Ghost in the Machine - be afraid!

madpenguin · 18 September 2011 01:30

And I’m not talking about the Police … (if that reference doesn’t make sense you’re under 40 so just ignore it … )

I’ve been trying to track down a problem with my home LAN for the last few weeks … it’s a little intermittent and I’ve had different results with different routers. Essentially the network works Ok, but then at certain times (generally late at night) connectivity becomes erratic. Moreover, connectivity “to my local router” becomes erratic. i.e. I can see other machines on my network but not the router. Switching to an identical but new router doesn’t solve the problem, but switching to a different make of router does, although the alternate make isn’t a good solution for me.

After a little while I twig that something else on the network is “sometimes” using the same IP address of the router. Impossible obviously, I wouldn’t be so stupid as to have another device with the router’s IP (!)

Nevertheless, arp -na when I can ping the router shows one MAC address, and arp -na when I can’t ping the router shows another.

Something is on my network!

So, I switch off all other devices one by one. They’re all off.

Something is still on my network.

I look at what’s left … I have a “homeplug device” (ethernet over mains) plugged in, but the PC on the other end is turned off. I unplug it.

Network back to normal.

Deduction :: the homeplug was picking up an IP address from outside the building which happened to be the same IP address as my router … I would have to guess from a neighbor … although given it must be bleed through beyond my fuse box and meter, it “could” be from almost anywhere in the local area. Why does the new router not fix the problem, obvious, same default address (192.168.1.254). Why does the alternative make fix the problem, different default IP, 192.168.1.253.

The implications of this are mind-boggling. Lots of people use homeplug devices, partly because they’re so easy to use. One of the reasons they’re so easy to use is that they are plug and go, no security, they rely on the local mains partitioning to separate out properties so the homeplug can’t talk outside the property. This feature clearly doesn’t work, we’re back to the good’ol days when nobody used any security on their WiFi !!

Anyone out there using homeplug devices? Beware, you might find your neighbor is reading your mail!

Mark_Greaves_PCNetSp · 18 September 2011 02:59

As far as I’m aware, and from a quick look at the homeplug white papers… (non-wireless) homeplugs don’t have IP addresses, so AFAIK it’s unlikely it’s getting an IP from your (or anyone else’s) router/DHCP server.

Maybe you’ll prove me wrong, but if they had IP addresses (even just for encryption/password configuration) then it could be available in any OS via a web interface… yet they tend to be Windows only applications that can access the interface to turn on encryption.

They seem to use some other command and control magic trickery on the MAC layer for negotiation and communication with each other without major packet collision.

If unplugging your homeplug solves the problem, I (like you) can only assume it’s the homeplug that is at fault, but I’m not (until you prove me wrong, and you probably will ) totally convinced it’s because of an IP address conflict.

Maybe the MAC magic they perform is somehow screwing with the MAC addresses arp (and therefore the rest of the network) is seeing ?

Is the issue resolved by changing the original routers IP to 192.168.1.253 ?

References:
https://www.homeplug.org/tech/whitepapers/
and

and
http://www.yitran.com/Common/FilesBinaryWrite.aspx?id=647

Though it IS indeed known that powerline communications CAN “bleed” past the electricity meter (so people should be aware of this, particularly if not using Windows where you may be able to turn on encryption and change the homeplugs default password via the included software)… some newer powerline adapters are attempting to overcome this by having a button on them to “pair” them using a common encyption key.

BkS · 18 September 2011 18:38

I haven’t gotten my homeplugs yet, but I’m definitely going to be getting some. My house (before I moved into it a couple of months ago), wasn’t that long ago redone. I’m pretty sure the wiring has been redone, although don’t hold me to that. However I’m not convinced it’s a IP issue as well, it could be, but maybe someone’s trying to get into your network? I’m pretty sure you’ll prove me and mark wrong haha, but I’m convinced it’s perhaps jsut a faulty homeplug.

Mark_Greaves_PCNetSp · 18 September 2011 19:50

I think his point was that considering he doesn’t use wireless, there would be NO other way for someone else to gain access to his network except maybe the homeplug.

Without encryption enabled (and with most homeplugs this is impossible unless you are running Windows) there is always going to be a slight risk of “bleed”, so there’s a small risk that a neighbor (with a compatible homeplug) could have access to your network.

Granted, it’s a small risk, but one that people should be aware of.

madpenguin · 19 September 2011 00:30

Ok, it is true that homeplugs have no IP addresses, I think maybe I was skimming over some detail …

Homeplugs work by bridging locations … so effectively two homeplugs, in two separate locations, each plugged into a three-pin socket, behave as if they were a (long) physical Cat-5 extension cable.

So, in context, that would be like me stringing a cable from my LAN to the guy next door’s LAN.

As the guy next door has a router on the same address as my router, I have two devices on my LAN with the same IP, one via cable, the other via homeplug.

Each device will respond to an ARP “who has” request, so on balance your local ARP table will have an entry for the IP address of your router, but the MAC address associated with that IP entry will alternate between your device, and the device next door, depending on which router last issued an “I have” ARP response. When the ARP entry matches the MAC address of your router, packets will go to your router and all will be honky dory. When the ARP entry matches the router next door, it sort of depends on how the router next door is configured. In theory (!) if the router is “happy”, this just means that half your traffic will go in/out of your ADSL, and half through next door’s, although I’d sort of expect a “blip” on every changeover. If on the other hand next door unplugs his phone line, only half your traffic will get through. (my problem)

So I wonder how many homeplug users are actually using twice as much bandwidth as their ISP or local router tells them they are … (!)

If this ARP stuff sounds a bit foreign, it’s worth knowing, there are many LAN problems you’ll never solve without understanding it …

Mark_Greaves_PCNetSp · 19 September 2011 00:47

Ahh, it makes more sense to me now… I thought you were saying the homeplug was somehow being given the same IP as your router by your neighbours DHCP server.

That’s why I was a little baffled by (what I thought was) your interpretation of the arp output… I thought you were looking at the IP/MAC (when it changed) as being those of the homeplug.

My mistake, oddly enough I had a feeling it was something I was getting wrong :

BkS · 19 September 2011 15:58

ARP… stuff I should know? Got a link MP, I’m interested

Mark_Greaves_PCNetSp · 19 September 2011 16:01

See:

man arp

madpenguin · 20 September 2011 13:26

… ARP == Address Resolution Protocol