I have a software firewall on trial. One penetration attempt the program
consistently blocks is from IP 192.168.0.105. This attempt is incessant and for
the moment I’ve turned off the reports. However, if it’s a legitimate probe, I
need to let it through. Our router IP is 192.168.0.101, so that’s close to the
“culprit”. So, how do I determine whence cometh the IP address the firewall
One of the common annoyances with software firewalls is exactly this: that
you may get repeated notification of access attempts, with no real sense of
where they’re really coming from, and whether or not they’re legitimate.
In this case, I can’t really say whether it’s legitimate.
But I can say that the IP address is closer than you think.
Become a Patron of Ask Leo! and go ad-free!
The IP address range 192.168.x.x is never seen on the internet. By
definition that range and a couple of others are reserved specifically for
local area networks.
Your router’s internet-facing connection has a real internet address. But
the inward-facing connection on which your computer and perhaps others are
connected will have an IP address like you’ve seen: 192.168.0.101 is one common
default configuration for routers.
The router also assigns the IP addresses for the machines on your local
network from that same range. It then also takes care of translating between
the “real” internet IP address and the local network IP addresses as data flows
to and from the internet.
internet. By definition that range … [is] reserved specifically for local area
What that implies is that 192.168.0.105 is a machine on your local
So the next step is pretty easy: check the IP addresses assigned to the
machines on your network and you’ll quickly find out which machine is the
culprit. My favorite way to get the IP address is to open a Windows Command
Shell and type in “ipconfig” followed by Enter;
you should get something much like this:
Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : IP Address. . . . . . . . . . . . : 192.168.1.2 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.1.1
Here you can see my router is assigning from the “192.168.1.*” range, but
it’s the “192.168” part that shows that I’m behind a router performing this
network address translation or “NAT”.
Now, there’s a interesting scenario you might run into and that’s this: you
might find that the IP address is that of the very machine you have your
firewall installed on. There are a couple of reasons that might be:
What you’re seeing could be a warning relating to an outgoing
connection attempt. Your machine is attempting to connect to some remote
machine in a way that your firewall has been configured to block. Without
knowing more about the connection attempt details it’s almost impossible to say
whether this is good or bad.
Sometimes software will attempt to “connect to itself” using the network –
so even though my machine might be at IP 192.168.1.2, it’s possible that
software running on that machine might try to make an outbound connection to
… 192.168.1.2, which is, of course, itself. That’s totally valid, but it might
be seen as either an incoming or outgoing connection attempt that your firewall doesn’t like.
Regardless of the reasons, and be it from your own machine or another
machine on your local network, understanding the alert is the first step.
Hopefully the firewall will include additional information like the “port” the attempt is
being made on, which will often tell you what it’s trying to do. For outgoing
alerts, the firewall should also be able to tell you what software or service
on your machine is requesting the connection. If the firewall’s not giving
you that information in the alert, then check any logs that the firewall might be
Using that information you can make a call as to whether or not the alert is
legitimate. If it’s not, if it’s just an annoyance, then it’s time to
reconfigure the software firewall to stop bugging you about it.
And if it’s not legitimate, then of course, you’ll want to address the