Tracing route to wikipedia.org [91.198.174.192]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     1 ms    <1 ms    <1 ms  192.168.55.1
  3     4 ms     1 ms    <1 ms  192.168.11.1 

Here are the first lines of the tracert wikipedia.org command. The first entry is the IP of my home router, which does not surprise me, but what are the other 2? Are they IP addresses of routers that my internet provider has set up somewhere near me to be able to connect me and others (neighbours) to his servers? Or is it still my router with different interfaces?

If someone could explain this, I would be grateful. Thanks.

Fernando
  • Assuming your home router is connected to your ISP's equipment, your ISP uses an internal network between you and your public gateway. You are seeing their internal network. Tracert follows the network path, it won't fan out to unrelated neighbors like unrelated interface on your router or other subscribers to your ISP, or other ISP routers that are not on the path between you and your public gateway. The routers between you and your public gateway know the route and will send your traffic along it, so your traffic does in fact pass through those hops. – Frank Thomas Feb 25 '21 at 23:15
  • Also note, the interface receiving the traceroute signal will send the ICMP TTL Exceeded message that tracert uses. Interfaces that send that traffic on (on the other side of the router) will not send the message, because the TTL will not be decremented until it's received on the next router interface. – Frank Thomas Feb 25 '21 at 23:22
  • Thanks for your answer @FrankThomas, everything that you wrote here seems about right and makes perfect sense, but there is still one thing that I find weird about this. If I try to scan all ports on the address range of 192.168.55.1-254, it finds an IP with an open http port and when I open it in my browser, it shows the login page to my router. With provided credentials, I can log in without any problems. So the IP from the second line of that tracert log still belongs to my home router. That's why I thought it might be a second interface or something. – Fernando Feb 25 '21 at 23:49
  • On the other hand I cannot tell the same about the third IP, as it also has an IP with an open http port, but when I visit that website it's just a popup login window that asks for user/password. None of my used or default credentials work. So is it possible that this is the ISP's router? – Fernando Feb 25 '21 at 23:49
  • @Fernando: But the port scan doesn't give you `192.168.55.1`, does it? It'll give you some _other_ `192.168.55.x` address, right? – u1686_grawity Feb 26 '21 at 09:10
  • @user1686 Yes, exactly. – Fernando Feb 26 '21 at 17:30
  • @Fernando: Then your conclusion only applies to that _other_ address, not to the .1 one, as well. – u1686_grawity Feb 26 '21 at 17:34

2 Answers

1

> Are they ip addresses of routers that my internet provider has set up somewhere near me to be able to connect me and others (neighbours) to his servers?

1. Yes, they're IP addresses of routers. All hops in traceroute (except the very last one) are routers.

2. A private IP address does not mean it's a local address near you. It only means it's still within your ISP's boundaries (and even then, not always) – but it could be literally anywhere physically, and it could belong to any kind of device – even your ISP's biggest core routers could still have a 192.168.x.y address.

> Or is it still my router with different interfaces?

No, a router always produces only one traceroute reply. The entire routing device, not the individual interface, is what counts as a "hop".

> If I try to scan all ports on the address range of 192.168.55.1-254, it finds an IP with open http port and when I open it in my browser, it shows the login page to my router. With provided credentials, I can log in without any problems. So the IP from the second of that tracert log still belongs to my home router.

Yes, the 192.168.55.x address that you've found with Nmap indeed belongs to one of the router's interfaces. But that's not the same address as the one that shows up in traceroute!

The actual 192.168.55.1 address you see in traceroute is the ISP's router that is connected to your router's WAN interface.

[Diagram]

u1686_grawity
  • Thank you for your great explanation, it all makes sense now. :) – Fernando Feb 26 '21 at 20:37
  • nice diagram! clean and colorful. – Frank Thomas Feb 26 '21 at 23:17
  • A private IP address does not even mean it's still with an ISP (AS). Intermediate routes can return pretty much anything they want, and private IPs are very common for intranet routing. It's their routing table that governs so crossing one router in a traceroute doesn't necessarily mean the same router will be reached in the same route when the destination changes. – iBug May 10 '21 at 03:51
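
The hop behaviour described in the answer and comments above, as an added example that is not part of the original posts: a small model of TTL expiry showing why hop 2 is the ISP router's 192.168.55.1 while the home router's own WAN address in the same subnet never appears in the trace. The WAN address 192.168.55.23, the other egress addresses, the /24 prefix and the router names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    ingress: str  # interface facing the client side of the path
    egress: str   # interface facing the next hop

# Constructed topology. Only the three ingress addresses come from the
# tracert output in the question; every egress address is assumed.
PATH = [
    Router("home router", "192.168.0.1", "192.168.55.23"),
    Router("ISP router A", "192.168.55.1", "192.168.11.2"),
    Router("ISP router B", "192.168.11.1", "10.0.0.2"),
]

def probe(path, ttl):
    """Send one probe; return the source address of the ICMP Time Exceeded reply."""
    for router in path:
        ttl -= 1                   # TTL is decremented by the router that receives the packet
        if ttl == 0:
            return router.ingress  # modelled as in the comments: the receiving interface replies
    return None                    # probe travelled past every modelled router

def traceroute(path):
    """One probe per TTL value, as tracert does; one reply address per router."""
    return [probe(path, ttl) for ttl in range(1, len(path) + 1)]

def interfaces_in_subnet(path, hop_addr, prefix=24):
    """List every (router, address) that lives in the same subnet as a traced hop."""
    net = ipaddress.ip_network(f"{hop_addr}/{prefix}", strict=False)
    found = []
    for router in path:
        for addr in (router.ingress, router.egress):
            if ipaddress.ip_address(addr) in net:
                found.append((router.name, addr))
    return found

if __name__ == "__main__":
    for n, hop in enumerate(traceroute(PATH), start=1):
        print(n, hop)
    # Two different devices own addresses in hop 2's subnet, which is why a
    # scan of 192.168.55.0/24 can reach the home router's login page.
    print(interfaces_in_subnet(PATH, "192.168.55.1"))
```

A scan of a hop's subnet therefore tells you which devices share that link, not which device answered the traceroute probe.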
0

OK, let me re-try. The first IP address is yours. The second is most likely your service provider. The third is most likely wikipedia's server address.

Ethan O'Brien