All traffic coming from an unknown client

Actual Behaviour:

Setup: I am running Pi-hole as part of an IOTStack (using docker-compose). In that stack I have Pi-hole and ZeroTier running, among other things. My router has its DNS address pointed to the device running Pi-hole.

My local network IP range is 192.168.3.*. The ZeroTier IP range is 10.144.*.* (if that matters).

In the Pi-hole clients list I can see mainly one client that seems to pass all the traffic. I do not recognize it and I cannot understand where it gets that IP: 10.245.91.146.


When I execute the nmap -A 10.245.91.146 command, on the device running Pi-hole, I get the following answer:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 22:09 UTC
Nmap scan report for 10.245.91.146
Host is up (0.00062s latency).
All 1000 scanned ports on 10.245.91.146 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

TRACEROUTE (using port 3306/tcp)
HOP RTT     ADDRESS
1   0.09 ms 172.17.0.1
2   0.74 ms 10.245.91.146

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.09 seconds

I understand that 172.17.0.1 belongs to the Docker process, but I do not understand where 10.245.91.146 comes from...

Looking at the Pi-hole logs almost all traffic is coming from it, all the local requests from all the devices connected to the network.

The issue seems to be similar to this one, but I have all connections coming from yet another IP.

Expected Behaviour:

I'd like to understand what device it is and where this IP comes from. Ideally, I'd like to have the local devices show their true IPs so I can categorize them.

It feels like I have some proxy in between the devices and Pi-hole, maybe ZeroTier is messing with the network? I do not have the skills to investigate further.

Would anyone have an idea on how to debunk this situation or perhaps make it so the device IPs show up instead of this mystery one?

This isn't an issue with Pi-hole.
Your Pi-hole just reports source IP addresses as observed from DNS queries.

You'd have to investigate your network for further details.

You should note that 10.245.91.146 is a private IP address (as it falls into 10.0.0.0/8), and a latency of <1ms would suggest that it resides on your local network.

If you'd force me to speculate, my guess would be that you've somehow set up a ZeroTier gateway in your network, and that gateway is using 10.245.91.146 to NAT remote requests.

But that is really a question for zerotier and/or IOTStack folks.
You should consider consulting their documentation and support channels for more knowledgeable support. :wink:
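One way to check the NAT hypothesis from the Pi-hole side, as an added example that is not part of this thread and not Pi-hole's own code: Pi-hole's dnsmasq log (/var/log/pihole.log on Pi-hole v5) records one `query[...] <name> from <client>` line per request, so a single client carrying most of the queries, and sitting outside every range you can account for, is the signature of something NATing on its behalf. The script below parses constructed sample lines in that format (not the poster's real log), counts queries per client, labels each client against the ranges mentioned in the thread plus Docker's default bridge (the `KNOWN_RANGES` labels and the 50% "dominant" threshold are assumptions chosen for illustration), and reports the dominant client if there is one.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Pi-hole's dnsmasq log format; not taken from the poster's system.
SAMPLE_LOG = """\
May  3 13:22:01 dnsmasq[532]: query[A] time.apple.com from 10.245.91.146
May  3 13:22:01 dnsmasq[532]: forwarded time.apple.com to 1.1.1.1
May  3 13:22:02 dnsmasq[532]: query[AAAA] www.example.com from 10.245.91.146
May  3 13:22:03 dnsmasq[532]: query[A] nas.lan from 192.168.3.20
May  3 13:22:04 dnsmasq[532]: query[A] api.telemetry.example from 10.245.91.146
May  3 13:22:05 dnsmasq[532]: query[A] pi.hole from 127.0.0.1
May  3 13:22:06 dnsmasq[532]: query[PTR] 146.91.245.10.in-addr.arpa from 192.168.3.20
May  3 13:22:07 dnsmasq[532]: query[A] cdn.example.net from 10.245.91.146
"""

# Only "query[...] <name> from <client>" lines identify a client; "forwarded"/"reply" lines do not.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")

# Ranges named in the thread plus the Docker default bridge seen in the traceroute.
# The labels are assumptions for this example; adjust to your own network.
KNOWN_RANGES = {
    "lan": ipaddress.ip_network("192.168.3.0/24"),
    "zerotier": ipaddress.ip_network("10.144.0.0/16"),
    "docker-bridge": ipaddress.ip_network("172.17.0.0/16"),
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
}


def classify(client: str) -> str:
    """Label a client address by the first known range it falls into."""
    addr = ipaddress.ip_address(client)
    for label, net in KNOWN_RANGES.items():
        if addr in net:
            return label
    # RFC 1918 / ULA space you cannot account for is the interesting case here.
    return "unknown-private" if addr.is_private else "unknown-public"


def count_clients(log_text: str) -> Counter:
    """Count query lines per source address."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[m.group("client")] += 1
    return counts


def find_dominant_client(counts: Counter, threshold: float = 0.5):
    """Return (client, share, label) if one client carries >= threshold of all queries, else None."""
    total = sum(counts.values())
    if total == 0:
        return None
    client, n = counts.most_common(1)[0]
    share = n / total
    if share >= threshold:
        return client, share, classify(client)
    return None


if __name__ == "__main__":
    counts = count_clients(SAMPLE_LOG)
    for client, n in counts.most_common():
        print(f"{client:<16} {n:>4}  {classify(client)}")
    hit = find_dominant_client(counts)
    if hit:
        client, share, label = hit
        print(f"\ndominant client {client} ({share:.0%} of queries), range: {label}")
        if label.startswith("unknown"):
            print("-> likely a NAT/proxy hop in front of Pi-hole; per-client groups and blocking "
                  "cannot distinguish the real devices behind it")
```

Run it against your real log with `count_clients(open("/var/log/pihole.log").read())`. If the dominant client comes back as `unknown-private`, the next step is on the Pi-hole host itself: `ip route get 10.245.91.146` shows which interface the address is reached through, and `iptables -t nat -S` lists any MASQUERADE or SNAT rules that would rewrite source addresses before they reach the container. Until the real client addresses are visible, Pi-hole's per-client group assignments and the client-based blocking they drive only apply to the NAT address, not to the devices behind it.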

Bucking_Horn: Thank you for the insight and speculation.

I mean, everything works as expected: I don't have any issues with Pi-hole or ZeroTier, the requests are filtered as expected. It's just interesting that there was this IP in my Pi-hole logs.

I appreciate the advice. I will investigate ZeroTier, try to disable stuff and see what happens...


A couple of extra things to try:

  1. The command dig -x 10.245.91.146 might reveal a hostname on your network
  2. Click on the IP in the Top Clients list and this will show you its queries in the Query Log. Perhaps some of those queries will reveal its purpose and help identify it

chrislph: Thank you.

  1. Tried, unfortunately it did not show the hostname.
  2. Looking at the queries it looks like pretty much everything, from all devices, goes through this client.
