Hello,
Since I installed the QuFirewall app on my TS-228A, it records about 65 requests from IP 10.0.3.1 and the same quantity from IP 10.0.5.1 every hour (see below an extract of the log file from QuFirewall).
I tried to find where these requests come from but I was not able to identify the source, because even when I unplug the network cable from the NAS itself, QuFirewall is still detecting these requests.
So I don't know if they are real or not. I assume that if they are real, they are generated by the NAS itself, but I don't know why.
My NAS address is 192.168.0.23 so it is not in the same range.
Does somebody face the same issues or have some information about that? Thanks.
Jan 9 22:56:31 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:44:73:d6:40:00:ff:11:19:d6:0a:00 SRC=10.0.3.1 DST=224.0.0.251 LEN=68 TOS=00 PREC=0x00 TTL=255 ID=29654 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48 MARK=10000
Jan 9 22:56:31 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:44:31:56:40:00:ff:11:5a:56:0a:00 SRC=10.0.5.1 DST=224.0.0.251 LEN=68 TOS=00 PREC=0x00 TTL=255 ID=12630 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48 MARK=10000
Jan 9 23:00:17 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:22:44:40:00:40:11:fd:5b:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8772 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:17 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:ce:55:40:00:40:11:4d:4a:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=52821 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:19 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:22:69:40:00:40:11:fd:36:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8809 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:19 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:ce:ad:40:00:40:11:4c:f2:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=52909 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:19 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:22:6a:40:00:40:11:fd:35:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8810 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:19 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:ce:ae:40:00:40:11:4c:f1:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=52910 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:21 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:23:1c:40:00:40:11:fc:83:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8988 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:21 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:ce:ee:40:00:40:11:4c:b1:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=52974 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:21 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:d3:23:1e:40:00:40:11:fb:fc:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=211 TOS=00 PREC=0x00 TTL=64 ID=8990 DF PROTO=UDP SPT=138 DPT=138 LEN=191 MARK=10000
Jan 9 23:00:21 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:d3:ce:f0:40:00:40:11:4c:2a:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=211 TOS=00 PREC=0x00 TTL=64 ID=52976 DF PROTO=UDP SPT=138 DPT=138 LEN=191 MARK=10000
Jan 9 23:01:02 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:ef:23:a6:40:00:40:11:fb:58:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=239 TOS=00 PREC=0x00 TTL=64 ID=9126 DF PROTO=UDP SPT=138 DPT=138 LEN=219 MARK=10000
Jan 9 23:01:02 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:ef:d6:65:40:00:40:11:44:99:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=239 TOS=00 PREC=0x00 TTL=64 ID=54885 DF PROTO=UDP SPT=138 DPT=138 LEN=219 MARK=10000
Jan 9 23:05:19 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:7e:71:40:00:40:11:a1:2e:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=32369 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:19 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:1b:96:40:00:40:11:00:0a:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=7062 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:21 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:7e:d1:40:00:40:11:a0:ce:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=32465 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:21 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:1b:f2:40:00:40:11:ff:ad:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=7154 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:21 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:7e:d2:40:00:40:11:a00a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=32466 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:05:21 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:1b:f3:40:00:40:11:ff:ac:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=7155 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app
Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app
10.0.3.1 and 10.0.5.1 are private IP addresses - they are not routable on the internet. It means that the traffic comes from your local network and not from the internet.
If you've unplugged the QNAP and had the same requests - check Container Station, you probably have two containers running.
Model: TS-h1290FX-7302P FW: QuTS 5.1.4.x
BIOS Q09ARR09 ->
SSD: 12x7.68TB Samsung PM9A3 SSD (PCIe Gen4x4 U2), RAID6
QM2-2P-384A: 2x2TB Samsung 980 PRO, RAID1
RAM: 128GB (8x16GB) TS2GHR72V2B -> 256GB (8x32GB) M393A4K40EB3-CWEC0
GPU: Gigabyte GT 1030 LP 2G (GV-N1030D5-2GL)
-------
Model: TS-677-1600 FW: QTS 5.1.4.x
BIOS QZ14AR10 -> QZ14AR54 -> QZ14AR57, Ryzen 5 1600 -> Ryzen 7 2700
HDD: 4x10TB ST10000NM0086, EXT4, RAID6
M2: 2x2TB Samsung 860 EVO, RAID1
SSD: 2x2TB Samsung 870 EVO, RAID1
QM2-2S-220A: 2x1TB Samsung 860 EVO, RAID1
RAM: 64GB (4x16GB) M378A2K43BB1-CRC
GPU: Gigabyte 1050Ti 4GB (GV-N105TD5-4GD)
-------
Model: TS-253Pro FW: QTS 5.1.4.x
BIOS QW37AR32 -> QW37AR36
HDD: 2x6TB ST6000VN0001, EXT4, RAID1
RAM: 8GB (1x8GB) ADDS1600W8G11
- OneCD
Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app
Interesting that the MAC addresses keep changing for each entry. Also seems the destination is always a broadcast or multicast address.
Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app
I stopped all applications running on the NAS (including Container Station) and ran another QuFirewall capture, and it is still the same.
I think also it is the result of a broadcast request but I cannot find the originator.
Any idea if another service or application can generate these requests?
- OneCD
Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app
touss1coup wrote: ↑Wed Jan 13, 2021 6:22 am Any idea if another service or application can generate these requests?
Both types are related to containerisation.
After you stopped everything, did you reboot the NAS to clear the active processes? If not, is anything of interest still running in your process list?
Re: Continuous request from IP 10.0.3.1 and 10.0.5.1 by QuFirewall app
Thanks to Robert_73 and OneCD, I found out where these requests come from.
Container Station created 2 virtual network cards with these addresses (10.0.3.1 and 10.0.5.1) during installation. I don't know why because I have no VM.
However, I could not remove the NAT option from these virtual cards' settings as they are managed by Container Station.
It also explains why I still get these requests when Container Station was stopped.
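A way to triage a log like the one in the first post, as an added example that is not part of the original thread: it groups entries by the IN= interface (lxcbr0 and docker0 are the usual names of the LXC and Docker bridges), source, destination type and discovery service. The function names and the /24 prefix used to recognise broadcast addresses are assumptions; the sample lines are copied from the log extract above.

```python
import ipaddress
import re
from collections import Counter

# Discovery / name-service ports that appear in the thread's log.
SERVICES = {5353: "mDNS", 137: "NetBIOS name service", 138: "NetBIOS datagram"}
FIELD = re.compile(r"(\w+)=(\S*)")

# Five entries copied from the log extract in the first post.
SAMPLE = """\
Jan 9 22:56:31 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:44:73:d6:40:00:ff:11:19:d6:0a:00 SRC=10.0.3.1 DST=224.0.0.251 LEN=68 TOS=00 PREC=0x00 TTL=255 ID=29654 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48 MARK=10000
Jan 9 22:56:31 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:44:31:56:40:00:ff:11:5a:56:0a:00 SRC=10.0.5.1 DST=224.0.0.251 LEN=68 TOS=00 PREC=0x00 TTL=255 ID=12630 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48 MARK=10000
Jan 9 23:00:17 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:4e:22:44:40:00:40:11:fd:5b:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8772 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:17 NAS-Rulian RULE=12 ACT=DROP IN=docker0 OUT= MAC=45:00:00:4e:ce:55:40:00:40:11:4d:4a:0a:00 SRC=10.0.5.1 DST=10.0.5.255 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=52821 DF PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=10000
Jan 9 23:00:21 NAS-Rulian RULE=11 ACT=DROP IN=lxcbr0 OUT= MAC=45:00:00:d3:23:1e:40:00:40:11:fb:fc:0a:00 SRC=10.0.3.1 DST=10.0.3.255 LEN=211 TOS=00 PREC=0x00 TTL=64 ID=8990 DF PROTO=UDP SPT=138 DPT=138 LEN=191 MARK=10000
"""

def parse(line):
    """Return the KEY=VALUE fields of one log line (a repeated key keeps its last value)."""
    return dict(FIELD.findall(line))

def dest_kind(dst, prefix=24):
    """Classify a destination. The /24 prefix is an assumption: the log carries no netmask."""
    ip = ipaddress.ip_address(dst)
    if ip.is_multicast:
        return "multicast"
    net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
    return "broadcast" if ip == net.broadcast_address else "unicast"

def summarize(text):
    """Count entries per (interface, source, destination kind, service)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse(line)
        if not {"IN", "SRC", "DST", "DPT"} <= f.keys():
            continue  # not a firewall entry
        port = int(f["DPT"])
        service = SERVICES.get(port, f"port {port}")
        counts[(f["IN"], f["SRC"], dest_kind(f["DST"]), service)] += 1
    return counts

def local_only(text):
    """True if every logged source is a private (non-routable) address."""
    srcs = [parse(l)["SRC"] for l in text.splitlines() if "SRC=" in l]
    return all(ipaddress.ip_address(s).is_private for s in srcs)

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```

Every entry in the sample arrives on a container bridge and goes to a multicast or broadcast address on an mDNS or NetBIOS port, which matches the conclusion reached in the thread.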