Solved: Unknown servers on VLAN
-
@lewis you want really weird... It's when the DC uses public IP space internally that is not theirs ;)
Let's just say I know a DC (multiple actually) where they leverage some of the DOD space internally in the DC.. So while tracing stuff that is internal to the DC you might see rfc1918, rfc1918, DOD space IP, rfc1918, where you traced to..
You're like WTF ;) I tried telling them hey that's not really a good idea... But who am I, some lowly network engineer from some backwater LBU.. Who am I to question the almighty powers that be.. They don't need to get to those networks, none of their customers need to get to those networks (they hope).. And it frees up rfc1918 space they would have used that their customers can now use.. Now if those networks ever leaked out via BGP - they would be in some shit for sure..
I tried bringing it up multiple times - wasn't going to be a hill I died on, and just let it drop.. Ok you clearly know better than me ;) hehehe
edit: So I just scanned that 10 IP in my ISP network, and I get back this is open:
[22.01-RELEASE][admin@sg4860.local.lan]/var/db: nmap -Pn 10.52.33.194
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-15 10:34 CDT
Nmap scan report for 10.52.33.194
Host is up (0.013s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
646/tcp open ldp
Nmap done: 1 IP address (1 host up) scanned in 127.12 seconds
If I had to guess, since LDP is used for exchanging labels in an MPLS network, that is one of their routers and why I see it in my trace.. Now is that an optimal setup - prob not ;) But prob not a big deal because the only thing that could possibly get to that would be stuff internal to the ISP network, or clearly their customers ;) hehehe
-
@johnpoz LOL, sometimes we get into trouble just for being curious I guess. But on the other hand, if no one ever questioned anything, things would come apart. Where is the balance? In your pay level maybe? :)
-
DC tells me it's their own hardware and, as someone mentioned, because I was scanning all interfaces.
Thank you for the responses. Always learning :).
-
@lewis said in Unknown servers on VLAN:
because I was scanning all interfaces.
From the command you showed it wouldn't be scanning all interfaces, other than the interfaces you had that were in the networks you scanned. And then it would just send networks that were not directly attached out your default gateway. Which would be routed through your DC's network via your default gateway.
-
There are three NICs connected in the pfsense box.
One is WAN and two are LANs. All are of course routed internally so I'm sure LAN/WAN meet here and there. When I ran the nmap, I didn't specify an interface but I did specify a network.
-
@lewis said in Unknown servers on VLAN:
When I ran the nmap, I didn't specify an interface but I did specify a network.
Exactly - so if you scanned 192.168/16 and you had say 2 LAN networks of say 192.168.100/24 and 192.168.200/24
It would scan those 2 networks because they are directly attached, sending the traffic out those interfaces. But when it, say, scanned 192.168.101/24 out of your /16 it would have sent that to the default gateway out the WAN.
As to LAN/WAN meeting??
If you scanned 10/8 and you had no interfaces in a 10.x network and/or no other routes to get to 10.x then all of that traffic would have been sent to the default gateway.
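The route-selection logic described in this reply (directly attached networks go out their own interface, everything else is handed to the default gateway and so crosses the DC's network), as an added example that is not code from the thread. The routing table, the interface names lan0/lan1/wan0, and the gateway 203.0.113.1 are constructed assumptions mirroring the 192.168.100/24 and 192.168.200/24 example above; it also answers the 10/8 case in the same way.

```python
import collections
import ipaddress

# Constructed routing table (not from the thread): two directly attached LANs inside
# 192.168/16 and a default route out the WAN. Interface names and the gateway
# 203.0.113.1 are assumptions for illustration.
ROUTES = [
    ("192.168.100.0/24", "lan0", None),          # connected: delivered by ARP on lan0
    ("192.168.200.0/24", "lan1", None),          # connected: delivered by ARP on lan1
    ("0.0.0.0/0",        "wan0", "203.0.113.1"), # default: handed to the DC's gateway
]
PARSED = [(ipaddress.ip_network(n), ifname, gw) for n, ifname, gw in ROUTES]


def lookup(dst, routes=PARSED):
    """Longest-prefix match for one destination.

    Returns (interface, gateway). gateway is None when the destination is on a
    directly attached network, i.e. the scanner ARPs for it instead of forwarding.
    """
    addr = ipaddress.ip_address(str(dst))
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    _net, ifname, gw = max(candidates, key=lambda r: r[0].prefixlen)
    return ifname, gw


def egress_summary(target, granularity=24, routes=PARSED):
    """Split a scan target into /granularity blocks and count which interface each
    block leaves on. Anything not directly attached goes to the default gateway,
    which is exactly the traffic a DC's network team will see and ask about."""
    counts = collections.Counter()
    for block in ipaddress.ip_network(target).subnets(new_prefix=granularity):
        ifname, _gw = lookup(block.network_address, routes)
        counts[ifname] += 1
    return dict(counts)


if __name__ == "__main__":
    # The /16 sweep from the post: 2 blocks stay local, 254 leave via the WAN.
    print("192.168/16 by /24:", egress_summary("192.168.0.0/16"))
    # The 10/8 sweep with no 10.x interfaces or routes: everything goes to the gateway.
    print("10/8 by /16:", egress_summary("10.0.0.0/8", granularity=16))
    print("10.52.33.194 ->", lookup("10.52.33.194"))
```

Swap in your own table (from `netstat -rn` on pfSense) to see, before you scan, how much of a range will transit the provider's network.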
-
@johnpoz said in Unknown servers on VLAN:
If you scanned 10/8 and you had no interfaces in a 10.x network and/or no other routes to get to 10.x then all of that traffic would have been sent to the default gateway.
Yes, there were no replies from anything in the 10 network.
What I mean by LAN/WAN meeting is probably wrong. I was told by the DC that the LAN and WAN are fully separated networks within the infrastructure.
-
@lewis said in Unknown servers on VLAN:
DC that the LAN and WAN are fully separated networks within the infrastructure
Well your "lans" are completely isolated because they are behind pfsense ;) into your own switches that do not connect to anything else other than your devices - right?
-
@johnpoz said in Unknown servers on VLAN:
Well your "lans" are completely isolated because they are behind pfsense ;) into your own switches that do not connect to anything else other than your devices - right?
Not exactly since I have two LAN connections and one WAN connection. The WAN is just that but one LAN goes into my own switch and the other LAN goes to the DC's internal LAN network where I am given a private VLAN that acts as my own LAN in the DC.
Hope that makes sense :)
-
@lewis said in Unknown servers on VLAN:
LAN goes to the DC's internal LAN network where I am given a private VLAN that acts as my own LAN in the DC.
Ah well then it could be possible for stuff to be on this network that you might not want on what is "your" network... So as suggested I would check this network for devices that are not yours. You could do an ARP scan, this is way better than doing an nmap scan.. Since you could scan for really any network at all that is on the same L2 (VLAN)..
https://www.freebsd.org/cgi/man.cgi?query=arp-scan&sektion=&manpath=freebsd-release-ports
--arpspa=<s> or -s <s>
Use <s> as the source IP address. The address should be specified in dotted quad format; or the string "dest", which sets the source address to be the same as the target host address. This sets the 32-bit ar$spa field in the ARP packet. Some operating systems check this, and will only respond if the source address is within the network of the receiving interface. Others don't care, and will respond to any source address. By default, the outgoing interface address is used.
You could just install the FreeBSD port onto pfsense if you have no other, say, Linux box on this "dc" VLAN that is one of your LAN networks.
You could also get sneaky and set VLAN IDs in your ARP scan to see if you can jump VLANs. Which would be bad in a DC..
But also just running a packet capture looking for ARPs on this network and seeing if you see any ARPs from stuff that is not yours on this DC "lan" network would be a way to check as well.
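The two checks suggested in this reply (an ARP scan of the DC-facing VLAN, and a packet capture watching for ARPs from hosts that are not yours), as an added example that is not code from the thread or from arp-scan. It parses constructed `arp-scan` host lines and constructed `tcpdump -e` ARP lines, then flags any sender whose MAC is not in your own inventory or whose IP is outside your assigned prefix. The inventory, the 10.52.40.0/24 prefix, the MACs and every sample line are made-up assumptions; the line formats follow what arp-scan and tcpdump print.

```python
import ipaddress
import re

# Constructed inventory (not from the thread): the MACs of your own devices on the
# DC-facing VLAN and the prefix the DC handed you. Both are assumptions.
OWN_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
OWN_PREFIX = ipaddress.ip_network("10.52.40.0/24")

# Constructed arp-scan output: host lines are tab-separated IP, MAC, vendor. The last
# host sits in another subnet but still answered on this L2, which is the situation
# the --arpspa option quoted above lets you probe for.
ARP_SCAN_OUTPUT = """\
Interface: vtnet1, type: EN10MB, MAC: 00:11:22:33:44:01, IPv4: 10.52.40.1
10.52.40.1\t00:11:22:33:44:01\tExample Firewall Vendor
10.52.40.10\t00:11:22:33:44:02\tExample Server Vendor
10.52.40.11\t00:11:22:33:44:03\tExample Server Vendor
10.52.40.250\taa:bb:cc:dd:ee:ff\tUnknown Vendor
192.168.77.1\t00:de:ad:be:ef:01\tAnother Vendor
5 packets received by filter, 0 packets dropped by kernel
"""

# Constructed `tcpdump -eni <iface> arp` lines covering the same hosts.
TCPDUMP_LINES = """\
10:34:01.000001 00:11:22:33:44:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.52.40.1 tell 10.52.40.10, length 46
10:34:01.000002 00:11:22:33:44:01 > 00:11:22:33:44:02, ethertype ARP (0x0806), length 60: Reply 10.52.40.1 is-at 00:11:22:33:44:01, length 46
10:34:02.000003 aa:bb:cc:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.52.40.10 tell 10.52.40.250, length 46
10:34:03.000004 00:de:ad:be:ef:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.77.5 tell 192.168.77.1, length 46
"""

MAC = r"[0-9a-fA-F:]{17}"
ARP_SCAN_RE = re.compile(rf"^(\d+\.\d+\.\d+\.\d+)\t({MAC})\t")
TCPDUMP_RE = re.compile(
    rf"^\S+ ({MAC}) > {MAC}, ethertype ARP \(0x0806\), length \d+: "
    r"(?:Request who-has [\d.]+ tell ([\d.]+)|Reply ([\d.]+) is-at)"
)


def parse_arp_scan(text):
    """Return [(ip, mac)] from arp-scan output, ignoring banner and summary lines."""
    out = []
    for line in text.splitlines():
        m = ARP_SCAN_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2).lower()))
    return out


def parse_tcpdump_arp(text):
    """Return [(sender_ip, sender_mac)] from tcpdump -e ARP lines.

    The sender IP is the 'tell' address of a Request or the 'is-at' address of a
    Reply; the MAC is the Ethernet source from the frame header, so a host that
    lies in the ARP payload still shows up under the MAC it actually sent from.
    """
    out = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            out.append((m.group(2) or m.group(3), m.group(1).lower()))
    return out


def classify(observed, own_macs=OWN_MACS, own_prefix=OWN_PREFIX):
    """Return sorted, de-duplicated (ip, mac, reasons) for hosts that should not be
    on your VLAN: a MAC missing from your inventory, or a sender IP outside your
    prefix, which on a supposedly private VLAN means someone else's L2 is reachable."""
    findings = set()
    for ip, mac in observed:
        reasons = []
        if mac not in own_macs:
            reasons.append("unknown-mac")
        if ipaddress.ip_address(ip) not in own_prefix:
            reasons.append("foreign-subnet")
        if reasons:
            findings.add((ip, mac, ",".join(reasons)))
    return sorted(findings)


if __name__ == "__main__":
    for source, hosts in (("arp-scan", parse_arp_scan(ARP_SCAN_OUTPUT)),
                          ("tcpdump", parse_tcpdump_arp(TCPDUMP_LINES))):
        for ip, mac, why in classify(hosts):
            print(f"{source}: {ip} {mac} {why}")
```

Feed it real input from `arp-scan --interface=<iface> --localnet` (or a wider target range with `--arpspa`, as the man page excerpt describes) and from `tcpdump -eni <iface> arp`; since ARP is answered below any host firewall, a device that is invisible to nmap still shows up here, and only devices that are actually on your L2 can appear at all.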
-
Using arp, I see only my own stuff. I'll spend more time on this once I get everything else done. That way, it'll be a complete working config and hopefully, very secure as promised.
-
@lewis yeah ARP scanning is very fast, and most anything is going to answer an ARP, even if a firewall is blocking all protocols and ping, etc. Only problem with that sort of scan is you have to be on the same L2..
But for what you're looking for it's prob more in line with what you're looking to do..
-
@johnpoz said in Unknown servers on VLAN:
@lewis yeah ARP scanning is very fast, and most anything is going to answer an ARP, even if a firewall is blocking all protocols and ping, etc. Only problem with that sort of scan is you have to be on the same L2..
But for what you're looking for it's prob more in line with what you're looking to do..
Yes, basically just wanting to make sure I have my own relatively secure LAN (VLAN) network.
I'll do it again once everything is up.