Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

touss1coup
New here
Posts: 6
Joined: Sun Jan 10, 2021 7:32 pm

Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by touss1coup » Sun Jan 10, 2021 7:51 pm

Hello,

Since I installed QuFirewall app on my TS-228A, it records about 65 requests from IP 10.0.3.1 and the same quantity from IP 10.0.5.1 every hour (see below an extract of the log file from QuFirewall).
I tried to find where these requests come from but I was not able to identify the source because even when I unplug the network cable from the NAS itself, QuFirewall is still detecting these requests.
So I don't know if they are real or not. I assume if they are real, they are generated by the NAS itself but I don't know why.
My NAS address is 192.168.0.23 so it is not in the same range.

Does somebody face the same issues or have some information about that? Thanks.

Jan 9 22:56:31 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:44:73:d6:40:00:ff:11:19:d6:0a:00 SRC=10.0.3.1 DST=224.0.0.251 LEN=68 TOS=00 PREC=0x00 TTL=255 ID=29654 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48 MARK=10000
Jan 9 22:56:31 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:44:31:56:40:00:ff:11:5a:56:0a:00 SRC=10.0.5.1 DST=224.0.0.251 LEN=68 TOS=00 PREC=0x00 TTL=255 ID=12630 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48 MARK=10000
Jan 9 23:00:17 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:22:44:40:00:40:11:fd:5b:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8772 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:17 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:ce:55:40:00:40:11:4d:4a:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=52821 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:19 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:22:69:40:00:40:11:fd:36:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8809 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:19 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:ce:ad:40:00:40:11:4c:f2:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=52909 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:19 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:22:6a:40:00:40:11:fd:35:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8810 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:19 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:ce:ae:40:00:40:11:4c:f1:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=52910 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:21 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:23:1c:40:00:40:11:fc:83:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8988 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:21 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:ce:ee:40:00:40:11:4c:b1:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=52974 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:21 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:d3:23:1e:40:00:40:11:fb:fc:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=211 TOS=00 PREC=0x00 TTL=64 ID=8990 DF PROTO=UDP SPT=138 DPT=138 LEN=191 MARK=10000
Jan 9 23:00:21 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:d3:ce:f0:40:00:40:11:4c:2a:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=211 TOS=00 PREC=0x00 TTL=64 ID=52976 DF PROTO=UDP SPT=138 DPT=138 LEN=191 MARK=10000
Jan 9 23:01:02 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:ef:23:a6:40:00:40:11:fb:58:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=239 TOS=00 PREC=0x00 TTL=64 ID=9126 DF PROTO=UDP SPT=138 DPT=138 LEN=219 MARK=10000
Jan 9 23:01:02 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:ef:d6:65:40:00:40:11:44:99:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=239 TOS=00 PREC=0x00 TTL=64 ID=54885 DF PROTO=UDP SPT=138 DPT=138 LEN=219 MARK=10000
Jan 9 23:05:19 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:7e:71:40:00:40:11:a1:2e:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=32369 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:19 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:1b:96:40:00:40:11:00:0a:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=7062 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:21 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:7e:d1:40:00:40:11:a0:ce:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=32465 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:21 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:1b:f2:40:00:40:11:ff:ad:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=7154 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:21 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:7e:d2:40:00:40:11:a0:cd:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=32466 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:21 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:1b:f3:40:00:40:11:ff:ac:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=7155 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000

Robert_73
Starting out
Posts: 30
Joined: Mon Oct 31, 2016 9:11 am

Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by Robert_73 » Sun Jan 10, 2021 11:39 pm

10.0.3.1 and 10.0.5.1 are private IP addresses - they are not routable on the internet. It means that the traffic comes from your local network and not from the internet.

If you've unplugged the QNAP and had the same requests - check Container Station, probably you have two containers running.
Model: TS-677-1600 BIOS QZ14AR10 FW: 4.5.3.x
HDD: 4 x 10TB Seagate Exos X10 (ST10000NM0086), EXT4, RAID6
M2: 2 x 2TB Samsung 860 EVO, EXT4, RAID1
SSD: 2 x 2TB Samsung 870 EVO, EXT4, RAID1
QM2-2S-220A: 2 x 1TB Samsung 860 EVO, EXT4, RAID1
RAM: 64GB (4 x 16GB) SAMSUNG M378A2K43BB1-CRC
GPU: Gigabyte GeForce 1050Ti 4GB (GV-N105TD5-4GD)

-------
Model: TS-253Pro BIOS QW37AR32 FW: 4.5.3.x
HDD: 2 x 6TB Seagate Enterprise NAS (ST6000VN0001), EXT4, RAID1
RAM: 8GB (1 x 8GB) ADATA ADDS1600W8G11

OneCD
Ask me anything
Posts: 8973
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by OneCD » Mon Jan 11, 2021 5:47 am

Interesting that the MAC addresses keep changing for each entry. Also seems the destination is always a broadcast or multicast address.


touss1coup
New here
Posts: 6
Joined: Sun Jan 10, 2021 7:32 pm

Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by touss1coup » Wed Jan 13, 2021 6:22 am

I stopped all applications running on the NAS (including Container Station) and ran another QuFirewall capture and it is still the same.
I also think it is the result of a broadcast request but I cannot find the originator.

Any idea if another service or application can generate these requests?

OneCD
Ask me anything
Posts: 8973
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by OneCD » Wed Jan 13, 2021 6:29 am

touss1coup wrote: Wed Jan 13, 2021 6:22 am
Any idea if another service or application can generate these requests?

touss1coup wrote: Sun Jan 10, 2021 7:51 pm
IN=lxcbr0
...
IN=docker0

Both types are related to containerisation.

After you stopped everything, did you reboot the NAS to clear the active processes? If not, is anything of interest still running in your process list?


touss1coup
New here
Posts: 6
Joined: Sun Jan 10, 2021 7:32 pm

Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by touss1coup » Sun Jan 17, 2021 5:42 am

Thanks to Robert_73 and OneCD, I found out where these requests come from.

Container Station created 2 virtual network cards with these addresses (10.0.3.1 and 10.0.5.1) during installation. I don't know why because I have no VM.
However, I could not remove the NAT option from these virtual cards' settings as they are managed by Container Station.

It also explains why I still get these requests when Container Station was stopped.

touss1coup
New here
Posts: 6
Joined: Sun Jan 10, 2021 7:32 pm

Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by touss1coup » Sun Jan 17, 2021 5:44 am

Topic solved
