Actual Behaviour:
Setup: I am running Pi-hole as part of an IOTStack (using docker-compose). In that stack I have Pi-hole and ZeroTier running, among other things. My router has its DNS address pointed to the device running Pi-hole.
My local network IP range is 192.168.3.*. The ZeroTier IP range is 10.144.*.* (if that matters).
In the Pi-hole clients list I can see mainly one client that seems to pass all the traffic. I do not recognize it and I cannot understand where it gets that IP: 10.245.91.146.
When I execute the nmap -A 10.245.91.146 command, on the device running Pi-hole, I get the following answer:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 22:09 UTC
Nmap scan report for 10.245.91.146
Host is up (0.00062s latency).
All 1000 scanned ports on 10.245.91.146 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 3306/tcp)
HOP RTT ADDRESS
1 0.09 ms 172.17.0.1
2 0.74 ms 10.245.91.146
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.09 seconds
I understand that 172.17.0.1 belongs to the Docker process, but I do not understand where 10.245.91.146 comes from...
Looking at the Pi-hole logs almost all traffic is coming from it, all the local requests from all the devices connected to the network.
The issue seems to be similar to this one, but I have all connections coming from yet another IP.
Expected Behaviour:
I'd like to understand what device it is/where does this IP come from. Ideally, I'd like to have the local devices show their true IPs so I can categorize them.
It feels like I have some proxy in between the devices and Pi-hole, maybe ZeroTier is messing with the network? I do not have the skills to investigate further.
Would anyone have an idea on how to debunk this situation or perhaps make it so the device IPs show up instead of this mystery one?