3 Home Signal Box - Destination IP?



I have very poor signal with the 3 network at work. They offer a device called the 3 signal box which they sent out to me and it works flawlessly at home. However, at work, it seems to be blocked by my ISP's firewall. I've asked them and they are happy to open the required ports but they need a destination address. I called 3 but they won't give me the destination address, instead telling me to open my firewall (something I can't do anyway!). All they gave me was the ports I needed to open:

TCP - 80, 443
UDP - 53
NTP - 123
ISAKMP - 500
ESP - 4500

My question is, is it possible to find out where the box is trying to get to? I tried installing Wireshark at home and at work and isolating the IP address of the box, but I just got lost in the results it spewed out!

Link to comment
Share on other sites

As long as the ports are open to all IP addresses then it doesn't matter where it's going, unless your IT guy at work wants to restrict outbound ports to certain destinations?

Link to comment
Share on other sites

As long as the ports are open to all IP addresses then it doesn't matter where it's going, unless your IT guy at work wants to restrict outbound ports to certain destinations?

 

Yeah, I work at a school and the local firewall is controlled by an external 3rd party. I've been advised that the TCP, UDP and NTP ports are unrestricted, however, the remaining ports are closed and will only be opened to a specific destination. I just wanted to know if there was a way to capture the destination IP as the box tries to contact it.

Link to comment
Share on other sites

Looking at my DNS server log, it attempts to connect to emtosegw.three.co.uk - but there have been lookups for emotseg[a-z].three.co.uk over the past month or so.

 

All of these domains seem to resolve to 92.41.252.3

Link to comment
Share on other sites

I had a similar problem at work with 3 too. I didn't want this service to be open for the whole world, so I called them, and they didn't give me the IPs, etc. So I opened it for only 3's networks in our F5 and firewalls. Something like 123.456.0.0/12. Since this was the range of the phones of our company, it worked without problems and it was not open for the whole world to access, though it still was open.

 

You can probably do something similar: open for an entire subnet. Give your IT guy the range with the ports and you'd be good. Your IT guy is happy, your ISP who won't give you the destination is happy and you are happy too, problem solved! ;)

Link to comment
Share on other sites

Where were you sniffing - you would have to be at the gateway sniffing to see where it was going. Sniffing on your machine wouldn't show you where some other device was going unless you were on a hub network, or span port, etc.

It seems highly unlikely that they would not tell you what networks they are on - I would suggest you call back, and say you need the network blocks as well as the ports since your IT guys will not open up those ports to the entire internet.

Even though I would assume 80 and 443 already are, and the dns and ntp shouldn't really be a concern..

Link to comment
Share on other sites

Looking at my DNS server log, it attempts to connect to emtosegw.three.co.uk - but there have been lookups for emotseg[a-z].three.co.uk over the past month or so.

 

All of these domains seem to resolve to 92.41.252.3

Thanks for that. I will try that address out.

 

Where were you sniffing - you would have to be at the gateway sniffing to see where it was going. Sniffing on your machine wouldn't show you where some other device was going unless you were on a hub network, or span port, etc.

It seems highly unlikely that they would not tell you what networks they are on - I would suggest you call back, and say you need the network blocks as well as the ports since your IT guys will not open up those ports to the entire internet.

Even though I would assume 80 and 443 already are, and the dns and ntp shouldn't really be a concern..

I tried calling several times and speaking to several different people. The only information they would give me is what ports need to be opened. They advised that these ports need to be opened for access to the entire Internet. The destination IP address is not information that they release to customers. :pinch:

 

Do you know of any programs that will allow me to sniff at gateway level? As far as I can see, Wireshark only supports local interfaces. I'll do the sniff at home as I have far fewer devices than at work.

Link to comment
Share on other sites

What is your router? Is it running 3rd party firmware? What switch(es) do you have? If they are smart/managed they should support span ports.. Do you have any old hubs, laying around?

Link to comment
Share on other sites

What is your router? Is it running 3rd party firmware? What switch(es) do you have? If they are smart/managed they should support span ports.. Do you have any old hubs, laying around?

 

It's a school network, so I doubt he has access to changing them. It's just a case of saying "I need port xxx open on 111.222.333.444" and having them do it.

Link to comment
Share on other sites

^ what??

"Do you know of any programs that will allow me to sniff at gateway level?"

"I'll do the sniff at home as I have far fewer devices than at work."

This is what my comment was directed to.. This has nothing to do with allowing any specific traffic.

Link to comment
Share on other sites

Is this Three mobile in the UK? You might have all manner of problems with this as they tend to be using carrier-grade NAT. If you want I can try to get a proper technical contact within Three so you can ask the questions there.

 

You could connect it to another device, Go to something like http://www.whatismyip.com/

 

Then enter that here....

 

http://www.nirsoft.net/utils/ipnetinfo.html

 

That will give you the block they assign to Three Mobile. Then ask your firewall guys to open up the firewalls to that range. It's not the best but it might work. You could then tell the firewall guys to put a log on the firewall rule and see what ports it's using and tie it down that way.

 

Or just do a traceroute from Three Network box to your network. See what its route is. Maybe post it here. We could have a good guess ;-) 

Link to comment
Share on other sites

What is your router? Is it running 3rd party firmware? What switch(es) do you have? If they are smart/managed they should support span ports.. Do you have any old hubs, laying around?

I don't have any switches at home. My router is a Virgin Media Super hub 2.0. Running stock Virgin Media firmware.

Link to comment
Share on other sites

Well you're out of luck then - there is no way to sniff then.. Does your PC have 2 interfaces? You could bridge them and put the device on the other NIC and your PC connected to the router LAN ports.

Link to comment
Share on other sites

Sorry, I completely misunderstood what you were asking.

However the easiest thing is just go to What is my IP, get the IP, check the IP block for Three. Give the device an IP on your network and open up the firewall from that one IP to the Three IP block. That would work. It would most likely be load balanced anyway so you have the whole Three block covered.

You're talking about femtocells, right?

 

http://www.tubblog.co.uk/blog/2013/05/13/using-a-three-home-signal-femtocell-to-improve-a-mobile-phone-signal-2/

Link to comment
Share on other sites

How is checking what's my IP going to tell him what IP(s) this device is going to??

Does your router show you the state table? If so you could find where the device is going in there..

example

post-14624-0-03444300-1412426685.png

If it was me - I would pick up a cheap smart switch that does span ports, return it when done with the sniff ;) Bridge 2 interfaces on your PC, pick up 2nd nic if need be. If your PC has 2 nics -- cheap nics can be had for like $5-10. You could then sniff and know exactly what the device is doing.

Once you have the IPs the thing is going to, then you can see who owns them and give your IT guys the netblocks vs the IP.. So let's pick for example that IP on my state table.

162.220.220.76:5938 <- 192.168.1.100:56861

If I do a whois for 162.220.220.76

NetRange: 162.220.220.0 - 162.220.223.255

CIDR: 162.220.220.0/22

NetName: ANEXIA-US

I would give the IT guys hey need port 5938 tcp to 162.220.220.0/22

If anyone is curious what that connection is, that is teamviewer.

And so on for your other IPs it connects to - they might all be in 1 block, they might be different. The NTP most likely just uses a pool, which is going to make it pretty much impossible to find IPs - because NTP pools change all the time. Pretty much every time you query them. But they could do it the other way around, and vs letting the whole network go to any NTP server on the internet, they could let this device's IP only go to any NTP server.

As mentioned - why can your IT guys not help you.. You plug it in at work/school - wherever you're wanting to use this. And they should be able to look at the firewall logs and see exactly where the thing tried to go on the internet.

Link to comment
Share on other sites

It routes all the traffic through a Three (network in the UK) IP address if I am not mistaken. So connect it and check whatismyip on a mobile device.




As mentioned - why can your IT guys not help you.. You plug it in at work/school - wherever you're wanting to use this. And they should be able to look at the firewall logs and see exactly where the thing tried to go on the internet.

 

^ This :rolleyes:

Link to comment
Share on other sites

"So connect it and check whatismyip on a mobile device."

Doh!!!! ;) Wasn't thinking about the device connected to it, and then going down the tunnel it creates.. But the IP the device uses through the tunnel could be completely different than the IPs used to create the tunnel.

But that might work -- could for sure test to see at home this way. Once you have this IP and the block it is on, set up your router at home to only allow access to this network. But with the very limited device he has, you're shooting in the dark since I doubt his current router lets him filter outbound access to specific IPs, etc.??

Link to comment
Share on other sites

:laugh: I should have given more detail! Just connect the mobile device to the femtocell, visit what is my IP and that will give you the Three block. Ask your IT department to tie the firewall down to your femtocell IP on the network and the IP block. That should at least give you a start. With the femtocell you can authorize devices so you manage it from that point of security anyway.

 

Give this to your IT Guys.....

 

 


inetnum:        188.29.0.0 - 188.29.255.255
netname:        H3GUK-S3
descr:          H3GUK Subscribe Block3
country:        GB
admin-c:        HURA1-RIPE
tech-c:         HURA1-RIPE
status:         ASSIGNED PA
mnt-by:         H3GUK-MNT
source:         RIPE

role:           H3G UK RIPE Admin
address:        Hutchison 3G UK Ltd
address:        Star House
address:        20 Grenfell Road
address:        Maidenhead,
address:        SL6 1EH
address:        United Kingdom
mnt-by:         H3GUK-MNT
admin-c:        TM7656-RIPE
admin-c:        DV3702-RIPE
tech-c:         TM7656-RIPE
tech-c:         NA527-RIPE
tech-c:         GM16969-RIPE
nic-hdl:        HURa1-RIPE
source:         RIPE

% Information related to '188.28.0.0/15AS21327'

route:          188.28.0.0/15
descr:          Aggregate /15 route from 188.28.0.0/14 (H3GUK-S3)
origin:         AS21327
mnt-by:         H3GUK-MNT
mnt-routes:     H3GUK-MNT
source:         RIPE

% Information related to '188.28.0.0/15AS60339'

route:          188.28.0.0/15
descr:          H3G UK IPv4 address space
origin:         AS60339
mnt-by:         H3GUK-MNT
source:         RIPE

 

Link to comment
Share on other sites

As mentioned - why can your IT guys not help you.. You plug it in at work/school - wherever you're wanting to use this. And they should be able to look at the firewall logs and see exactly where the thing tried to go on the internet.

At this point I should clarify that I am the IT guy at school! We have a firewall onsite that is controlled directly by the ISP. So I don't have access to the firewall to check any logs. I could maybe ask the ISP to check the logs, I will try that on Monday.

 

I have the new version of the Three Home Signal Box, it's this one here:

 

 

ChuckFinley: Is 188.28.0.0/15 the correct IP block that I need to unblock the ports on?

 

I've done a whatismyip scan and I get a 92.40.x.x address.

Link to comment
Share on other sites

Well that is the whole

inetnum: 92.40.0.0 - 92.40.255.255

netname: H3GUK

descr: Mobile Broadband Service

country: GB

Link to comment
Share on other sites

  • 3 weeks later...

It uses an IPsec tunnel to 92.41.252.174.

 

You may need to also allow protocol 50 and 51 to be used by the internal IP of the three box. This one usually catches people out with IPsec.

So - assign the Three box a Static IP and ask the ISP to allow the following FROM that IP TO 0.0.0.0/0 (or 92.41.252.174/32 if they are picky):

 

UDP/500

UDP/4500

Protocol 50

Protocol 51

 

TonyJr

Link to comment
Share on other sites

It uses an IPsec tunnel to 92.41.252.174.

 

You may need to also allow protocol 50 and 51 to be used by the internal IP of the three box. This one usually catches people out with IPsec.

So - assign the Three box a Static IP and ask the ISP to allow the following FROM that IP TO 0.0.0.0/0 (or 92.41.252.174/32 if they are picky):

 

UDP/500

UDP/4500

Protocol 50

Protocol 51

 

TonyJr

 

 

Good answer!!

 

That resolves to 92.41.252.174.sub.mbb.three.co.uk .....

 

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
 
% Information related to '92.40.0.0 - 92.41.255.255'
 
% Abuse contact for '92.40.0.0 - 92.41.255.255' is 'abuse@three.co.uk'
 
inetnum:        92.40.0.0 - 92.41.255.255
org:            ORG-HUL1-RIPE
admin-c:        HURa1-RIPE
netname:        UK-H3G-20071121
descr:          Hutchison 3G UK Limited
country:        GB
tech-c:         HURa1-RIPE
status:         ALLOCATED PA
remarks:        ** Please send all queries regarding spams or abuse
remarks:        ** to abuse@three.co.uk
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      H3GUK-MNT
mnt-routes:     H3GUK-MNT
changed:        hostmaster@ripe.net 20071121
changed:        bitbucket@ripe.net 20071128
changed:        bitbucket@ripe.net 20071207
changed:        bitbucket@ripe.net 20071207
changed:        bitbucket@ripe.net 20091015
changed:        bit-bucket@ripe.net 20130930
source:         RIPE
 
organisation:   ORG-HUL1-RIPE
org-name:       Hutchison 3G UK Limited
org-type:       LIR
address:        Hutchison 3G UK Limited
address:        Star House
                20 Grenfell Rd
address:        SL6 1EH
address:        Maidenhead
address:        UNITED KINGDOM
phone:          +441628765000
fax-no:         +441189024031
admin-c:        PANO1-RIPE
admin-c:        HURa1-RIPE
admin-c:        NA527-RIPE
admin-c:        JC6695-RIPE
admin-c:        HURa1-RIPE
mnt-ref:        H3GUK-MNT
mnt-ref:        RIPE-NCC-HM-MNT
tech-c:         HURa1-RIPE
mnt-by:         RIPE-NCC-HM-MNT
abuse-c:        HURa1-RIPE
source:         RIPE
e-mail:         ripe@thee.co.uk
changed:        bitbucket@ripe.net 20140415
 
role:           H3G UK RIPE Admin
address:        Hutchison 3G UK Ltd
address:        Star House
address:        20 Grenfell Road
address:        Maidenhead,
address:        SL6 1EH
address:        United Kingdom
e-mail:         ripe@three.co.uk
mnt-by:         H3GUK-MNT
admin-c:        TM7656-RIPE
admin-c:        DV3702-RIPE
tech-c:         TM7656-RIPE
tech-c:         NA527-RIPE
tech-c:         GM16969-RIPE
abuse-mailbox:  abuse@three.co.uk
nic-hdl:        HURa1-RIPE
changed:        eddy.young2@three.co.uk 20080617
changed:        nikolay.abromov@three.co.uk 20130514
changed:        zoltan.gelencser@three.co.uk 20081125
changed:        ejaz.ahmad@ericsson.com 20090324
changed:        nikolay.abromov@three.co.uk 20130220
changed:        george.manousakis@three.co.uk 20130926
changed:        nikolay.abromov@three.co.uk 20140410
source:         RIPE
 
% Information related to '92.40.0.0/15AS21327'
 
route:          92.40.0.0/15
descr:          Aggregate Route
origin:         AS21327
mnt-by:         H3GUK-MNT
changed:        eddy.young2@three.co.uk 20071121
changed:        zoltan.gelencser@three.co.uk 20081125
changed:        zoltan.gelencser@three.co.uk 20081211
changed:        george.manousakis@three.co.uk 20130926
source:         RIPE
 
% Information related to '92.40.0.0/15AS60339'
 
route:          92.40.0.0/15
descr:          H3G UK IPv4 address space
origin:         AS60339
mnt-by:         H3GUK-MNT
changed:        george.manousakis@three.co.uk 20131022
source:         RIPE
 
% This query was served by the RIPE Database Query Service version 1.75 (DB-3)
 
 

 

Link to comment
Share on other sites

I have done a packet sniff on the new Three Home Signal Box, through a reboot. It will do the usual DHCP, NTP, ping of gateway and one DNS lookup for beta-recover.ubiquisys.com which returns 212.111.60.5. The device never connects to that address. It does a few multicast group leaves and two joins, then begins the tunnel setup. This is to one of many different addresses in the 92.40.0.0/7 range - it appears to change on reboot randomly.

 

I am going to do a factory reset on it and see what extra information I can gather from a sniff on that data. I will have to do that tomorrow though, as I can't get in the loft where the box is at the moment.

 

There is some kind of web interface on port 8082, but it asks for an unknown username and password...

 

Tony

Link to comment
Share on other sites
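Added example, not written by anyone in the thread: the approach the replies converge on (capture the box's traffic, then hand the firewall operator a service-to-destination list) sketched in Python over a constructed `tcpdump -nn` text capture. The box address 192.168.1.50, the LAN 192.168.1.0/24, the second host and the NTP server address are assumptions; 92.41.252.174 and the whois block 92.40.0.0/15 are the values quoted above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn` text format. 192.168.1.50 (the box),
# 192.168.1.77 (another host) and 203.0.113.10 (an NTP server) are assumed;
# 92.41.252.174 and the DNS name are the ones quoted in the thread.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.168.1.50.123 > 203.0.113.10.123: NTPv4, Client, length 48
12:00:02.000000 IP 192.168.1.50.40001 > 192.168.1.1.53: 1+ A? beta-recover.ubiquisys.com. (44)
12:00:03.000000 IP 192.168.1.50.500 > 92.41.252.174.500: isakmp: parent_sa ikev2_init[I]
12:00:03.100000 IP 92.41.252.174.500 > 192.168.1.50.500: isakmp: parent_sa ikev2_init[R]
12:00:04.000000 IP 192.168.1.50.4500 > 92.41.252.174.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
12:00:05.000000 IP 192.168.1.50.4500 > 92.41.252.174.4500: UDP-encap: ESP(spi=0x0a0b0c0d,seq=0x1), length 116
12:00:06.000000 IP 192.168.1.50 > 92.41.252.174: ESP(spi=0x0a0b0c0d,seq=0x2), length 116
12:00:07.000000 IP 192.168.1.77.51000 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def split_endpoint(text):
    """'1.2.3.4.500' -> (address, 500); '1.2.3.4' (no port) -> (address, None)."""
    parts = text.split(".")
    port = int(parts[4]) if len(parts) == 5 else None
    return ipaddress.ip_address(".".join(parts[:4])), port

def classify(payload, dport):
    """Name the firewall service; portless IPsec is an IP protocol, not a port."""
    if dport is None:
        if payload.startswith("ESP"):
            return "proto 50 (ESP)"
        if payload.startswith("AH"):
            return "proto 51 (AH)"
        return "other IP"
    # Heuristic: tcpdump prints TCP segments as "Flags [...]".
    return ("tcp" if payload.startswith("Flags [") else "udp") + f"/{dport}"

def outbound_summary(capture, device_ip, local_net, known_blocks=()):
    """Map each outbound service of one device to the destinations it needs."""
    device = ipaddress.ip_address(device_ip)
    lan = ipaddress.ip_network(local_net)
    blocks = [ipaddress.ip_network(b) for b in known_blocks]
    rules = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, _ = split_endpoint(m.group(1))
        dst, dport = split_endpoint(m.group(2))
        if src != device or dst in lan:  # other hosts, replies, LAN-only traffic
            continue
        # Widen to a whois-derived block when one covers the address.
        target = next((b for b in blocks if dst in b), ipaddress.ip_network(f"{dst}/32"))
        rules[classify(m.group(3), dport)].add(str(target))
    return {svc: sorted(dsts) for svc, dsts in sorted(rules.items())}

if __name__ == "__main__":
    for svc, dsts in outbound_summary(SAMPLE_CAPTURE, "192.168.1.50",
                                      "192.168.1.0/24", ["92.40.0.0/15"]).items():
        print(f"{svc:16} -> {', '.join(dsts)}")
```

The capture has to be taken where the box's traffic is visible (span port, bridged NICs or the gateway), and ESP without UDP encapsulation shows up as an IP protocol rather than a port, so it needs its own firewall rule.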

This topic is now closed to further replies.