TL;DR
Yes, it’s possible for devices with Local Area Network (LAN) IP addresses to be visible on the internet. This is usually a misconfiguration and poses a serious cyber security risk. Here’s how to check if your LAN IPs are exposed and what to do about it.
How To Check For Exposed LAN IPs
- Understand Your Network
- Your router assigns private IP addresses (like 192.168.x.x, 10.x.x.x, or 172.16-31.x.x) to devices on your home or office network – these are LAN IPs.
- These IPs shouldn’t be directly accessible from the internet. Your router acts as a gateway, translating them to a public IP address when communicating externally.
- Use an Online Scanning Tool
Several websites can scan for publicly visible ports on your public IP address. These scans can reveal if any services running on devices with LAN IPs are reachable from the internet.
- Shodan: https://www.shodan.io/ – Search for your public IP address to see what’s exposed.
- WhatIsMyIPAddress: https://whatismyipaddress.com/port-scan – Offers a simple port scan tool.
- Scan From Your Own Network (More Reliable)
Scanning from *within* your network is more accurate as it avoids potential issues with internet firewalls blocking the scan.
- Nmap: A powerful network scanner. Install it if you don’t have it already.
    sudo apt install nmap   # Debian/Ubuntu
    brew install nmap       # macOS (using Homebrew)
- Run a scan against your public IP address. First, find your public IP:
    curl ifconfig.me
  Then scan it:
    nmap -p 1-65535 <your_public_ip>
  This scans all ports (1 to 65535). It will take a while.
- Look for open ports that you don’t expect or recognise. Common culprits include remote desktop services (RDP), SSH, and file sharing protocols.
- Check Your Router’s Port Forwarding Settings
Port forwarding directs traffic from a specific port on your public IP to a specific device and port on your LAN.
- Log in to your router’s administration interface (usually via a web browser – check your router’s manual for the address, often 192.168.1.1 or 192.168.0.1).
- Navigate to the “Port Forwarding,” “Virtual Server,” or similar section.
- Review all configured port forwarding rules. Remove any unnecessary rules that expose LAN IPs directly to the internet.
- UPnP (Universal Plug and Play)
UPnP allows devices on your network to automatically open ports in your router’s firewall. This can be convenient, but also a security risk.
- Disable UPnP in your router’s settings if you don’t need it.
- Firewall Configuration
Ensure your router’s firewall is enabled and properly configured. Most routers have a basic firewall enabled by default, but check the settings.
- Device Security
- Keep all devices on your network updated with the latest security patches.
- Use strong passwords for all accounts.
- Consider using a separate guest network for visitors to isolate them from your main network.
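
For the Nmap step above, this added example (not part of the original article) parses Nmap's grepable output, produced by adding `-oG` to the scan command, and lists open ports that are not on your expected list, labelling the services the article names as common culprits. The sample scan output, the address 203.0.113.10 and the function names are constructed for illustration.

```python
import re

# Ports the article names as common culprits: SSH, file sharing, RDP.
RISKY = {22: "SSH", 139: "NetBIOS file sharing", 445: "SMB file sharing", 3389: "RDP"}

# Constructed sample of `nmap -p 1-65535 -oG - <your_public_ip>` output.
# 203.0.113.10 is a documentation address, not a real host.
SAMPLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "3389/open/tcp//ms-wbt-server///, 8080/filtered/tcp//http-proxy///"
    "\tIgnored State: closed (65531)\n"
)

def open_ports(grepable):
    """Return {host: [(port, proto, service), ...]} for ports in state 'open'."""
    result = {}
    for line in grepable.splitlines():
        m = re.match(r"Host: (\S+).*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port list
        host, ports = m.groups()
        for entry in ports.split(","):
            # Field layout: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                result.setdefault(host, []).append(
                    (int(fields[0]), fields[2], fields[4]))
    return result

def unexpected(grepable, expected):
    """List open (host, port, proto, label) entries missing from `expected`."""
    findings = []
    for host, ports in open_ports(grepable).items():
        for port, proto, service in ports:
            if (port, proto) not in expected:
                label = RISKY.get(port, service or "unknown")
                findings.append((host, port, proto, label))
    return sorted(findings)

if __name__ == "__main__":
    # Assumption: only HTTPS is intentionally published from this network.
    for host, port, proto, label in unexpected(SAMPLE, {(443, "tcp")}):
        print(f"{host}: unexpected open {port}/{proto} ({label})")
```

Each port it reports should correspond to a port forwarding rule or UPnP mapping on the router that you can review and remove.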

