I have a cable modem to comcast, going into a Linksys E2000 router, which I have flashed with Tomato Firmware v1.28.7493 MIPSR2-Toastman-RT K26 Std. That was about a week ago, and so far things seem to be working well. I have assigned a few static DHCP entries and a few are still fully automatic, and I can identify each and every client on my LAN, where all clients have IPs in the 192.168.1.* range. But there is one exception: When I look in the QoS transfer rates section, I often see connections FROM 192.168.1.136 to weird external IPs, like channel-jw-13-01-snc7.tfbnw(dot)net (22.214.171.124). Traffic involving 192.168.1.136 seems to be fairly low in volume: IP traffic monitoring has counted about 100KB downloaded per day, and nothing uploaded from 192.168.1.136. A lot of the traffic is for port 443, which I think means https (?).
TCP from 192.168.1.136:4469 to channel-jw-13-01-snc7.tfbnw(dot)net (126.96.36.199:443), rate 0.0
TCP from 192.168.1.136:1110 to channel-jw-13-01-snc7.tfbnw(dot)net (188.8.131.52:443), rate 0.0
This really bugs me, because no HW (MAC) address is associated with this IP. If I run arp in the Tomato command window, it lists a MAC for every other IP, but for 192.168.1.136 it says <incomplete>:
? (192.168.1.136) at <incomplete> on br0
Can someone please explain to me what's going on? Is this unsolicited incoming traffic from the WAN which is directed at a computer on my LAN which formerly had this IP, but which currently has a different IP? Or does this mean there is some trojan or rootkit on one of my PCs?
I have tried to drop inactive connections, that usually removes the 192.168.1.136 entries, but not for long - they eventually reappear after a few minutes. Sometimes there is a burst of activity with lots of connections "from" 192.168.1.136, but oftentimes it is just one or two to thefacebooknetwork. I also tried to reset the router, but the stuff still comes back.
What can I do? I was thinking of trying to add TCPdump to tomato, or of inserting a mirroring switch and Wireshark between my E2000 and the cable modem, but maybe someone can explain to me what's going on instead … ?
P.S. I would be happy to attach some images of Tomato, but the forum won't let me do this (yet).