Zoom7000 Posted October 3, 2014

I have very poor signal with the 3 network at work. They offer a device called the 3 signal box which they sent out to me and it works flawlessly at home. However, at work, it seems to be blocked by my ISP's firewall. I've asked them and they are happy to open the required ports but they need a destination address. I called 3 but they won't give me the destination address, instead telling me to open my firewall (Something I can't do anyway!) All they gave me was the ports I needed to open:

TCP - 80, 443
UDP - 53
NTP - 123
ISAKMP - 500
ESP - 4500

My question is, is it possible to find out where the box is trying to get to? I tried installing Wireshark at home and at work and isolating the IP address of the box, but I just got lost in the results it spewed out!

Tomo Posted October 3, 2014

As long as the ports are open to all IP addresses then it doesn't matter where it's going, unless your IT guy at work wants to restrict outbound ports to certain destinations?

Zoom7000 Posted October 3, 2014

> As long as the ports are open to all IP addresses then it doesn't matter where it's going, unless your IT guy at work wants to restrict outbound ports to certain destinations?

Yeah, I work at a school and the local firewall is controlled by an external 3rd party. I've been advised that the TCP, UDP and NTP ports are unrestricted, however, the remaining ports are closed and will only be opened to a specific destination. I just wanted to know if there was a way to capture the destination IP as the box tries to contact it.

Tomo Posted October 3, 2014

The problem is finding the IP address it's using, I have one at home but it doesn't show up in any network scans.

Brian M. Veteran Posted October 3, 2014

Looking at my DNS server log, it attempts to connect to emtosegw.three.co.uk - but there have been lookups for emotseg[a-z].three.co.uk over the past month or so. All of these domains seem to resolve to 92.41.252.3

nabz0r Veteran Posted October 3, 2014

I had a similar problem at work with 3 too. I didn't want this service to be open for the whole world, instead I called them and they didn't give me the IPs, etc. So I opened for only 3 networks in our F5 and firewalls. Something like 123.456.0.0/12. Since this was the range of the phones of our company it worked without problems, and it was not open for the whole world to access though it still was open.

You can probably do something similar, open for an entire subnet. Give your IT guy the range with the ports and you'd be good. Your IT guy is happy, your ISP who won't give you the destination is happy and you are happy too, problem solved! ;)

+BudMan MVC Posted October 3, 2014

Where were you sniffing - you would have to be at the gateway sniffing to see where it was going. Sniffing on your machine wouldn't show you where some other device was going unless you were on a hub network, or span port, etc.

It seems highly unlikely that they would not tell you what networks they are on - I would suggest you call back, and say you need the network blocks as well as the ports since your IT guys will not open up those ports to the entire internet. Even though I would assume 80 and 443 already are, and the dns and ntp shouldn't really be a concern..

Zoom7000 Posted October 3, 2014

> Looking at my DNS server log, it attempts to connect to emtosegw.three.co.uk - but there have been lookups for emotseg[a-z].three.co.uk over the past month or so. All of these domains seem to resolve to 92.41.252.3

Thanks for that. I will try that address out.

> Where were you sniffing - you would have to be at the gateway sniffing to see where it was going. Sniffing on your machine wouldn't show you where some other device was going unless you were on a hub network, or span port, etc.
>
> It seems highly unlikely that they would not tell you what networks they are on - I would suggest you call back, and say you need the network blocks as well as the ports since your IT guys will not open up those ports to the entire internet. Even though I would assume 80 and 443 already are, and the dns and ntp shouldn't really be a concern..

I tried calling several times and speaking to several different people. The only information they would give me is what ports need to be opened. They advised that these ports need to be opened for access to the entire Internet. The destination IP address is not information that they release to customers. :pinch:

Do you know of any programs that will allow me to sniff at gateway level? As far as I can see, Wireshark only supports local interfaces. I'll do the sniff at home as I have far fewer devices than at work.

+BudMan MVC Posted October 3, 2014

What is your router? Is it running 3rd party firmware? What switch(es) do you have? If they are smart/managed they should support span ports.. Do you have any old hubs, laying around?

Brian M. Veteran Posted October 3, 2014

> What is your router? Is it running 3rd party firmware? What switch(es) do you have? If they are smart/managed they should support span ports.. Do you have any old hubs, laying around?

It's a school network, so I doubt he has access to changing them. It's just a case of saying "I need port xxx open on 111.222.333.444" and having them do it.

+BudMan MVC Posted October 3, 2014

^ what??

"Do you know of any programs that will allow me to sniff at gateway level?"

"I'll do the sniff at home as I have far fewer devices than at work."

This is what my comment was directed to.. This has nothing to do with allowing any specific traffic.

+John Teacake MVC Posted October 3, 2014

Is this three mobile in the UK? You might have all manner of problems with this as they tend to be using Carrier grade NAT. If you want I can try to get a proper technical contact within Three so you can ask the questions there.

You could connect it to another device, go to something like http://www.whatismyip.com/

Then enter that here.... http://www.nirsoft.net/utils/ipnetinfo.html

That will give you the block they assign to the Three Mobile. Then ask your Firewall guys to open up firewalls to that range. It's not the best but it might work. You could then tell the firewall guys to put a log on the firewall rule and see what ports it's using and tie it down that way.

Or just do a traceroute from Three Network box to your network. See what its route is. Maybe post it here. We could have a good guess ;-)

Zoom7000 Posted October 3, 2014

> What is your router? Is it running 3rd party firmware? What switch(es) do you have? If they are smart/managed they should support span ports.. Do you have any old hubs, laying around?

I don't have any switches at home. My router is a Virgin Media Super hub 2.0. Running stock Virgin Media firmware.

+BudMan MVC Posted October 4, 2014

Well you're out of luck then - there is no way to sniff then.. Does your PC have 2 interfaces, you could bridge them and put the device on the other nic and your pc connected to the router lan ports.

+John Teacake MVC Posted October 4, 2014

Sorry I completely misunderstood what you were asking. However the easiest thing is just go to What is my IP, get the IP, check the IP Block for three. Give the device an IP on your network and open up the firewall from that one IP to the Three IP Block. That would work. It would most likely be load balanced anyway so you have the whole three block covered.

You're talking about Femtocells right?

http://www.tubblog.co.uk/blog/2013/05/13/using-a-three-home-signal-femtocell-to-improve-a-mobile-phone-signal-2/

+BudMan MVC Posted October 4, 2014

How is checking what's my IP going to tell him what IP(s) this device is going to??

Does your router show you the state table? If so you could find where the device is going in there.. example

If it was me - I would pick up a cheap smart switch that does span ports, return it when done with the sniff ;) Bridge 2 interfaces on your PC, pick up 2nd nic if need be. If your PC has 2 nics -- cheap nics can be had for like $5-10. You could then sniff and know exactly what the device is doing.

Once you have the IPs the thing is going to, then you can see who owns them and give your IT guys the netblocks vs the IP.. So let's pick for example that IP on my state table.

    162.220.220.76:5938 <- 192.168.1.100:56861

If I do a whois for 162.220.220.76

    NetRange: 162.220.220.0 - 162.220.223.255
    CIDR: 162.220.220.0/22
    NetName: ANEXIA-US

I would give the IT guys hey need port 5938 tcp to 162.220.220.0/22

If anyone is curious what that connection is, that is teamviewer.

And so on for your other IPs it connects to - they might all be in 1 block, they might be different. The NTP most likely just uses a pool, which is going to be pretty much impossible to find IPs - because ntp pools change all the time. Pretty much every time you query them. But they could do it the other way around, and vs letting the whole network go to any NTP server on the internet, they could let this device's IP only go to any ntp server.

As mentioned - why can your IT guys not help you.. You plug it in at work/school - wherever you're wanting to use this. And they should be able to look at the firewall logs and see exactly where the thing tried to go on the internet.

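The state-table-to-netblock step described in the post above, as an added example that is not part of the original thread: it filters state entries by the device's LAN address and maps each destination to its whois netblock, producing a least-privilege egress request. The protocol column, the device address 192.168.1.50 and the 198.51.100.x, 203.0.113.x and 192.0.2.x entries are constructed; the rule text is plain wording, not any firewall's syntax.

```python
import ipaddress
import re

# Constructed sample: state-table lines in the "dst:port <- src:port" form
# shown in the post, with a leading protocol column added (an assumption).
STATE_TABLE = """\
tcp 162.220.220.76:5938 <- 192.168.1.100:56861
udp 198.51.100.20:500 <- 192.168.1.50:500
udp 198.51.100.77:4500 <- 192.168.1.50:4500
udp 203.0.113.9:123 <- 192.168.1.50:123
udp 198.51.100.20:500 <- 192.168.1.50:500
tcp 192.0.2.10:443 <- 192.168.1.23:40112
this line is not a state entry
"""

# Netblocks as whois reported them. 162.220.220.0/22 is the one from the
# post; 198.51.100.0/24 is a documentation range standing in for a lookup.
WHOIS_BLOCKS = ["162.220.220.0/22", "198.51.100.0/24"]

STATE_RE = re.compile(r"^(tcp|udp)\s+([\d.]+):(\d+)\s+<-\s+([\d.]+):\d+$")


def parse_states(text):
    """Yield (proto, dst_ip, dst_port, src_ip); skip lines that do not parse."""
    for raw in text.splitlines():
        m = STATE_RE.match(raw.strip())
        if not m:
            continue
        proto, dst, dport, src = m.groups()
        try:
            yield proto, ipaddress.ip_address(dst), int(dport), ipaddress.ip_address(src)
        except ValueError:
            continue  # e.g. an octet above 255


def egress_rules(text, device_ip, whois_blocks):
    """Return sorted, de-duplicated (proto, port, destination network) tuples
    for flows that originate from device_ip."""
    device = ipaddress.ip_address(device_ip)
    blocks = [ipaddress.ip_network(b) for b in whois_blocks]
    rules = set()
    for proto, dst, dport, src in parse_states(text):
        if src != device:
            continue
        covering = [b for b in blocks if dst in b]
        # Most specific known netblock wins; with no whois data for the
        # destination, fall back to the single host rather than widening.
        net = max(covering, key=lambda b: b.prefixlen) if covering \
            else ipaddress.ip_network(f"{dst}/32")
        rules.add((proto, dport, str(net)))
    return sorted(rules)


def format_request(rules, device_ip):
    """Render the rules as plain-text lines to hand to the firewall admins."""
    return [f"allow {p} from {device_ip} to {net} port {port}"
            for p, port, net in rules]


if __name__ == "__main__":
    for ip in ("192.168.1.100", "192.168.1.50"):
        print("\n".join(format_request(egress_rules(STATE_TABLE, ip, WHOIS_BLOCKS), ip)))
```

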
+John Teacake MVC Posted October 4, 2014

It routes all the traffic through a Three (Network in the UK) IP address If I am not mistaken. So connect it and check whatismyip on a mobile device.

> As mentioned - why can your IT guys not help you.. You plug it in at work/school - wherever you're wanting to use this. And they should be able to look at the firewall logs and see exactly where the thing tried to go on the internet.

^ This :rolleyes:

+BudMan MVC Posted October 4, 2014

"So connect it and check whatismyip on a mobile device."

Doh!!!! ;) Wasn't thinking about the device connected to it, and then going down the tunnel it creates.. But the IP the device uses through the tunnel could be completely different than the IPs used to create the tunnel. But that might work -- could for sure test to see at home this way. Once you have this IP and the block it is on, set up your router at home to only allow access to this network. But with the very limited device he has, you're shooting in the dark since I doubt his current router lets him filter outbound access to specific IPs, etc.??

+John Teacake MVC Posted October 4, 2014

:laugh: I should have given more detail! Just connect the mobile device to the femtocell, visit what is my IP, that will give you three block. Ask your IT department to tie the firewall down to your femtocell IP on the network and the IP block. That should at least give you a start. With the femto cell you can authorize devices so you manage it from that point of security anyway.

Give this to your IT Guys.....

    inetnum: 188.29.0.0 - 188.29.255.255
    netname: H3GUK-S3
    descr: H3GUK Subscribe Block3
    country: GB
    admin-c: HURA1-RIPE
    tech-c: HURA1-RIPE
    status: ASSIGNED PA
    mnt-by: H3GUK-MNT
    changed: 20110310
    changed: 20130926
    changed: 20131028
    source: RIPE

    role: H3G UK RIPE Admin
    address: Hutchison 3G UK Ltd
    address: Star House
    address: 20 Grenfell Road
    address: Maidenhead,
    address: SL6 1EH
    address: United Kingdom
    e-mail:
    mnt-by: H3GUK-MNT
    admin-c: TM7656-RIPE
    admin-c: DV3702-RIPE
    tech-c: TM7656-RIPE
    tech-c: NA527-RIPE
    tech-c: GM16969-RIPE
    abuse-mailbox:
    nic-hdl: HURa1-RIPE
    changed: 20080617
    changed: 20130514
    changed: 20081125
    changed: 20090324
    changed: 20130220
    changed: 20130926
    changed: 20140410
    source: RIPE

    % Information related to '188.28.0.0/15AS21327'

    route: 188.28.0.0/15
    descr: Aggregate /15 route from 188.28.0.0/14 (H3GUK-S3)
    origin: AS21327
    mnt-by: H3GUK-MNT
    mnt-routes: H3GUK-MNT
    changed: 20100409
    changed: 20110329
    notify:
    source: RIPE

    % Information related to '188.28.0.0/15AS60339'

    route: 188.28.0.0/15
    descr: H3G UK IPv4 address space
    origin: AS60339
    mnt-by: H3GUK-MNT
    changed: 20131022
    source: RIPE

Zoom7000 Posted October 4, 2014

> As mentioned - why can your IT guys not help you.. You plug it in at work/school - wherever you're wanting to use this. And they should be able to look at the firewall logs and see exactly where the thing tried to go on the internet.

At this point I should clarify that I am the IT guy at school! We have a firewall onsite that is controlled directly by the ISP. So I don't have access to the firewall to check any logs. I could maybe ask the ISP to check the logs, I will try that on Monday.

I have the new version of the Three Home Signal Box, it's this one here:

ChuckFinley: Is 188.28.0.0/15 the correct IP block that I need to unblock the ports on? I've done a whatismyip scan and I get a 92.40.x.x address.

+BudMan MVC Posted October 4, 2014

Well that is the whole

    inetnum: 92.40.0.0 - 92.40.255.255
    netname: H3GUK
    descr: Mobile Broadband Service
    country: GB

+John Teacake MVC Posted October 10, 2014

Was out of the country with rubbish Hotel Wifi, Limited access to internet. Beers on Tap etc etc.

I have PM'd you.

tonyjr Posted October 28, 2014

It uses an IPsec tunnel to 92.41.252.174.

You may need to also allow protocol 50 and 51 to be used by the internal IP of the three box. This one usually catches people out with IPsec.

So - assign the Three box a Static IP and ask the ISP to allow the following FROM that IP TO 0.0.0.0/0 (or 92.41.252.174/32 if they are picky):

UDP/500
UDP/4500
Protocol 50
Protocol 51

TonyJr

+John Teacake MVC Posted October 28, 2014

> It uses an IPsec tunnel to 92.41.252.174.
>
> You may need to also allow protocol 50 and 51 to be used by the internal IP of the three box. This one usually catches people out with IPsec.
>
> So - assign the Three box a Static IP and ask the ISP to allow the following FROM that IP TO 0.0.0.0/0 (or 92.41.252.174/32 if they are picky):
>
> UDP/500
> UDP/4500
> Protocol 50
> Protocol 51
>
> TonyJr

Good answer!!

That resolves to 92.41.252.174.sub.mbb.three.co.uk .....

    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf

    % Information related to '92.40.0.0 - 92.41.255.255'

    % Abuse contact for '92.40.0.0 - 92.41.255.255' is 'abuse@three.co.uk'

    inetnum: 92.40.0.0 - 92.41.255.255
    org: ORG-HUL1-RIPE
    admin-c: HURa1-RIPE
    netname: UK-H3G-20071121
    descr: Hutchison 3G UK Limited
    country: GB
    tech-c: HURa1-RIPE
    status: ALLOCATED PA
    remarks: ** Please send all queries regarding spams or abuse
    remarks: ** to abuse@three.co.uk
    mnt-by: RIPE-NCC-HM-MNT
    mnt-lower: H3GUK-MNT
    mnt-routes: H3GUK-MNT
    changed: hostmaster@ripe.net 20071121
    changed: bitbucket@ripe.net 20071128
    changed: bitbucket@ripe.net 20071207
    changed: bitbucket@ripe.net 20071207
    changed: bitbucket@ripe.net 20091015
    changed: bit-bucket@ripe.net 20130930
    source: RIPE

    organisation: ORG-HUL1-RIPE
    org-name: Hutchison 3G UK Limited
    org-type: LIR
    address: Hutchison 3G UK Limited
    address: Star House 20 Grenfell Rd
    address: SL6 1EH
    address: Maidenhead
    address: UNITED KINGDOM
    phone: +441628765000
    fax-no: +441189024031
    admin-c: PANO1-RIPE
    admin-c: HURa1-RIPE
    admin-c: NA527-RIPE
    admin-c: JC6695-RIPE
    admin-c: HURa1-RIPE
    mnt-ref: H3GUK-MNT
    mnt-ref: RIPE-NCC-HM-MNT
    tech-c: HURa1-RIPE
    mnt-by: RIPE-NCC-HM-MNT
    abuse-c: HURa1-RIPE
    source: RIPE
    e-mail: ripe@thee.co.uk
    changed: bitbucket@ripe.net 20140415

    role: H3G UK RIPE Admin
    address: Hutchison 3G UK Ltd
    address: Star House
    address: 20 Grenfell Road
    address: Maidenhead,
    address: SL6 1EH
    address: United Kingdom
    e-mail: ripe@three.co.uk
    mnt-by: H3GUK-MNT
    admin-c: TM7656-RIPE
    admin-c: DV3702-RIPE
    tech-c: TM7656-RIPE
    tech-c: NA527-RIPE
    tech-c: GM16969-RIPE
    abuse-mailbox: abuse@three.co.uk
    nic-hdl: HURa1-RIPE
    changed: eddy.young2@three.co.uk 20080617
    changed: nikolay.abromov@three.co.uk 20130514
    changed: zoltan.gelencser@three.co.uk 20081125
    changed: ejaz.ahmad@ericsson.com 20090324
    changed: nikolay.abromov@three.co.uk 20130220
    changed: george.manousakis@three.co.uk 20130926
    changed: nikolay.abromov@three.co.uk 20140410
    source: RIPE

    % Information related to '92.40.0.0/15AS21327'

    route: 92.40.0.0/15
    descr: Aggregate Route
    origin: AS21327
    mnt-by: H3GUK-MNT
    changed: eddy.young2@three.co.uk 20071121
    changed: zoltan.gelencser@three.co.uk 20081125
    changed: zoltan.gelencser@three.co.uk 20081211
    changed: george.manousakis@three.co.uk 20130926
    source: RIPE

    % Information related to '92.40.0.0/15AS60339'

    route: 92.40.0.0/15
    descr: H3G UK IPv4 address space
    origin: AS60339
    mnt-by: H3GUK-MNT
    changed: george.manousakis@three.co.uk 20131022
    source: RIPE

    % This query was served by the RIPE Database Query Service version 1.75 (DB-3)

tonyjr Posted October 28, 2014

I have done a packet sniff to the new three home signal box, through a reboot.

It will do the usual DHCP, NTP, ping of Gateway and one DNS lookup for beta-recover.ubiquisys.com which returns 212.111.60.5. The device never connects to that address.

It does a few multicast group leaves and two joins, then begins the tunnel setup. This is to one of many different addresses in the 92.40.0.0/7 range - it appears to change on reboot randomly.

I am going to do a factory reset on it and see what extra information I can gather from a sniff on that data. I will have to do that tomorrow though, as I can't get in the loft where the box is at the moment.

There is some kind of web interface on port 8082, but it asks for an unknown username and password...

Tony