Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

touss1coup
New here
Posts: 6
Joined: Sun Jan 10, 2021 7:32 pm

Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by touss1coup »

Hello,

Since I installed the QuFirewall app on my TS-228A, it records about 65 requests from IP 10.0.3.1 and the same quantity from IP 10.0.5.1 every hour (see below an extract of the log file from QuFirewall).
I tried to find where these requests come from but I was not able to identify the source because even when I unplug the network cable from the NAS itself, QuFirewall is still detecting these requests.
So I don't know if they are real or not. I assume if they are real, they are generated by the NAS itself but I don't know why.
My NAS address is 192.168.0.23 so it is not in the same range.

Does somebody face the same issues or have some information about that? Thanks.

Jan 9 22:56:31 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:44:73:d6:40:00:ff:11:19:d6:0a:00 SRC=10.0.3.1 DST=224.0.0.251 LEN=68 TOS=00 PREC=0x00 TTL=255 ID=29654 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48 MARK=10000
Jan 9 22:56:31 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:44:31:56:40:00:ff:11:5a:56:0a:00 SRC=10.0.5.1 DST=224.0.0.251 LEN=68 TOS=00 PREC=0x00 TTL=255 ID=12630 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48 MARK=10000
Jan 9 23:00:17 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:22:44:40:00:40:11:fd:5b:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8772 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:17 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:ce:55:40:00:40:11:4d:4a:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=52821 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:19 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:22:69:40:00:40:11:fd:36:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8809 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:19 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:ce:ad:40:00:40:11:4c:f2:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=52909 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:19 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:22:6a:40:00:40:11:fd:35:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8810 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:19 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:ce:ae:40:00:40:11:4c:f1:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=52910 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:21 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:23:1c:40:00:40:11:fc:83:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8988 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:21 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:ce:ee:40:00:40:11:4c:b1:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=52974 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:21 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:d3:23:1e:40:00:40:11:fb:fc:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=211 TOS=00 PREC=0x00 TTL=64 ID=8990 DF PROTO=UDP SPT=138 DPT=138 LEN=191 MARK=10000
Jan 9 23:00:21 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:d3:ce:f0:40:00:40:11:4c:2a:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=211 TOS=00 PREC=0x00 TTL=64 ID=52976 DF PROTO=UDP SPT=138 DPT=138 LEN=191 MARK=10000
Jan 9 23:01:02 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:ef:23:a6:40:00:40:11:fb:58:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=239 TOS=00 PREC=0x00 TTL=64 ID=9126 DF PROTO=UDP SPT=138 DPT=138 LEN=219 MARK=10000
Jan 9 23:01:02 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:ef:d6:65:40:00:40:11:44:99:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=239 TOS=00 PREC=0x00 TTL=64 ID=54885 DF PROTO=UDP SPT=138 DPT=138 LEN=219 MARK=10000
Jan 9 23:05:19 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:7e:71:40:00:40:11:a1:2e:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=32369 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:19 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:1b:96:40:00:40:11:00:0a:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=7062 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:21 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:7e:d1:40:00:40:11:a0:ce:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=32465 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:21 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:1b:f2:40:00:40:11:ff:ad:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=7154 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:21 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:7e:d2:40:00:40:11:a0:cd:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=32466 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:21 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:1b:f3:40:00:40:11:ff:ac:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=7155 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Robert_73
Starting out
Posts: 31
Joined: Mon Oct 31, 2016 9:11 am

Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by Robert_73 »

10.0.3.1 and 10.0.5.1 are private IP addresses - they are not routable on the internet. It means that the traffic comes from your local network and not from the internet.

If you've unplugged the QNAP and had the same requests - check Container Station, probably you have two containers running.
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by OneCD »

Interesting that the MAC addresses keep changing for each entry. Also seems the destination is always a broadcast or multicast address.
touss1coup
New here
Posts: 6
Joined: Sun Jan 10, 2021 7:32 pm

Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by touss1coup »

I stopped all applications running on the NAS (including Container Station) and ran another QuFirewall capture and it is still the same.
I also think it is the result of a broadcast request but I cannot find the originator.

Any idea if another service or application can generate these requests?
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by OneCD »

touss1coup wrote (Wed Jan 13, 2021 6:22 am): Any idea if another service or application can generate these requests?

touss1coup wrote (Sun Jan 10, 2021 7:51 pm): IN=lxcbr0 ... IN=docker0

Both types are related to containerisation.

After you stopped everything, did you reboot the NAS to clear the active processes? If not, is anything of interest still running in your process list?

touss1coup
New here
Posts: 6
Joined: Sun Jan 10, 2021 7:32 pm

Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by touss1coup »

Thanks to Robert_73 and OneCD, I found out where these requests come from.

Container Station created 2 virtual network cards with these addresses (10.0.3.1 and 10.0.5.1) during installation. I don't know why because I have no VM.
However, I could not remove the NAT option from these virtual cards' settings as they are managed by Container Station.

It also explains why I still get these requests when Container Station was stopped.
touss1coup
New here
Posts: 6
Joined: Sun Jan 10, 2021 7:32 pm

Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app

Post by touss1coup »

Topic solved