
Port Forwarding Rule Added - Unattended

kevinsneddon
Newbie
Posts: 4
Registered: 29-03-2017

Hi Everyone,

My router was a bit glitchy today and seemed to restart itself and re-connect around midday. When I review the logs I see a couple of interesting activities. This morning I see the following:

11:09:55, 07 Apr. ( 28.640000) System up, firmware version: 4.7.5.1.83.8.226
11:09:39, 07 Apr. ( 13.310000) System start
11:07:27, 07 Apr. (551609.880000) Port forwarding rule added via UPnP/TR064. Protocol: TCP, external ports: any->24090, internal ports: 32400, internal client: 192.168.1.75
10:07:26, 07 Apr. (548009.090000) Port forwarding rule added via UPnP/TR064. Protocol: TCP, external ports: any->24090, internal ports: 32400, internal client: 192.168.1.75
09:07:25, 07 Apr. (544407.320000) Port forwarding rule added via UPnP/TR064. Protocol: TCP, external ports: any->24090, internal ports: 32400, internal client: 192.168.1.75

This is at a time when I was out of the house, and nobody was logged on to the router. The IP address specified for the port forwarding is a MyCloud storage device. So first question is: how is it possible for my router to add port forwarding with nobody logged on?

The second set of log events are:

11:50:19, 07 Apr. (554182.020000) CWMP: Server URL: https://dbtpnhdm.bt.mo; Connecting as user: ACS username
11:50:19, 07 Apr. (554182.010000) CWMP: Session start now. Event code(s): '4 VALUE CHANGE'
11:50:08, 07 Apr. (554171.210000) CWMP: session closed due to error: Could not resolve host
11:50:08, 07 Apr. (554170.630000) CWMP: Initializing transaction for event code 4 VALUE CHANGE
11:50:08, 07 Apr. (554170.580000) Wire Lan Port 3 up
11:50:08, 07 Apr. (554170.580000) Wire Lan Port 2 up
11:50:08, 07 Apr. (554170.580000) Wire Lan Port 1 up
11:49:56, 07 Apr. (554158.710000) Wire Lan Port 3 down
11:49:56, 07 Apr. (554158.700000) Wire Lan Port 2 down
11:49:56, 07 Apr. (554158.700000) Wire Lan Port 1 down
11:49:46, 07 Apr. (554148.410000) Wire Lan Port 3 up
11:11:43, 07 Apr. BLOCKED 1 more packets (because of First packet is Invalid)
11:11:41, 07 Apr. OUT: BLOCK [65] First packet is Invalid (Packet not in tcp window: TCP [192.168.1.80]:49757->[52.11.159.248]:443 on ppp3)
11:10:09, 07 Apr. BLOCKED 1 more packets (because of Packet invalid in connection)
11:10:08, 07 Apr. OUT: BLOCK [9] Packet invalid in connection (UDP [0.0.0.0]:68->[255.255.255.255]:67 on ath00)
11:27:37, 07 Apr. OUT: BLOCK [7] ICMP replay (ICMP type 3 code 1 212.159.18.145->88.221.134.186 on ppp3)
11:27:09, 07 Apr. BLOCKED 2 more packets (because of ICMP replay)
11:27:08, 07 Apr. OUT: BLOCK [7] ICMP replay (ICMP type 3 code 1 212.159.18.145->88.221.134.234 on ppp3)
11:15:44, 07 Apr. OUT: BLOCK [7] ICMP replay (ICMP type 3 code 1 212.159.18.145->37.77.186.131 on ppp3)
11:15:41, 07 Apr. BLOCKED 3 more packets (because of ICMP replay)
11:15:40, 07 Apr. OUT: BLOCK [7] ICMP replay (ICMP type 3 code 1 212.159.18.145->37.77.186.131 on ppp3)
11:10:52, 07 Apr. ath10: STA 64:20:0c:57:3b:b0 IEEE 802.11: Client disassociated
11:10:19, 07 Apr. ath10: STA 64:20:0c:57:3b:b0 IEEE 802.11: Client associated
11:10:13, 07 Apr. ath00: STA 64:20:0c:57:3b:b0 IEEE 802.11: Client associated
11:10:11, 07 Apr. ath00: STA 90:f1:aa:de:0d:47 IEEE 802.11: Client associated
11:10:10, 07 Apr. ath00: STA 18:0c:ac:40:32:6c IEEE 802.11: Client associated

This then repeats a few times until the connection settles down.

I am on a STATIC IP because of issues with VPN connections and I am not sure if this is a factor.

Can anyone help with the unusual Port Forwarding activity (especially the "SYSTEM START" event when the Router didn't reboot)?

Thanks,

Kevin

4 REPLIES
Browni
Aspiring Hero
Posts: 2,283
Thanks: 777
Fixes: 46
Registered: 02-03-2016

Re: Port Forwarding Rule Added - Unattended

Have you got Plex media server running on the 192.168.1.75 device?
I must have been really bad in a previous life as this was my 3rd ISP in a row that used lithium.
Now you're stuck with me because my new ISP doesn't run a forum
Community Veteran
Posts: 1,649
Thanks: 66
Fixes: 2
Registered: 17-06-2007

Re: Port Forwarding Rule Added - Unattended

UPnP is Plug and Play, which suggests that something on that internal IP address has started up and opened the ports on the router, and 32400 is the default port for Plex Media Server.

Champnet
Aspiring Pro
Posts: 472
Thanks: 85
Fixes: 1
Registered: 25-07-2007

Re: Port Forwarding Rule Added - Unattended

https://dbtpnhdm.bt.mo/ apparently is a BT update site.

So possibly your router has been updated, which may have automatically installed the rule.

Might be worth looking around the internet for details of the update.

Community Veteran
Posts: 1,649
Thanks: 66
Fixes: 2
Registered: 17-06-2007

Re: Port Forwarding Rule Added - Unattended

The second set look similar to TR069 logs:

12:24:14, 08 Apr. (2136351.650000) CWMP: Initializing transaction for event code 2 PERIODIC
06:44:47, 08 Apr. (2115985.530000) CWMP: session closed due to error: Could not resolve host
06:44:47, 08 Apr. (2115985.480000) CWMP: Server URL: https://ceased.tr69.p; Connecting as user: ACS username
06:44:47, 08 Apr. (2115985.470000) CWMP: Session start now. Event code(s): '0 BOOTSTRAP,2 PERIODIC,4 VALUE CHANGE'
12:24:14, 07 Apr. (2049952.650000) CWMP: Initializing transaction for event code 2 PERIODIC
06:44:47, 07 Apr. (2029585.200000) CWMP: session closed due to error: Could not resolve host
06:44:47, 07 Apr. (2029585.150000) CWMP: Server URL: https://ceased.tr69.p; Connecting as user: ACS username
06:44:46, 07 Apr. (2029585.140000) CWMP: Session start now. Event code(s): '0 BOOTSTRAP,2 PERIODIC,4 VALUE CHANGE'
12:24:13, 06 Apr. (1963552.650000) CWMP: Initializing transaction for event code 2 PERIODIC
06:44:45, 06 Apr. (1943184.870000) CWMP: session closed due to error: Could not resolve host

So I think there are two things going on.

1) The Plex Media Server is opening ports using UPnP which is probably perfectly normal...

2) The router is doing TR069 type activities which is perfectly normal
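
Added example, not code from any poster in this thread or from the router vendor: a small parser for log lines in the one-line form used in the last reply's excerpt, which groups the UPnP/TR064 rules by mapping and measures how regularly each one repeats. The sample lines are the first post's three entries with each timestamp joined to its message, and the bracketed counter is assumed to be in seconds (on those lines it advances in step with the wall-clock timestamps).

```python
import re
from collections import defaultdict

# Constructed sample: the three UPnP entries from the first post, each timestamp
# joined to its message on one line.
SAMPLE_LOG = """\
11:07:27, 07 Apr. (551609.880000) Port forwarding rule added via UPnP/TR064. Protocol: TCP, external ports: any->24090, internal ports: 32400, internal client: 192.168.1.75
10:07:26, 07 Apr. (548009.090000) Port forwarding rule added via UPnP/TR064. Protocol: TCP, external ports: any->24090, internal ports: 32400, internal client: 192.168.1.75
09:07:25, 07 Apr. (544407.320000) Port forwarding rule added via UPnP/TR064. Protocol: TCP, external ports: any->24090, internal ports: 32400, internal client: 192.168.1.75
"""

# "HH:MM:SS, DD Mon. (counter) message"; lines without a counter are skipped.
ENTRY = re.compile(r"^\d\d:\d\d:\d\d, \d\d \w+\.\s+\(\s*(?P<up>[\d.]+)\)\s+(?P<msg>.*)$")
UPNP = re.compile(
    r"Port forwarding rule added via UPnP/TR064\. Protocol: (?P<proto>\w+), "
    r"external ports: \S+?->(?P<ext>\d+), internal ports: (?P<int>\d+), "
    r"internal client: (?P<client>[\d.]+)")

def parse(log):
    """Return (counter, message) pairs, oldest first (input assumed newest first)."""
    log = log.replace("\u200b", "")  # zero-width spaces picked up when copying from a web page
    rows = [(float(m["up"]), m["msg"]) for m in map(ENTRY.match, log.splitlines()) if m]
    return rows[::-1]

def upnp_mappings(log):
    """Map (proto, external port, internal port, client) -> gaps between repeats."""
    seen = defaultdict(list)
    for up, msg in parse(log):
        m = UPNP.search(msg)
        if m:
            seen[(m["proto"], int(m["ext"]), int(m["int"]), m["client"])].append(up)
    # Assumption: the bracketed counter is in seconds.
    return {k: [round(b - a) for a, b in zip(v, v[1:])] for k, v in seen.items()}

def is_periodic(gaps, tolerance=5):
    """True when a rule appears at least three times at a near-constant interval."""
    return len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance

if __name__ == "__main__":
    for rule, gaps in upnp_mappings(SAMPLE_LOG).items():
        print(rule, gaps, "periodic" if is_periodic(gaps) else "irregular")
```

A rule that repeats on a steady timer for one internal client is consistent with a LAN device re-registering its own UPnP mapping, which needs no login to the router's admin interface.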