I have recently seen in gateway firewall is reporting
detected ICMP TIMESTAMP attack from 192.168.0.112. Dropped 2841 packets.
where 192.168.0.112 is my homeassistant ip, this has started @ 18 June which I believe is when I upgraded to 2025.6.0
This is happening approx @ every 10 mins
Is there a way to fix this on HA end or do I need to add a firewall rule to ignore this?
Are you using uptime monitoring integrations? Maybe Ping (ICMP), etc?
I don’t have the Ping integration setup , but I do have Uptime Kuma, So I am looking into that. However I have had this setup for months and this has only started appearing oin firewall logs since @ 18 june
Ah, I only installed Kuma yesterday by chance.
Can we assume that Kuma and HA are both running on the same host IP via docker? Does the problem stop if you bring Kuma down?
So yes Uptime Kuma running on same host as a HACS add-on, I stopped Uptime Kuma service , but still saw the error in my firewall log, so seems it’s not that
Sorry for all the Q’s. What firewall is it as it seems it might have an IDS component added as that’s not a standard firewall activity, that I can tell? I have SNORT here and I can run some tests.
Its a TP-Link ER605 Router, with standard Firewall config I’ve not modified it , and its controlled via a omada controller.
I have just looked in the HA Core logs and the only thing that correlates with the timing is the BMW connected intergation , which is throwing this issue
Logger: bimmer_connected.api.client
Source: components/bmw_connected_drive/coordinator.py:74
First occurred: 12:30:34 (1 occurrence)
Last logged: 12:30:34
MyBMWAPIError due to HTTPStatusError: {"message":"Request Timeout","statusCode":408}```
So I'm waiitng to see if the next time this error is triggered , it matchesnope false alarm, got the log error in firewall but not the BMW connected error in HA logs
Yeah, that’s not a standard router, it has a number of security functions (SPI, DoS protection…), in the firewall, as well as a VPN.
It just means that most HA users will never see alerts such as this.
I’ll keep digging. Already trying to trigger SNORT by passing a ICMP-TS request through it…
I’ve had this router for aages, however, you might be on to something, I think there may have been a recent firmware update, which might only now be alerting on this report, trying to find the release notes now
I tried triggering an alert through Snort for an ICMP-TS event, but it seems to be filtered as it’s a false positive, so I can’t repro this here if I can’t detect it.
So I found the release notes
2.3.0 Build 20250428 Rel.18967
Version Info:
Firmware for ER605(UN) 2.20. This firmware is fully adapted to Omada Controller V5.15.20.
Minimum FW Version for Update: 2.2.3 Build 20231201 Rel.32918 and above, for downloading of any firmware version, please refer to Omada Download Center.
New Features:
1.SD-WAN
2.Domain name supported for OpenVPN and Wireguard VPN
3.Virtual WAN
4.Disable NAT
5.Google LDAP
6.LAN DNS
7.FQDN/Wildcards WAN DHCP Option
Enhancements:
1.Optimized CPU utilization.
2.Optimized the time to enable backup link.
3.Optimized booting time.
4.Optimized the time to dial up the WAN link.
5.Optimized the time to upgrade FW.
6.Optimized the time to generate OpenVPN profile.
Bug Fixed:
1.Fixed the HTTPS redirection exception in standalone mode.
2.Fixed the issue where the static route for L2TP VPN doesn't take effect after re-enabling L2TP VPN.
3.Fixed the WOL exception when dropping some unknown unicast packets.
4.Fixed the issue where the PPTP VPN would occasionally disconnect.
5.Fixed the issue where the manual ISP profile for USB modem cannot be saved.
It does seem the log messages in the firewall correlate to the last time my router rebooted which was when I did the upgrade , so the reported scenario is likely false positive coming from my firewall so i will create a rule to supress for that host
Use wireshark to see what ICMP packets it complains about.
trying to use tshark on HA itself but having issues will come back to when I can get them resolved. Tried using the packet capture in the Omada controller UI but that is not working either for some reason.