
Why Is My Firewall Software Alerting Me to a Connection Attempt from an Address like 192.168.1.1?

Question:

I have a software firewall on trial. One penetration attempt the program
consistently blocks is from IP 192.168.0.105. This attempt is incessant and for
the moment I’ve turned off the reports. However, if it’s a legitimate probe, I
need to let it through. Our router IP is 192.168.0.101, so that’s close to the
“culprit”. So, how do I determine whence cometh the IP address the firewall
doesn’t like?

One of the common annoyances with software firewalls is exactly this: that
you may get repeated notification of access attempts, with no real sense of
where they’re really coming from, and whether or not they’re legitimate.

In this case, I can’t really say whether it’s legitimate.

But I can say that the IP address is closer than you think.


The IP address range 192.168.x.x is never seen on the internet. By
definition that range and a couple of others are reserved specifically for
local area networks.

Your router’s internet-facing connection has a real internet address. But
the inward-facing connection on which your computer and perhaps others are
connected will have an IP address like you’ve seen: 192.168.0.101 is one common
default configuration for routers.

The router also assigns the IP addresses for the machines on your local
network from that same range. It then also takes care of translating between
the “real” internet IP address and the local network IP addresses as data flows
to and from the internet.


What that implies is that 192.168.0.105 is a machine on your local
network.

So the next step is pretty easy: check the IP addresses assigned to the
machines on your network and you’ll quickly find out which machine is the
culprit. My favorite way to get the IP address is to open a Windows Command
Shell and type in “ipconfig” followed by Enter;
you should get something much like this:

Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

Here you can see my router is assigning from the “192.168.1.*” range, but
it’s the “192.168” part that shows that I’m behind a router performing this
network address translation or “NAT”.

Now, there’s an interesting scenario you might run into and that’s this: you
might find that the IP address is that of the very machine you have your
firewall installed on. There are a couple of reasons that might be:

  • What you’re seeing could be a warning relating to an outgoing
    connection attempt. Your machine is attempting to connect to some remote
    machine in a way that your firewall has been configured to block. Without
    knowing more about the connection attempt details it’s almost impossible to say
    whether this is good or bad.
  • Sometimes software will attempt to “connect to itself” using the network –
    so even though my machine might be at IP 192.168.1.2, it’s possible that
    software running on that machine might try to make an outbound connection to
    … 192.168.1.2, which is, of course, itself. That’s totally valid, but it might
    be seen as either an incoming or outgoing connection attempt that your firewall doesn’t like.

Regardless of the reasons, and be it from your own machine or another
machine on your local network, understanding the alert is the first step.
Hopefully the firewall will include additional information like the “port” the attempt is
being made on, which will often tell you what it’s trying to do. For outgoing
alerts, the firewall should also be able to tell you what software or service
on your machine is requesting the connection. If the firewall’s not giving
you that information in the alert, then check any logs that the firewall might be
creating.
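
The check described above (compare the address in the alert with your own ipconfig values), as an added example that is not code from the original article: it parses the ipconfig output shown earlier and reports where an alert's source address sits relative to this machine. The function names and the extra sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input: the ipconfig output shown in the article.
IPCONFIG_SAMPLE = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

LABELS = {"ip": r"IP(?:v4)? Address", "mask": "Subnet Mask", "gateway": "Default Gateway"}

def parse_ipconfig(text):
    """Return the first address, mask and gateway found in ipconfig output."""
    found = {}
    for key, label in LABELS.items():
        m = re.search(label + r"[ .]*:\s*(\d+(?:\.\d+){3})", text)
        if m is None:
            raise ValueError(f"no {key} found in ipconfig output")
        found[key] = m.group(1)
    return found

def classify_source(alert_ip, ip, mask, gateway):
    """Say where the address named in a firewall alert sits relative to this PC."""
    src = ipaddress.ip_address(alert_ip)
    lan = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if src.is_loopback or src == ipaddress.ip_address(ip):
        return "this machine"
    if src == ipaddress.ip_address(gateway):
        return "your router"
    if src in lan:
        return "another device on your LAN"
    if src.is_private:
        # Reserved for local networks, but not the subnet this PC is on.
        return "private address outside your subnet"
    return "public internet address"

if __name__ == "__main__":
    cfg = parse_ipconfig(IPCONFIG_SAMPLE)
    for alert in ("192.168.1.2", "192.168.1.1", "192.168.1.7", "192.168.0.105", "8.8.8.8"):
        print(f"{alert:15} -> {classify_source(alert, **cfg)}")
```

A result of "this machine" corresponds to the self-connection cases in the list above; "another device on your LAN" means the next step is to run ipconfig on the other machines until you find the match.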

Using that information you can make a call as to whether or not the activity
behind the alert is legitimate. If it is, and the alert is just an annoyance,
then it’s time to reconfigure the software firewall to stop bugging you about it.

And if it’s not legitimate, then of course, you’ll want to address the
underlying cause.


7 comments on “Why Is My Firewall Software Alerting Me to a Connection Attempt from an Address like 192.168.1.1?”

  1. If you have a wireless connection it’s possible that someone else has hacked into your network and is trying to break into your computer.
    I thought I should mention it because it happened to me once…

  2. One more point – It could be a hacker connected to your LAN through your router’s WiFi connection. Is your router’s wifi security enabled? Is it WEP – which is easily broken? If your LAN does not have a PC with IP .105, this could be the case.

    Quickly enable WPA security on your router. If that is not possible, change your router to one that gives this level of security. Another protection is to enable MAC filtering on your router to allow only those devices whose MAC is known to you and you have configured it on your router.

    If you are not using WiFi, just disable radio on your router.

  3. Uhm, Rahul, that is what I meant with my first post ;-)
    I probably wasn’t clear enough, sorry.
    Anyway, forget mac filtering too, it isn’t secure either, trust me…

  4. Actually, since I was the author of the query to Leo about this issue, I thought it might be helpful to announce that Leo is (as is almost always the case) dead on in his remote analysis. The IP address at issue does, in fact, belong to a member of our LAN; namely, our Dandy Dell Laptop. However, I for one, at least, appreciate the additional comments provided above in re WiFi et al!

  5. If someone is using your wifi connection, he/she will be on your LAN with an appropriate IP from your LAN’s DHCP. An extreme measure I would like to mention would be to close down DHCP and take complete charge of assigning fixed IPs to equipment on the LAN. However, this gets too complicated for anything but a trivially small LAN – e.g. a home network would be an ideal candidate. I use this for my home network along with other safeguards. The only issue I have faced till now is adding a friend’s laptop when he/she visits, but that is trivial. I assign another IP when I permit the MAC on the network. Oh and one more thing, if a friend does not want me to mess with his/her computer for IP assignment, no connection for that PC.

  6. OK HERE GOES. I HEARD A LOT OF DONGING GOING ON IN THE LIVING ROOM AND CAME INTO MY COMP. ROOM TO SEE YAHOO PAGE BEING ACCESSED REPEATEDLY AND THE HTTP AREA WAS SAYING VIEWATDMT.COM IFR/VIEW/ AND AN EIGHT DIGIT NUMBER/DIRECT.
    WAS THIS SOMEONE TRYING TO ACCESS MY COMP.?
    I KNOW SOMEONE WHO IS A ROCKET SCIENTIST WHO IS OBSESSED WITH ME AND KNOWS MY BACK DOOR INFO. WHEN HE TRIED TO FIX MY COMP. ONCE. CAN HE BE WATCHING MY EVERY MOVE I MAKE ON MY COMP.? HE IS CREEP TOO

    All sorts of things are possible. Sounds like you need to get your computer checked out by someone knowledgeable that you trust.

    – Leo
    03-Dec-2008
  7. Thanks a lot for the advice, I really had to laugh when you explained this. I could not believe it was my own machine. I now have reconfigured my firewall to ignore this rule.
    “Eset smart security was the real culprit though”

    Thank you so much for the help, it saved me a lot of worries.

