
Modem address (fixed by mfg): 192.168.100.1

I would think that the modem's web server (192.168.100.1) should not be accessible from my LAN (192.168.50.x), but it is. Question is why (the router's internet port is plugged directly into the modem's Ethernet port).

No entries exist in either my laptop or router routing tables.
The ARP cache on my laptop will show a successful connection for a time, but that's expected after making a successful connection.

Questions:
1. Why would the AX3000 allow (route) a connection from 192.168.50.x through its internet (WAN) port to the modem's Ethernet port @ 192.168.100.1? (There are two Ethernet ports available on the modem.)

2. What layer is the connection occurring at (link layer???)

3. Should this condition be happening and is it a security risk?

Thank you.
 

ColinTaylor

Part of the Furniture
1. Look at it this way: why wouldn't you be able to access the modem? 192.168.100.1 is just another non-local IP address. It's no different than any other address and would be accessed via the router's default gateway.

That said, there are some modems that only allow access from clients within the same subnet, i.e. having an IP address of 192.168.100.x. My modem doesn't have such a restriction.

3. Security risk? I'm not familiar with your particular modem. My modem requires a user ID and password to log into it.
 

eibgrad

Part of the Furniture
> No entries exist in either my laptop or router routing tables.

Not true. Your router has a default gateway specified, which means whenever there isn't an explicit route to a given destination, that's the route that should be chosen. And so 192.168.100.1 is routed over the WAN.

That's why calling the WAN the "internet" port is really a misnomer. It's actually more accurate to see the WAN port as the default gateway. Given the way a consumer router is typically used, it happens the default gateway usually leads to the public internet. But actually *anything* that lies upstream over the WAN is reachable in terms of routeability.
 

Justinh

Regular Contributor
I have the same setup. If you feel uncomfortable with the security risk, you can reduce it by Firewall > Network Services Filter and add 192.168.100.1 as a destination IP. That way you can't browse to it from the LAN.

 

SomeWhereOverTheRainBow

Part of the Furniture
> I have the same setup. If you feel uncomfortable with the security risk, you can reduce it by Firewall > Network Services Filter and add 192.168.100.1 as a destination IP. That way you can't browse to it from the LAN.

I imagine you could also limit the access to one specific client IP if you wanted to as well, but this would require making the client have a static IP assignment.
 

jallanb

New Around Here
Thank you everyone. I guess I should have asked the question this way:

Why did the route succeed at all given that 192.168.0.0/16 ( Range: 192.168.0.0 – 192.168.255.255 ) are defined as non-routable addresses? The modem is definitely sitting on the WAN port of the AX-3000 at 192.168.100.1.

With my 5 year old Linksys router, the only way I could get to the modem was to plug directly into one of its Ethernet ports (it wouldn't route from 192.168.50.x to the modem at 192.168.100.1). With the Asus AX-3000, the route goes through from 192.168.50.x to 192.168.100.1.

Shouldn't the definition of "unroutable" apply here? (And, by definition, the route shouldn't succeed?)

Thank you.
 

ColinTaylor

Part of the Furniture
> Why did the route succeed at all given that 192.168.0.0/16 ( Range: 192.168.0.0 – 192.168.255.255 ) are defined as non-routable addresses?

This is a common mistake. 192.168.0.0/16 is not non-routable. It is merely an address range allocated for private use. It is routable just like any other IP address.

Think of a corporate network with multiple offices, each with their own private IP network. Traffic is routed between these "private" networks just like any other network traffic.

The only restriction on private IP addresses is that they cannot be routed through the public internet. Therefore traffic with private addresses will be dropped by your ISP (not your router), because it is the ISP that controls what traffic goes onto the internet.
 

drinkingbird

Very Senior Member
> Thank you everyone. I guess I should have asked the question this way:
>
> Why did the route succeed at all given that 192.168.0.0/16 ( Range: 192.168.0.0 – 192.168.255.255 ) are defined as non-routable addresses? The modem is definitely sitting on the WAN port of the AX-3000 at 192.168.100.1.
>
> With my 5 year old Linksys router, the only way I could get to the modem was to plug directly into one of its Ethernet ports (it wouldn't route from 192.168.50.x to the modem at 192.168.100.1). With the Asus AX-3000, the route goes through from 192.168.50.x to 192.168.100.1.
>
> Shouldn't the definition of "unroutable" apply here? (And, by definition, the route shouldn't succeed?)
>
> Thank you.

As others have said, if that was the case, none of your traffic would work, since your internal IPs would be dropped by your router as non routable.

But luckily, that is not the case. All your router knows is that it has a default route pointing out the WAN port. Any IP that does not exist on your LAN (or on the router itself) will go out the WAN.

If your Linksys was using a /16 network mask that could have been the issue. Otherwise maybe it had some sort of firewall feature to block private IPs on the WAN or something.

Technically 127.0.0.0/8 and 169.254.0.0/16 are non-routable but most routers will in fact pass them just fine (with the exception of 127.0.0.1 which is likely already on the router as a loopback), but it is not a good idea to route these ranges.

The only truly non-routable IP is 0.0.0.0. But I wouldn't be surprised if some routers would let you hack a way for it to route, though it would be of little use and would be very problematic.

Back when subnetting was very strict, there was something called the "zero subnet". For example if you took 192.168.0.0/16 and divided it up into /24s, the 192.168.0.0/24 would NOT route. However that was changed long long ago and is not an issue anymore. Technically it is still in the IP specifications but everyone has eliminated the limitation, or never adhered to it in the first place. 20 years ago you had to specify "IP subnet-zero" in a Cisco router to get it to work, now it is default that way.

What you really should be asking is how you can reach this IP when it does not sit in the same subnet as the WAN port on your router. The cable modem has some special code in it to intercept this traffic as it attempts to reach your ISP's gateway, and respond back to you instead. Sort of a pseudo router functionality.
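
The routing behaviour discussed in this thread, as an added example that is not part of any poster's reply: a longest-prefix-match lookup showing why 192.168.100.1 leaves via the default route with a /24 LAN but would stay on the LAN with a /16 mask, plus a simplified model of the destination filter suggested above. The WAN subnet and gateway are constructed documentation addresses, the function names are hypothetical, and the filter is a sketch of the idea, not the Asus firmware's logic.

```python
import ipaddress

MODEM = "192.168.100.1"  # modem management address from the thread
# Constructed WAN values (documentation range), not from the thread
WAN_CIDR, WAN_GW = "203.0.113.0/24", "203.0.113.1"

def build_table(lan_cidr, wan_cidr, wan_gateway):
    """Routing table as (network, interface, next_hop); next_hop None means on-link."""
    return [
        (ipaddress.ip_network(lan_cidr), "LAN", None),
        (ipaddress.ip_network(wan_cidr), "WAN", None),
        (ipaddress.ip_network("0.0.0.0/0"), "WAN", wan_gateway),  # default route
    ]

def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [route for route in table if dst in route[0]]
    _net, iface, hop = max(matches, key=lambda route: route[0].prefixlen)
    return iface, hop

def forward_allowed(src, dst, blocked_dsts, exempt_srcs=()):
    """LAN-to-WAN filter: drop traffic to blocked destinations unless src is exempt."""
    blocked = {ipaddress.ip_address(b) for b in blocked_dsts}
    if ipaddress.ip_address(dst) in blocked:
        return src in exempt_srcs
    return True

table_24 = build_table("192.168.50.0/24", WAN_CIDR, WAN_GW)  # LAN from the thread
table_16 = build_table("192.168.0.0/16", WAN_CIDR, WAN_GW)   # hypothetical /16 mask

if __name__ == "__main__":
    print("/24 LAN:", lookup(table_24, MODEM))  # no LAN match, default route applies
    print("/16 LAN:", lookup(table_16, MODEM))  # treated as on-link on the LAN
    print("filtered client:", forward_allowed("192.168.50.10", MODEM, [MODEM]))
    print("exempt client:", forward_allowed("192.168.50.20", MODEM, [MODEM], ("192.168.50.20",)))
```
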
 

jallanb

New Around Here
Thank you everyone for the above routing short-course.

The last paragraph of Drinkingbird's about the modem responding back to my LAN makes the most sense to me.

Have been out of the field for quite a while, but do remember when Class A, B, C addresses and netmasks were really important at that time.

Thank you also about how 192.168.x.x are actually treated. It's been a good [re]education.
 
