4

I know that the IP addresses in the range 192.168.0.0 - 192.168.255.255 are reserved for use on private networks.

My system IP is in the 10.*.*.* range (private). It is connected to our corporate Intranet and it further connects to the Internet through a proxy. When I try to check my IP (by accessing http://whatismyip.org/ for example), it shows the IP as 192.168.x.x (i.e. in private range). How can this be possible?

Is it acceptable to use the IPs in the private range as a public IP? Does it mean that there is no NAT happening before the requests leave our internal network?

Dennis Williamson
cdoe
  • 3
    It looks like whatismyip may be messing up your public IP address. The private IP addresses are not routable on the public internet. – Milhous Aug 21 '09 at 13:56
  • I checked with some other sites as well (http://dynamic.zoneedit.com/checkip.html), and the result is the same! :-/ –  Aug 21 '09 at 14:10
  • Correct me if I'm wrong, but the wording of this question makes it sound like another homework one... – Maximus Minimus Aug 22 '09 at 22:24

5 Answers

6

Any IP can be routed. But a network admin or an ISP that's worth their salt will block the egress/ingress of packets sourced from or destined for those addresses at the edge of their network.

There is no good that can come of allowing that traffic in or out of your network. Apply:

Extended IP access list 111
    10 deny ip 127.0.0.0 0.255.255.255 any
    20 deny ip 224.0.0.0 31.255.255.255 any
    30 deny ip 10.0.0.0 0.255.255.255 any
    40 deny ip 172.16.0.0 0.15.255.255 any
    50 deny ip 192.168.0.0 0.0.255.255 any

to the outbound interface of your edge router. Reverse for the inbound.

Greeblesnort
  • 3
    There are some global resources available on multicast, so you may want to adjust the 224 range to allow for those services. – chris Aug 21 '09 at 15:00
  • Oh, and you probably would want to add the zero config / local-link addresses of 169.254.0.0/16 to the list of addresses that shouldn't be seen on your wan port... – chris Aug 21 '09 at 18:40
  • heh, I'd hate to see the network configuration that would allow the 169.254/16 addresses into the network =) – Greeblesnort Aug 23 '09 at 01:41
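
To check which source addresses the access list in this answer would catch, the following added example (not part of the original answer) evaluates the entries using wildcard-mask matching. Entry 60 is constructed here to cover the 169.254.0.0/16 range suggested in the comments, and the test addresses are constructed samples.

```python
import ipaddress

# Entries 10-50 are the ACL from the answer above; entry 60 is constructed
# here to cover the 169.254.0.0/16 link-local range suggested in the comments.
ACL_TEXT = """\
10 deny ip 127.0.0.0 0.255.255.255 any
20 deny ip 224.0.0.0 31.255.255.255 any
30 deny ip 10.0.0.0 0.255.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.168.0.0 0.0.255.255 any
60 deny ip 169.254.0.0 0.0.255.255 any
"""

def parse_acl(text):
    """Parse 'seq action ip base wildcard any' lines into integer tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, action, _proto, base, wildcard, _dst = line.split()
        entries.append((int(seq), action,
                        int(ipaddress.IPv4Address(base)),
                        int(ipaddress.IPv4Address(wildcard))))
    return entries

def first_match(entries, src):
    """Return (seq, action) of the first entry matching source address src.

    In a wildcard mask a 1 bit means "ignore this bit", the inverse of a
    netmask. None means no entry matched; on a real router such a packet
    reaches the implicit deny unless a permit entry follows.
    """
    addr = int(ipaddress.IPv4Address(src))
    for seq, action, base, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF  # bits that must be equal
        if (addr & care) == (base & care):
            return seq, action
    return None

ENTRIES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed source addresses; 198.51.100.7 is a documentation address.
    for src in ("10.4.5.6", "172.31.255.1", "172.32.0.1", "192.168.1.20",
                "169.254.10.1", "239.1.1.1", "198.51.100.7"):
        print(src, first_match(ENTRIES, src))
```
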
2

Private IPs cannot be routed on the Internet. Some proxies though will include your private IP as an HTTP header when connecting to public sites. It's then possible for those public sites to display your private IP address. Whether whatismyip.com is doing this, I do not know.

If a gateway router receives a packet destined for a private IP address it will just drop the packet, because there's nothing it can do.

Kevin Kuphal
CalebD
  • Usually the header is X-Forwarded-For. http://en.wikipedia.org/wiki/X-Forwarded-For –  Aug 21 '09 at 14:06
  • FWIW, serverfault does this too, if you check your user page you can see an internal IP, assuming you are behind an HTTP proxy. – ThatGraemeGuy Aug 21 '09 at 14:43
  • 1
    "Public IPs cannot be routed on the Internet", don't you mean "Private"? Besides, they _can_ be routed and are routed by some ISPs. But a best practice is to drop any private addressed packages in Internet routing, and most do. – Andrioid Aug 21 '09 at 14:46
  • This is really not true -- there is no difference between 192.168.123.123 and 12.19.30.123 as far as the internet is concerned. The RFC1918 space is simply a convention that everyone agrees to, so we drop traffic from the "public" interfaces of our routers that has a destination of 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16. Instead of "can't" it is "don't" – chris Aug 21 '09 at 14:56
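
The header behaviour described in this answer and its comments can be seen from the receiving site's side in the following added example (not part of the original answer). It compares the TCP peer address with the X-Forwarded-For header and lists any RFC 1918 addresses a proxy has disclosed; the function names, the header dictionary and all addresses are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr is an IPv4 address inside one of the RFC 1918 ranges."""
    return addr.version == 4 and any(addr in net for net in RFC1918)

def parse_xff(value):
    """Split an X-Forwarded-For value into addresses, skipping junk tokens.

    The header is set by proxies (or by the client itself), so tokens that
    are not valid IP addresses, such as "unknown", are ignored.
    """
    hops = []
    for token in value.split(","):
        try:
            hops.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            continue
    return hops

def describe_request(peer_ip, headers):
    """Summarise what a site learns from one request.

    peer_ip is the source address of the TCP connection, i.e. the address
    that was actually routed. headers is a dict of request headers and is
    assumed to use the canonical "X-Forwarded-For" spelling.
    """
    hops = parse_xff(headers.get("X-Forwarded-For", ""))
    return {
        "connection_ip": peer_ip,
        "header_first_hop": str(hops[0]) if hops else None,
        "internal_addresses": [str(h) for h in hops if is_rfc1918(h)],
    }

if __name__ == "__main__":
    # Constructed request: a proxy at 203.0.113.9 forwarding for 192.168.14.7.
    print(describe_request("203.0.113.9",
                           {"X-Forwarded-For": "192.168.14.7"}))
    # Constructed request with no proxy header at all.
    print(describe_request("203.0.113.9", {}))
```

A site that displays `header_first_hop` rather than `connection_ip` shows a private address even though only the proxy's public address ever crossed the Internet.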
2

You probably don't connect directly to whatismyip.com but via a firewall or proxy. In that case, whatismyip should display the IP of said proxy. Maybe they are smart and examine the HTTP header which might still contain your private IP.

Or whatismyip.com is so close (from your ISP's point of view) that the private address range does in fact resolve. ISPs usually don't filter private address ranges; they rely on the fact that replies won't make it back home (since the routers on the way have no idea where to send the package). But some network components are "smart" and remember "hey, that address range always comes from there" and try to send packets back.

Also, someone within the company could have created a local copy for http://whatismyip.org/ which resolved addresses internally.

Aaron Digulla
  • I just tested it and the IP address on Whatismyip.org is not your X-Forwarded-For, it is indeed your public IP address. If I go to Whatismyip.COM it shows my Public IP address and below it mentions a possible proxy, which is actually my X-Forwarded-For address. – Brett G Aug 21 '09 at 15:06
1

Martian Packets

What you see are probably martian packets which might arise from network equipment malfunction or misconfiguration. If you listen on the WAN interface of your border router with a packet sniffer like tcpdump you might watch those packets directly.

esc1729
0

I haven't heard about whatismyip.org, I've always used whatismyip.com (note the TLD). Curiously, the '.org' one gives my local number, while the '.com' one gives the external IP.

Javier