Curiosity About 2 Routers In IP Scanner Results

OP
PGB1
Joined
Dec 5, 2008
Messages
713
Reaction score
43
Points
28
Location
Detroit
Your Mac's Specs
2007 Mac Book Pro 2.2 Ghz 4 GB RAM SSD OSX 10.11 & 2006 MBP Stuck At 10.6.8
Thanks Dennis for your helpful comments.

I rechecked with the ISP today, but this time asked for the "Disconnect My Services" department. I got much better results than I've ever received. It was a treat to speak with someone knowledgeable.

That person said it is no problem to use my own router and modem as long as I get one from their approved device list, which has many choices. You can't have their phone service without renting their modem, however.

She also was honest enough to mention that Ooma & some others are much less expensive than their telephone service with the same features. (Their basic phone is $19.70 per month.) So, roughly calculating the cost of the ISP's rental & the phone service versus buying equipment to have Ooma and my own router & modem, plus Ooma's monthly tax for our state, I think about ten or 1 months will be my pay-back period.

Now if I can figure out the best way to ditch cable tv for a streaming service, I'll be a happy guy. (Next Project!)

Thanks Again!
Paul
 

dtravis7


Retired Staff
Joined
Jan 4, 2005
Messages
30,133
Reaction score
703
Points
113
Location
Modesto, Ca.
Your Mac's Specs
MacMini M-1 MacOS Monterey, iMac 2010 27"Quad I7 , MBPLate2011, iPad Pro10.5", iPhoneSE
Just a note. My Ooma bill including taxes for my area is $11 or slightly under every month and that is with full support with all the features and no limit how long I can talk per month anywhere in the US and Canada. It's quite a good deal.
 
OP
PGB1
Thanks Dtravis for the update.
So far, Ooma seems to be the best price for what we use the telephone for (a few local & interstate calls per month).

Our current goal will be to keep only internet from the ISP with our own modem & router. Add Ooma for phone and go to Sling (or similar) and an antenna for television. (My choice would be no TV, but I only get one vote.)

For me, that's a lot to learn, but step-by-step I'll get there. There's a lot to purchase too, non-CRT TVs being the biggest budget breaker.
Job one is stop renting the modem and using expensive ISP phone service.
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,248
Reaction score
1,833
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
Quote: So far, Ooma seems to be the best price for what we use the telephone for (a few local & interstate calls per month).

Don't forget the initial cost of the hardware. Ooma costs $99.99 (one time fee). Local taxes are fairly inexpensive though depending on your area.
 

dtravis7


Quote: Don't forget the initial cost of the hardware. Ooma costs $99.99 (one time fee). Local taxes are fairly inexpensive though depending on your area.

Here in Central Calif my Taxes are around $4.

I got the Ooma box for $79 Open Box or Refurb. Forget now which!
 
Joined
Apr 16, 2016
Messages
1,096
Reaction score
51
Points
48
Location
CT
Your Mac's Specs
MacBook Air Mid-2012 / iMac Retina 5K Late-2014
PGB1:

Did you ever actually figure out what the device was that was getting the .252 address?

From your Mac, open a terminal window and ping the address (ping 192.168.0.252). Once you've gotten a couple of replies, break the ping command (CTRL-C) and then issue the command "arp -an | grep 252". This will give you a "mapping" between the IP Addresses containing 252 and MAC addresses of the different devices your Mac has communicated with recently.

Take note of the MAC address associated to the .252 address. Then issue the command "arp -an | grep '\.1'" (be sure you get the apostrophes around the \.1). Find the entry for 192.168.0.1 and take note of that MAC address.

If the addresses match, they are both definitely coming from your router. If the first six characters match, they are PROBABLY both coming from your router. If the first six do NOT match, would you be ok with posting the MAC of the .252 device here? Or, at least the first six characters? MAC addresses are unique and the first six characters identify the manufacturer.

For voice service, I eliminated my phone bill at least 18 months ago by porting my phone numbers over to Google Voice and using a $50 box to provide my phone services. I've detailed the process elsewhere, but could certainly bring that info to this site if useful. In a nutshell, you port your phone number from the cable company to T-Mobile. Once that port is done, you port it to Google (costs $20). You "might" be done at that point, or you can go a step further to add in inbound virtual number so that Google can block inbound garbage. I went from my phone ringing 30 times / day with almost all garbage to only a couple of calls per day with ZERO telemarketing. And, I don't pay a penny for my home phone. Total investment for me was around $75 per phone line (and I've done it to three of them).

I currently pay for Broadband Internet from the cable company and have DirecTV for programming content. By next summer, I will have dropped DTV and will no longer be paying for television content beyond -MAYBE- $10/month for Hulu, $10/month for Netflix. I use a Plex Media Server with PVR and external HD tuners and an antenna to grab all four major networks' programming for free.
 
OP
PGB1
Thanks Guys!

The initial investment in Ooma, for the device & porting fee, should be paid off in about 8 months, so it sounds like a good option for us. If we make any long distance calls, Ooma will be paid off faster.
A used Ooma Telo device will cost less, but Ooma charges a fee to activate a used or not-refurbished-by-Ooma refurbished device.

Ooma's tax calculator showed us 4.88, plus sales tax in Michigan. Taking that into consideration, Ooma will save us just under 15.00 per month & provide almost identical phone service features (which we don't use).

It's beginning to look like my wife & I may enter the 21st century after all. (Thanks to the help from all of you!)
 
Joined
Apr 24, 2008
Messages
271
Reaction score
6
Points
18
Location
West of Paris
Your Mac's Specs
MacBookPro, iMac, OS 10.13.6, iPhone 6s iOS 15.1, iPad mini, iOS 9.3.5
PGB1.. I believe you somehow own the mysterious client on your network. You may want to squeeze it out of your LAN. How many clients have you got on your network? Say n. Then structure your router to allocate exactly n addresses by DHCP, connect your own devices to all of them. None left. Your "guest" will receive from your router the "sorry" message: no lease available. Try later... You may also achieve the same results by assigning IP addresses manually.

I guess you will discover the additional guest is under your control, which would help to understand how it can connect first when you change the wifi pswd. Just my 2c
 
OP
PGB1
Thanks for the tip Michelangelo. It makes good sense.

I tried to follow your instructions, but it appears my router is quite limited in what the user is allowed to access & change. (Maybe because it is a rental from the ISP?)
It wouldn't let me allocate a specific number of addresses.

Configuration does allow me to change the range of allowed ip addresses. So, for an experiment, I tried changing the range to end before the mystery ip address' number. (Huh? What I'm clunkily trying to say is that the mystery ip ends in .252. I changed the configuration range to stop at .250) Then, I was going to see what device stopped working.
No Luck- Nothing stopped working & a re-visit to the router showed the range was changed back to where it was before I manipulated it.

I guess the router is in control, not me.
 
Joined
Apr 16, 2016
Messages
1,096
Reaction score
51
Points
48
Location
CT
Your Mac's Specs
MacBook Air Mid-2012 / iMac Retina 5K Late-2014
Were you able to try any of the things I wrote a couple of posts back?
 
Joined
Apr 24, 2008
Messages
271
Reaction score
6
Points
18
Location
West of Paris
Your Mac's Specs
MacBookPro, iMac, OS 10.13.6, iPhone 6s iOS 15.1, iPad mini, iOS 9.3.5
OK PGB1. You tried earlier, If I read well, to change the wifi password (with correct encryption I assume), the 192.168.1.252 device (I will call it "Alien") immediately re-connected. That alone would mean this Alien was informed of your new password. Two people were informed: you and your 192.168.1.1 router. Assuming you are not a spy for Alien, then Alien got its information from your 192.168.1.1 router.

You tried reducing the range of distributable IP addresses (distributable by DHCP). Given your LAN and its subnet mask (which I presume is the standard 255.255.255.0, please confirm), the complete address range 192.168.1.1 to 192.168.1.256 is in the subnet, even if the router only distributes a smaller portion with DHCP, the other addresses can still get recognised by the router if (1) they know how to access the router (by providing the password if wifi or directly if connected by wire); and (2) they are alone claiming this IP. So it is logical that Alien remained connected even if the DHCP range stopped before its number. Strange, however, is the fact the router refused to let Alien outside its DHCP range. I still believe your router and Alien are close friends, and Alien is physically inside your LAN (inside your house and wire-connected), not at a far-away location.

The sole conclusion I can draw of the above is Alien is in the box of your router. Your ISP knows it, knows what it does, knows what it does for them, and possibly even for you. But it is quite possible that they will not tell you.

In my home, confronted to quasi-equivalent vexing problems of services accessing my router from the outside by open ports (as discoverable by GRC's "Shields-up" test) and realising that these services were useful to my ISP to conduct a variety of tests on my modem-router and to upgrade its firmware without telling me, I resorted to buying a modem-router and returning its box (a modem-router-firewall) to my ISP. The drawback of this is of course I must look for firmware updates myself and cannot rely on my ISP's testing my modem (which they were never able to do anyway).

Knowledge being often useful, you may want to try shields up <https://www.grc.com/x/ne.dll?bh0bkyd2>. But shields up will not tell you what Alien does. Being inside your Lan, Alien is capable of issuing request to anyone outside your LAN and receive requests to its queries, without any need to leave ports open in your firewall, and then discoverable by Shields up from the outside.

I assume Alien was installed by your ISP, hence would only query your ISP for useful stuff, like updating your modem-router firmware... But that is only an assumption. HTH
 
Joined
Apr 16, 2016
Messages
1,096
Reaction score
51
Points
48
Location
CT
Your Mac's Specs
MacBook Air Mid-2012 / iMac Retina 5K Late-2014
Quote: OK PGB1. You tried earlier, If I read well, to change the wifi password (with correct encryption I assume), the 192.168.1.252 device (I will call it "Alien") immediately re-connected. That alone would mean this Alien was informed of your new password.

Unless "Alien" is not using WiFi and is either hardwired or an internal component of the router / modem...

This is part of what I would hope to better understand from the steps I had listed out a few posts back in terms of understanding the hardware address of both the router and "Alien".
 
Joined
Apr 24, 2008
Messages
271
Reaction score
6
Points
18
Location
West of Paris
Your Mac's Specs
MacBookPro, iMac, OS 10.13.6, iPhone 6s iOS 15.1, iPad mini, iOS 9.3.5
Ember1205, I agree that the steps you outlined a few posts above would provide clarity. Far more clarity than a lookup from the outside with Shields Up.
 

Slydude

Well-known member
Staff member
Moderator
Joined
Nov 15, 2009
Messages
17,596
Reaction score
1,072
Points
113
Location
North Louisiana, USA
Your Mac's Specs
M1 MacMini 16 GB - Ventura, iPhone 14 Pro Max, 2015 iMac 16 GB Monterey
Hate to admit it but I am no closer to figuring this out than I was at the beginning of the thread. I do have the following suspicions though:
1. Since you cannot find a device or its associated MAC address (hardware based ID generated by the network card) it is likely that this internal IP address is generated for some router function/feature.
2. The mystery "feature" requiring this address is likely tied to the telephony features this router seems to have available.
3. If assumption 2 is correct that might explain why you cannot manually "turn off" this address. Being able to do so would likely disable some / all of the telephone features.

If any of these assumptions are correct then tech support should at the very least be able to tell you what it is for and the consequences of further attempts to turn it off. If they can't do that I would be forced to conclude that either:
1. They have not been trained on this issue and thus do not know the answer.
2. Someone knows the answer but it is not standard practice to release that information (perhaps for fear customers will look for other providers).
 
OP
PGB1
Thanks Again All.
I did try all the items you mentioned, Ember 1205 & the ones Lisa & others mentioned earlier. I re-tried many today.

I tried the Terminal ping for the address. After the arp -an | grep 252, I got:
? (192.168.0.252) at 0:0:ca:1:2:3 on en1 ifscope [ethernet]
I apologize, but I don't understand what it is telling me.

After the arp -an | grep '\.1' command, the address for .1 was
? (192.168.0.1) at 5c:8f:e0:e7:61:c3 on en1 ifscope [ethernet] and 252 was
? (192.168.0.252) at 0:0:ca:1:2:3 on en1 ifscope [ethernet]
So they don't match. I looked for any that match or even begin with 0:0 and found none.

Next I tried it with the phone in use, in case that would show the address using the phone part of the modem. I got the same results.


Quote: Given your LAN and its subnet mask (which I presume is the standard 255.255.255.0, please confirm),
Yes, that's what I found in the settings.

I ran all the tests in Shields Up and, to be honest, didn't understand much of what was reported. It did report ports are in "Stealth" and not responding to their requests. I will try to learn more about what it is reporting later tonight.

It makes the most sense to me (the uneducated one) that you are all spot-on about the mystery address being internal to the router & possibly part of the phone.
After re-reading all that you each wrote & trying many items again, I understand why the conclusion is that the Alien (great description!) is internal to the router and is there on purpose. In post #33, I mentioned about the ISP upper level tech replying to my question if Alien had to do with the telephone with the word "probably". So that tells me, like Slydude mentioned, they either aren't saying what the address is for or don't know themselves.

Turning off all WiFi and having the address still present makes it more convincing that the Alien is internal to the router & hard wired. (I'm guessing the router sees the phone as a separate, physical device and that is Alien??) I tried turning off the address inside the router to see if the phone stopped working, but it comes right back on, so that test was void.

Since telnet port 23 is open & I can't close it, along with the Alien IP address and the fact that I am so limited with what I can configure inside this router (security related), I'm more dedicated to buying my own equipment. I just am not comfortable with mystery items, an open telnet port and no positive assurance that our system is as safe as it could be.
 
Joined
Apr 24, 2008
Messages
271
Reaction score
6
Points
18
Location
West of Paris
Your Mac's Specs
MacBookPro, iMac, OS 10.13.6, iPhone 6s iOS 15.1, iPad mini, iOS 9.3.5
To add one option to the ones you already have sitting in front of you, I will dig a part of your post #10 (nearly a century ago)
Quote: I also thought of putting a router ahead of our existing router as kind of a lock-before-the-lock, but the ISP person said it won't work on their system to put anything ahead of their router, but after is sometimes OK.
Let us presume the following:
1 - That you want to carry on with the voice over IP provided by your current ISP;
2 - No presumption for TV since you only carry one vote;
3 - You accept to believe that the Alien (a thing protected by secrecy) is there for your good, but do not want to be harmed in the event the Alien would become corrupt, hostile;
THEN, you may want to explore, as an alternative to your other options, the one outlined above.
Your current ISP's router has a LAN IP address of 192.168.0.1, it creates a LAN containing a block of 256 IP Addresses, in the range [192.168.0.1 ; 192.168.0.256]
Your VoIP telephone is a client in this LAN, your TV too, so are all your other devices (printer, macs, iPhones, treadmill, what else)
You could grab a dumb (or not so dumb if you prefer) router, attach its WAN side to the above network (its WAN Address would be 192.168.0.xxx, attributed by your ISP's router) and ask this dumb router to distribute IP addresses in a second LAN (call it LAN2) in a separate range of addresses. I would choose, for laziness, the range 192.168.1. 1 to 256, 192.168.1.1 being the LAN2 address of dumb router.
Then you are done. You would ensure that wifi is off on your ISP's router, to prevent involuntary connection to an IP address in the range 192.168.0.xxx and configure a wifi access point behind your dumb router. What you have achieved there is a double NAT whereby you have a router after your ISP-supplied router.
With the possible exception of TV (depends on the votes), your telephone is the sole client of your ISP's router. All other clients you have in your home, whether wired or wireless are now attached to the dumb router and are therefore in a separate network.

Alien is alone with your telephone in the first LAN, all your personal stuff is well protected in LAN2.

In the event Alien becomes corrupt, hostile, crazy, whatever, your LAN2 is protected because there is no way Alien can access any of its clients, because there is no way Alien can go across dumb router.

What is the takeaway ?
Airport utilities will complain. Airport Utilities don't like double NATting. Ask it to shut up;
If you ever need holes in your firewall (which, as you mentioned after a Shields Up test, is pristine: no holes, all ports are closed -no entry- and stealth -no reply to ping- so far) in order to permit: access to your mac, gamers to receive chat from other online gamers, a ring on your Skype... there you would also need holes in two firewalls, which is way more complex;
The cables to your VoIP phone would connect your ISP's modem router to your phone, same for TV. BUT cables to all other clients would come from your dumb router. This can make laying of cables far more complex. People have invented virtual LANs to make good with that difficulty.

My home is setup this way, except that the dumb router is replaced, for me, by a pfSense router acting the way an Airport Extreme would: setting up a LAN for family and LAN2 for guests and IoT things.

Now, unless somebody already suggested it, you have one more option in your bag. Cheers.
 
OP
PGB1
Thank You Michelangelo.
Your step-by-step is a great explanation, and humorous too. I enjoyed reading it.

Our television service tees off from the ISP's cable & heads to little digital adapters at each tv set (they're analogs) before the modem/router, thus eliminating one step. Thankfully, we have not had an election where premium channels were victorious, so we don't have converter boxes and DVRs to connect. (Hope I didn't just jinx myself)

Your set-up plan sounds like a really good solution if we end up keeping the ISP's telephone service. I see how it can give us control, or at least reassurance, that our home network is as tight as we can get it to be.

I am enjoying learning about this topic as we go along and appreciative of the education. Networking has always been quite confusing and intimidating to me, but you all are great about explaining and teaching. It seems that old dogs can learn new tricks- I hope...
 
Joined
Apr 16, 2016
Messages
1,096
Reaction score
51
Points
48
Location
CT
Your Mac's Specs
MacBook Air Mid-2012 / iMac Retina 5K Late-2014
I would be about 99% certain in the presumption that the rogue address of Alien is internal to your -modem-. Why?

You showed us that the .1 gateway address correlated to a hardware address of 5c:8f:e0:e7:61:c3. If you take the first six characters of that (as 5c:8f:e0) and look it up online, it resolves out to "ArrisGro ARRIS Group Inc." That makes sense since it's a modem. If you take the hardware address that you found for the .252 address (0:0:ca:1:2:3) and expand it out so that it's proper, you get 00:00:ca:01:02:03. If you do the same lookup again using 00:00:ca, that ALSO resolves out to "ArrisGro ARRIS Group Inc."

I looked up the modem model that you provided way back, and see that it's a combination modem, phone gateway, and wireless router (which you've included here as well). I also see that there's little useful information on the various addresses and such. There should be a label on the back of the modem, however, that will list at least ONE of the above MAC addresses (probably not the Alien one). If you haven't checked already, that's an easy step.

The only reason I could see you possibly seeing two IP Addresses and MAC addresses on your device is if the modem were set up in Bridge Mode as opposed to Standard mode. If it -IS- set up in bridge mode, then you would potentially be able to see the external AND internal MAC addresses of the device, and it could be using two IP Addresses (one for each) as well.

I'm going with "you're ok and it's not an issue".

One other thing... This may be a case of semantics, but the Alien address wouldn't be considered hardwired. It's internal to the modem.
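
The ARP comparison from the two posts above (the ping/arp procedure, then the prefix lookup), as an added example that is not part of the thread. The function names are hypothetical, the `.17` sample line is constructed, and the two-entry vendor table holds only the prefixes the thread reports looking up; it is not an OUI registry.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Sample input: the first two lines are the entries quoted in the thread,
# the third (.17, incomplete) is constructed to show an unresolved neighbour.
SAMPLE_ARP='? (192.168.0.1) at 5c:8f:e0:e7:61:c3 on en1 ifscope [ethernet]
? (192.168.0.252) at 0:0:ca:1:2:3 on en1 ifscope [ethernet]
? (192.168.0.17) at (incomplete) on en1 ifscope [ethernet]'

# Print the MAC recorded for exactly one IP (arp text on stdin).
# Comparing the whole "(ip)" field avoids the over-matching of
# `grep 252` or `grep '\.1'`, which also hit .125, .10, .100 and so on.
mac_for_ip() {
    awk -v ip="($1)" '$2 == ip { print $4; exit }'
}

# macOS arp drops leading zeros (0:0:ca:1:2:3). Pad every octet to two
# lowercase hex digits so prefixes can be compared and looked up.
# Fails (status 1, no output) on "(incomplete)" or anything malformed.
normalize_mac() {
    printf '%s\n' "$1" | awk -F: '
        NF != 6 { exit 1 }
        {
            out = ""
            for (i = 1; i <= 6; i++) {
                o = tolower($i)
                if (o !~ /^[0-9a-f][0-9a-f]?$/) exit 1
                if (length(o) == 1) o = "0" o
                out = out (i > 1 ? ":" : "") o
            }
            print out
        }'
}

# Vendor names for the two prefixes looked up in the thread; nothing else.
vendor_of_oui() {
    case "$1" in
        5c:8f:e0|00:00:ca) echo "ARRIS Group Inc." ;;
        *) echo "unknown" ;;
    esac
}

# compare_hosts ARP_TEXT IP_A IP_B
# Prints "<verdict> <mac_a> <mac_b>":
#   same-mac      both IPs answer from one interface
#   same-oui      first three octets match
#   same-vendor   prefixes differ but map to one vendor (a vendor can
#                 hold many prefixes, so a prefix mismatch proves little)
#   different-or-unknown   look both prefixes up before concluding anything
compare_hosts() {
    raw_a=$(printf '%s\n' "$1" | mac_for_ip "$2")
    raw_b=$(printf '%s\n' "$1" | mac_for_ip "$3")
    mac_a=$(normalize_mac "$raw_a") || { echo "unresolved $2"; return 2; }
    mac_b=$(normalize_mac "$raw_b") || { echo "unresolved $3"; return 2; }
    oui_a=${mac_a%:*:*:*}
    oui_b=${mac_b%:*:*:*}
    if [ "$mac_a" = "$mac_b" ]; then
        verdict=same-mac
    elif [ "$oui_a" = "$oui_b" ]; then
        verdict=same-oui
    elif [ "$(vendor_of_oui "$oui_a")" != unknown ] &&
         [ "$(vendor_of_oui "$oui_a")" = "$(vendor_of_oui "$oui_b")" ]; then
        verdict=same-vendor
    else
        verdict=different-or-unknown
    fi
    echo "$verdict $mac_a $mac_b"
}

# Demo on the embedded sample. On the Mac itself, after pinging both
# addresses, pass live data instead: compare_hosts "$(arp -an)" IP_A IP_B
compare_hosts "$SAMPLE_ARP" 192.168.0.1 192.168.0.252
```
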
 
Joined
Apr 24, 2008
Messages
271
Reaction score
6
Points
18
Location
West of Paris
Your Mac's Specs
MacBookPro, iMac, OS 10.13.6, iPhone 6s iOS 15.1, iPad mini, iOS 9.3.5
Congratulations, that is great. Now, based on what you discovered, can an alternate explanation be believable as well?

Imagine this device is, as you state, a combination modem, phone gateway, and wireless router. We know that it is connected to a cable, after a splitter separating the TV packets from telephone and internet packets.

We could assume there is a modem in what I referred above as the splitter, converting the cable's analog signal into packets (packets for TV, packets for the rest), then it makes sense to assume the modem contained in the combination modem, phone gateway, and wireless router is not needed and is rendered null (set-up in bridge mode). Then, maybe, either 192.160.0.252 or 192.168.0.1 would be, as seen by the device, a WAN IP address.

Could we assume something else ?

Apparently, the firewall is pristine: all customary ports (up to 1000 and such) seem to be closed and hidden (not responding). Other ports, (113, 7547, 50805, others), may still be open, let us assume they are also closed and not responding to ping.

Can't we assume the ISP has found, in Alien, a new solution for service TR-069 ?

What is service TR-069 ?

In the brochure relating to its own modems, Zyxel states: "TR-069 remote management: With TR-069 standard management specifications, service providers are able to manage and configure client devices remotely without manual intervention from end users. This unique feature allows the ZyXEL xxx to offer true “plug-and-play” experience and reduce deployment complexity for service providers to save operating and maintenance costs." On my modem, the service TR-069 uses the port 7547 and I cannot make it invisible, which is a [small] attack point for outsiders.

Let us face it: All ISPs need the equivalent to service TR-069 to, at least, remotely perform firmware updates on the modems they lease out to customers. But it is quite rare to hear them telling it.

After all, modern (and serious) IoT devices tend to desire to follow an analogous route, based on (1) the fact they are a vulnerability in the host LAN if their firmware cannot be updated when an exploit affecting them is found and (2) no one can reliably trust the vendor or the buyer of the IoT thingy to take care of firmware updates.

Is it conceivable that Alien may be a tiny computer (like a Raspberry Pi), client on the LAN, whose task is to question the mother ship Arris from time to time, just to download and install new firmware updates? That could be more secure than punching a hole in the firewall... but could still be compromised IMHO.
 
Joined
Apr 16, 2016
Messages
1,096
Reaction score
51
Points
48
Location
CT
Your Mac's Specs
MacBook Air Mid-2012 / iMac Retina 5K Late-2014
Since the MAC Address of Alien is tied to ARRIS because of the first six characters, it would not be a third-party device like an RPi.

Modems download their firmware at boot time from a TFTP server at the provider side. Every time you restart your modem, you download the firmware and will always get whatever version the provider deems appropriate. Loading firmware from the manufacturer is not supported, and after a restart it would re-download the provider's built version of the firmware anyhow. This is part of the DOCSIS2.0 standard (which carries forward into DOCSIS3.0).

So, no, I don't believe that your scenario could be considered legitimate.
 
