Why is tracert showing a private IP address right after my router, even though it has a public IP?

12

8

Here is a log of tracert superuser.com from my computer:

Tracing route to superuser.com [198.252.206.16]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  192.168.1.1 
  2    11 ms    17 ms     9 ms  10.216.128.1 
  3    12 ms    17 ms    14 ms  89-75-22-81.infra.chello.pl [89.75.22.81] 
  4    23 ms    17 ms    17 ms  84.116.192.102 
  5    18 ms    18 ms    15 ms  pl-krk01a-rd4-ae0-2183.aorta.net [84.116.253.70] 
  6    20 ms    16 ms    15 ms  pl-waw04a-rd1-ae12-2158.aorta.net [84.116.252.225] 
  7    15 ms    15 ms    15 ms  84.116.135.225 
  8    17 ms    19 ms    24 ms  henet.plix.pl [195.182.218.197] 
  9    34 ms    44 ms    49 ms  10ge1-2.core1.prg1.he.net [184.105.213.241] 
 10    33 ms    44 ms    34 ms  10ge15-3.core1.fra1.he.net [184.105.213.233] 
 11    45 ms    51 ms    48 ms  100ge5-2.core1.par2.he.net [72.52.92.13] 
 12   161 ms   163 ms   156 ms  10ge15-1.core1.ash1.he.net [184.105.213.93] 
 13   131 ms   124 ms   124 ms  100ge7-1.core1.nyc4.he.net [184.105.223.166] 
 14   121 ms   121 ms   121 ms  10ge4-1.core1.nyc5.he.net [184.105.213.218] 
 15   122 ms   120 ms   121 ms  lightower-fiber-networks.10gigabitethernet3-2.core1.nyc5.he.net [216.66.50.106] 
 16   122 ms   123 ms   121 ms  ae12.nycmnyzrj91.lightower.net [64.72.64.110] 
 17   122 ms   120 ms   122 ms  ae2-jrcynj67j41.lightower.net [72.22.160.175] 
 18   123 ms   123 ms   122 ms  69.46.229.98.lightower.net [69.46.229.98] 
 19   124 ms   123 ms   123 ms  stackoverflow.com [198.252.206.16] 

Trace complete.

The first entry (192.168.1.1) is my router, which does not surprise me. What is weird is the second entry, 10.216.128.1, which shows even when doing the traceroute from my router or when the computer is directly connected to the internet. My router has a public IP — is my ISP violating the IP standard? Would such configuration prevent me from using the 10.216.128.x range in my own network?

There is a diagram in an answer to a related question which does not really answer mine — my router knows nothing of the 10.216.128.x network, and the hop shows even when tracerting other hosts on its subnet, which the router should theoretically be able to contact directly:

Tracing route to 89-66-132-2.dynamic.chello.pl [89.66.132.2]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  192.168.1.1 
  2    27 ms    11 ms    10 ms  10.216.128.1 
  3    18 ms    21 ms    18 ms  89-66-132-2.dynamic.chello.pl [89.66.132.2] 

Trace complete.

What is funny is that this private IP does not show up when tracerting the gateway:

Tracing route to 89-66-132-1.dynamic.chello.pl [89.66.132.1]
over a maximum of 30 hops:

  1     3 ms     2 ms     2 ms  192.168.1.1 
  2    10 ms    11 ms    11 ms  89-66-132-1.dynamic.chello.pl [89.66.132.1] 

Trace complete.

while tracerting an address which is not even in the same network it shows up again, while the gateway seemingly disappears:

Tracing route to 89-69-109-1.dynamic.chello.pl [89.69.109.1]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  192.168.1.1 
  2    12 ms    14 ms    12 ms  10.216.128.1 
  3    16 ms    15 ms    21 ms  89-69-109-1.dynamic.chello.pl [89.69.109.1] 

Trace complete.

kinokijuf

Posted 2014-07-07T10:09:32.293

Reputation: 7 734

1

possible duplicate of private address in traceroute results

– kinokijuf – 2014-07-07T10:34:38.950

You say you have a public IP. When you do ipconfig on your computer does it show a public IP? Is your "router" set to "bridge mode" (that might be a requirement for having a public IP) – barlop – 2014-07-07T10:42:49.367

@barlop I have a public IP on my router, not my computer. – kinokijuf – 2014-07-07T10:43:13.270

Perhaps you should reword your title to Why do I have a private IP directly after router, in tracert results? That makes it a different question to http://superuser.com/questions/611736/private-address-in-traceroute-results There is a diagram in the answer to that question but it doesn't really answer yours.

– barlop – 2014-07-07T10:51:27.463

Can you http to 10.216.128.1 ? – barlop – 2014-07-07T10:54:48.687

@barlop no, nothing — not even ping or tracert it. – kinokijuf – 2014-07-07T11:00:27.057

OR, you could word it as "how can I be going straight from my private IP, to my ISP's private IP?" Your question as it is, looks like a duplicate but isn't really. And because of that - looking like a duplicate, it has 2 votes to close it. You could also point to that question and say it's not the same 'cos your one has a private IP directly after, so for example, the diagram in the answer to that question doesn't seem to apply to you. – barlop – 2014-07-07T11:01:32.373

There is absolutely nothing stopping there being an interim private network between the internet and a public IP. It is just being routed across a privately addressed segment. – Paul – 2014-07-07T11:04:17.447

@Paul yes, I already know it, but router should be able to access 89.66.132.x directly according to the netmask – kinokijuf – 2014-07-07T11:05:30.863

What evidence do you have that your router has a public IP assigned to it? – David Schwartz – 2014-07-07T11:05:56.890

@DavidSchwartz Try to RDP into 89.66.132.177 ;) – kinokijuf – 2014-07-07T11:13:56.503

@kinokijuf That proves that traffic to that IP address reaches your router, but it doesn't prove that that IP address is assigned to your router. It could be assigned to a device ahead of your router. (Compare a forward traceroute from your network with a traceroute to your network from the outside.) – David Schwartz – 2014-07-07T11:15:36.763

@DavidSchwartz um, my router reports it as its IP address… – kinokijuf – 2014-07-07T11:17:08.217

@DavidSchwartz ok, now try to tracert to me and report whether you see anything weird – kinokijuf – 2014-07-07T11:17:58.413

@DavidSchwartz I suppose his router interface and www.whatismyip.com report 89.66.132.177 as his public IP since one can RDP. It's clearly his isn't it - and port forwarding he must have set up. Unless perhaps you think all the devices between him and that are private.. But then.. wouldn't that be the ISP using a private IP, over a WAN? Aren't Private IPs only meant to be used on LANs.. WANS are I suppose (at least in this case), internet infrastructure? – barlop – 2014-07-07T12:23:51.697

@DavidSchwartz If one accepts what appears to be your suggestion that his router's public IP might not be that 89 address. If his router is R1 and his WAN side IP is 10.x.y.1 there's a cable from that to his ISP's R1 at interface i1 I guess you think that's also a 10.x.y.1 address. But can an ISP use a private IP on a WAN? – barlop – 2014-07-07T12:38:17.070

@kinokijuf Here are the results of a tracert to your IP The last IPs to you are- 84.116.192.101, 89.75.22.82, , 89.66.132.177. So, no private IPs there. Maybe you have a very funny router and it affects traffic going out. Try another router and you may find the 10 address goes. – barlop – 2014-07-07T12:39:30.353

@barlop Yes, they can. This is not particularly uncommon. One annoying side-effect is that ICMP errors may have a private source address (as seen here). Cisco addressed this by giving you a specific command to set the source address of ICMP errors, but not everyone uses it or uses devices that support it. – David Schwartz – 2014-07-07T12:43:25.317

@DavidSchwartz When they do it, using a private IP publicly, is it not abiding by / is it breaking, RFCs/TCP/IP guidelines/rules? (Note, I still think it may just be a funny router he has (and should try with another router) 'cos tracert to him showed no privates) – barlop – 2014-07-07T12:47:32.680

@barlop They don't use it publicly -- only to their own customers. His link to his ISP is part of his ISP's network. It's perfectly fine to use local address space with your own customers. (And many ISPs do so.) – David Schwartz – 2014-07-07T12:49:39.130

Answers

18

The line 89-75-22-81.infra.chello.pl at the top of the traceroute suggests you are using a cable connection. Chello is a brand formerly used by UPC, a cable internet service provider. The appearance of an IP address in a private range immediately after your local network is normal for cable connections.

The address 10.216.128.1 belongs to a cable modem termination system (CMTS). It is sometimes referred to as a Universal Broadband Router (uBR), though I believe that is exclusively a Cisco term. Its function is roughly equivalent to that of your cable modem. Only part of your internet connection runs via the coaxial cable between you and your ISP. At home, your cable modem translates between coax interfaces on one side and ethernet interfaces on the other. In the same way, your provider hooks up the coax cables to the rest of their infrastructure via a CMTS. The main difference between the two pieces of equipment is that a single CMTS often serves thousands of cable modems. Even the tiny Cisco uBR7100 below can handle up to 2000 clients.

uBR7100

The subscriber side of a CMTS is basically a dead end in the infrastructure and does not need to be available to anyone but the subscribers. It is therefore very practical for it to have an IP address in a private range, which is what you're seeing by executing a traceroute from your machine. This again is equivalent to your modem/router at home, which will have both a private and a public address. The private one appears on your traceroute: 192.168.1.1.

A trace to your address does not show 192.168.1.1 at the end, even though in both cases it is the same device responding.

15    40 ms    39 ms    39 ms  84.116.192.101
16    37 ms    37 ms    39 ms  89-75-22-82.infra.chello.pl [89.75.22.82]
17    45 ms    48 ms    45 ms  89-66-132-177.dynamic.chello.pl [89.66.132.177]

Trace complete.

Based on these traces, I've drafted the diagram below to visualise the network.

Network diagram

For the purpose of explaining the nuts and bolts of your connection to the internet, it is unfortunate that the CMTS does not decrease the packet's time to live in both directions (when the TTL runs out, hosts return an error message to the source, which is how traceroute compiles its list). This is not uncommon; like ordinary network switches, CMTSs operate on layer 2 of the OSI model, but not all CMTSs are configured this way. For example, a trace to me would list the following as the last hop before the destination (note the descriptive 'ubr' in the hostname):

213.51.138.75    emn-rc0001-ubr014-te3-0-0-202.core.as9143.net

Network-tools.com has a useful tool for executing a trace to yourself from elsewhere on the internet.

I've never actually worked with these kinds of systems, so my understanding of the subject is quite limited. Nevertheless, I hope I've been able to shed some light on why a private range IP address appears in your traces and what its purpose is.

Marcks Thomas

Posted 2014-07-07T10:09:32.293

Reputation: 5 749

1

@kinokijuf Did you read his answer? That's exactly what he says: "This again is equivalent to your modem/router at home, which will have both a private and a public address. The private one appears on your traceroute: '192.168.1.1'." Just as your device has a private address to "downstream" devices and a public address to "upstream" devices, so does the device upstream from it. – David Schwartz – 2014-07-07T13:12:52.550

It sounds like you know what you're talking about but due to the complexity, it is still a bit unclear as can be seen by the OP's comment to your answer. Perhaps you can include a diagram, such as the one used in the answer to this question http://superuser.com/questions/611736/private-address-in-traceroute-results i.e. showing each Router, and the IP on each interface of each router. Of course, in that question he didn't have 2 private IPs one after the other. And that's where a diagram showing what is happening would be useful.

– barlop – 2014-07-07T13:39:36.503

e.g. appearances aside. What is the (I won't say public IP in case it isn't) What is the WAN IP, of his router and is it on the same subnet as the 10/8 address that comes next in the traceroute. A diagram would be very helpful in clarifying what is happening. AFAIK you can't have a connection with an IP on one subnet at one end, and an IP on a different subnet on another end and no router in between. So connecting a 192 to a 10 or an 86 to a 10 sounds funny. – barlop – 2014-07-07T13:41:41.430

1

@barlop: That's a good note, I'll get to work on that in a moment. Thanks. – Marcks Thomas – 2014-07-07T13:45:00.143

1

Your diagram is wrong. I have determined that 89.75.22.82 is likely the WAN side of the CMTS, and 84.116.192.101 is the WAN side of the router whose subscriber side is 89.75.22.81. – kinokijuf – 2014-07-11T14:06:42.903

0

A traceroute works by sending packets, each with an increasing TTL (hop limit). Whenever the hop limit is reached the last router will send back an error message telling you about this. The IP addresses you see in a traceroute are what that router uses as its source address in the error message. Although both you and your final destination have public IP addresses it is perfectly possible for a router in between to use a private address when sending its error message.

There can be multiple reasons for this. One is that there is a link between two routers on the path that uses private addresses. That is not a problem. Another reason can be that one of the routers uses a private address as source address for these error messages even though it has a non-private address available as well. (Remember that the difference between public and private addresses is only in our heads. Technically they are both just addresses)

In your case I am guessing it is a combination of the following:

  • you are sending all traffic (even to the local subnet) through the default gateway
  • when doing a traceroute to that default gateway it is the final destination so the trace ends
  • when doing a traceroute to another destination the gateway will forward the packet but use a private address as source for error messages

If not this then the ISP might be doing some special routing/bridging. That can happen on e.g. cable networks.

Sander Steffann

Posted 2014-07-07T10:09:32.293

Reputation: 4 169
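
Since each hop in a trace is just the source address of an ICMP error, a trace can be audited by address range. The following is an added example, not code from any poster on this page: it parses Windows tracert output and labels each hop as RFC 1918, RFC 6598 shared space, public, or unanswered. The sample reuses the first hops of the question's trace plus one constructed timed-out hop; the function names are this example's own.

```python
import ipaddress
import re

# Sample input: first hops of the trace in the question, plus one constructed
# timed-out hop (hop 4) to show how unanswered probes are handled.
SAMPLE = """\
Tracing route to superuser.com [198.252.206.16]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  192.168.1.1
  2    11 ms    17 ms     9 ms  10.216.128.1
  3    12 ms    17 ms    14 ms  89-75-22-81.infra.chello.pl [89.75.22.81]
  4     *        *        *     Request timed out.
  5    18 ms    18 ms    15 ms  pl-krk01a-rd4-ae0-2183.aorta.net [84.116.253.70]

Trace complete.
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 (carrier-grade NAT)
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")                      # "<hop number> <rest>"
ADDR = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")   # address ending the line

def classify(addr):
    """Label an IPv4 address by the range it falls in."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "shared" if ip in SHARED else "public"

def parse_tracert(text):
    """Return (hop, address or None, label) for every hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue  # banner, blank line or "Trace complete."
        a = ADDR.search(m.group(2))
        addr = a.group(1) if a else None
        hops.append((int(m.group(1)), addr, classify(addr) if addr else "no-reply"))
    return hops

def upstream_private_hops(hops):
    """Private-range hops after hop 1, i.e. beyond the home router's LAN side."""
    return [(n, a) for n, a, kind in hops if n > 1 and kind in ("rfc1918", "shared")]

if __name__ == "__main__":
    print(parse_tracert(SAMPLE), upstream_private_hops(parse_tracert(SAMPLE)), sep="\n")
```

On the sample, only hop 2 (10.216.128.1) is reported as an upstream private hop, matching the address the question asks about.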

0

If the time of the hop is more than the following hop, for example:

  • address 1 102.34.56.72 1 ms
  • address 2 (private) 10.2.45.23 3 ms
  • address 3 102.34.56.72 1 ms
  • address 4 178.23.34.88 2 ms

Then I would suspect a man-in-the-middle (spoof), especially if the end addresses in the trace return no response. Usually, in a spoof attack, the address hop return time after the (spoof) private address, will begin over.

Chuck Salter

Posted 2014-07-07T10:09:32.293

Reputation: 1