192.168.* outside local network?

[phx]

Quick question, and excuse my newbiness, but why is there a device 8 hops outside my local network that has the IP 192.168.1.1? It seems to be routed through another state no less, although it is within my ISP. It's also getting flagged in XArp by the SubnetFilter, which is why I became curious about it to begin with. Thanks.

edit:

Interesting ports on 192.168.1.1:
Not shown: 996 closed ports
PORT    STATE SERVICE    VERSION
21/tcp  open  ftp?
22/tcp  open  ssh        SCS sshd 2.0.12 (protocol 2.0)
23/tcp  open  tcpwrapped
179/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port21-TCP:V=4.76%I=7%D=10/6%Time=48EA843D%P=x86_64-unknown-linux-gnu%r
SF:(NULL,37,"421\x20Session\x20limit\x20reached,\x20closing\x20control\x20
SF:connection\r\n")%r(RTSPRequest,37,"421\x20Session\x20limit\x20reached,\
SF:x20closing\x20control\x20connection\r\n")%r(DNSVersionBindReq,37,"421\x
SF:20Session\x20limit\x20reached,\x20closing\x20control\x20connection\r\n"
SF:)%r(NCP,37,"421\x20Session\x20limit\x20reached,\x20closing\x20control\x
SF:20connection\r\n");
Device type: router|switch|PBX|encryption accelerator|WAP|general purpose
Running (JUST GUESSING) : Juniper embedded (95%), SMC embedded (89%), Vodavi embedded (88%), Cisco embedded (87%), D-Link embedded (86%), TRENDnet embedded (86%), Apple Mac OS X 10.3.X|10.4.X (86%), Juniper JUNOS 8.X (86%)
Aggressive OS guesses: Juniper Networks ERX-700 router (95%), SMC SMC7724M/VSW switch (89%), Vodavi XTS-IP PBX (88%), Cisco VPN 3000 Concentrator VPN platform (software version 4.7.2.D) (87%), Cisco VPN 3000 Concentrator VPN platform (software version 4.1.7.O) (87%), Cisco VPN 3030 Concentrator VPN platform (87%), Cisco VPN 3030 Concentrator VPN platform (software 4.7.2.F) (87%), D-Link DWL-624+ or TRENDnet TEW-432BRP wireless broadband router (86%), Apple Mac OS X 10.3.9 (Panther) (Darwin 7.9.0, PowerPC) (86%), Apple Mac OS X 10.3.9 (Panther) - 10.4.7 (Tiger) (Darwin 7.9.0 - 8.7.8, PowerPC) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 8 hops

[digip]

Quick question, and excuse my newbiness, but why is there a device 8 hops outside my local network that has the IP 192.168.1.1? It seems to be routed through another state no less, although it is within my ISP. It's also getting flagged in XArp by the SubnetFilter, which is why I became curious about it to begin with. Thanks.

IS your IP in this range: 192.168.1.1, either by way of your ISP or your local LAN/Router setup?

What ISP, and do you have a Business account or Residential account? I had read about a guy who was able to login to the LAN of his ISP because be had a Business account and he could see all the devices on his lan segment. The ISP said it was because he was a Business customer, and his IP was part of the networks subnet. Not somehting I think should be possible but an happen, but I would just change your IP class/range on your router and then see what happens. Set it to somehting like the 10.0.0.0/255 range.

[phx]

What ISP, and do you have a Business account or Residential account?

frontiernet, it's supposedly a business account, but I know nothing about it other than that

[phx]

IS your IP in this range: 192.168.1.1, either by way of your ISP or your local LAN/Router setup?

the local subnet is 192.168.254.

[Sparda]

Some ISPs use addressing that would normally be reserved for use on a LAN for internal routing. this is to save on the number of real internet addresses used by the ISP.

Well done, you nmap'ed one of your ISPs routers if your routers address isn't also 192.168.1.1.

[phx]

the traceroute looks like this

HOP RTT    ADDRESS
1   0.36   [router]
2   54.35  74-[removed].frontiernet.net
3   54.00  74.[removed]
4   69.41  74.[removed]
...
8   99.00  74.[removed]
9   92.94  192.168.1.1

[Sparda]

and what is your routers IP address?

[digip]

Could be possible that you see it because of the business account settings making you part of that lan segment, but not sure why you can see all the other devices on that ip class since you did the nmap scan.

Dumb question, but do you have a router on this network segment/lan that you are testing this from? Is it a wireless router? (Is it yours?) And if so, what is its IP range set to. Is the device set up as a VPN point? This device isn't by any chance your own router, is it? Just speculating, but if its a wireless router, could someone have hacked it to reroute the DNS requests for a MITM attack on your access point.

My router was set to 192.168.1.1 by default out of the box when I bought it, and I had to manually chance its ip address and range for DHCP.

How do you know its outside this lans network? What does a Traceroute to the 192.168.1.1 device look like? Does it ever leave the 192.168.1/255 range to get to the end point? What is each hops IP address?

More info please. Im curious what is going on now, but my guess is its either because you are part of the lan segment(Via business account), or the router you connect through has been hijacked in some way.

edit: didn't see the other posts as I was typing, so some of my question can be ignored.

[phx]

The router's IP is 192.168.254.254, it's some DSL modem / router combo the ISP installed. I don't have login access to it, although I can get physical access, but resetting to factory defaults isn't a viable option because I don't have the PPPoE info to get it going again.

router make/model: Efficient 5930 DMT Router

[digip]

The router's IP is 192.168.254.254, it's some DSL modem / router combo the ISP installed. I don't have login access to it, although I can get physical access, but resetting to factory defaults isn't a viable option because I don't have the PPPoE info to get it going again.

router make/model: Efficient 5930 DMT Router

Have you tried the default passwords?

http://www.phenoelit-us.org/dpl/dpl.html

Most seem to be a combo of admin/Admin or login/password

[Sparda]

The question was "Why does a router on the Internet have an IP address intended for use on a LAN?".

Some ISPs use addressing that would normally be reserved for use on a LAN for internal routing. this is to save on the number of real internet addresses used by the ISP.

Not sure what you are doing now.

[phx]

Have you tried the default passwords?

http://www.phenoelit-us.org/dpl/dpl.html

Most seem to be a combo of admin/Admin or login/password

Yes, I've tried them. I read the manual and it makes you change it on first login. I also know that the ISP can login externally.

The only packets I'm seeing from 192.168.1.1 are arp requests every so often for machines on this network. Does this indicate anything?

[Sparda]

Yes, I've tried them. I read the manual and it makes you change it on first login. I also know that the ISP can login externally.

The only packets I'm seeing from 192.168.1.1 are arp requests every so often for machines on this network. Does this indicate anything?

That indicates you probably have a device with the address 192.168.1.1 on your LAN you don't know is plugged in.

[phx]

yep just decided the same thing

I think it's this stupid old linksys router i'm using in switch mode and it's sending its own packets for some reason

the 192.168.1.1 I scanned is not the same one I'm noticing

thread over I guess, thanks guys

[natural_orange]

That seems pretty weird.

I know for instance that my cable internet provider uses 10.100.x.x address to provide a connections from the cable modem to there back end cable stuff. Though its invisible to me and it just looks like I'm at a 69.x.x.x address.

[vector]

i suggest using a nice little program called network magic. it gives a nice graphical representation of your local area network, shows you ip address of local devices along with mac address and one click device management/ configuration. this can help you understand a little bit better the layout of your network.