I want to investigate whether there was any communication between terminals across the LAN network.
-
We are using a Netgate 1100 with two wireless LAN routers under the Netgate distribution. (This is hypothetical.) If the contaminated terminal was communicating with and attacking another terminal on the LAN network, how can we check the communication logs?
-
@Yet_learningPFSense So does this traffic pass across pfsense? Devices on the same network talking to each other: pfsense has no insight into this traffic.
If traffic passes through pfsense, then you could log traffic if you wanted, or specific traffic that is allowed. Or you could look in the state table for any current traffic, etc.
-
@johnpoz Thank you. Yes, the terminal under the wireless LAN parent (assuming it is contaminated) has its traffic passing through pfsense. I will try to check the state table. Alternatively, it may be possible to search for the IP address in question in other firewall logs and see whether it is accessing the IP addresses of other terminals.
-
@Yet_learningPFSense So your wireless LAN routers are on a different VLAN? Is this what you're calling your LAN network?
If you're not routing traffic through pfsense, pfsense is not going to see LAN-to-LAN traffic.
-
@johnpoz Sorry, I didn't explain myself well enough and misquoted you. The two wireless LAN routers (and the terminals under their control) are indeed on different VLANs. At home there are two lines, SoftbankAir and FLET'S Hikari. FLET'S Hikari (which is connected to multiple devices, with a port-based VLAN set up so that the wireless LAN parent devices cannot communicate with each other) is currently unavailable, so the path is: devices with port-based VLAN -> PFsense -> QFsense -> SoftbankAir. SoftbankAir is connected to a Softbank-only network to which only one QubesOS PC was connected.
Port-based VLANs were only used for communication between 1-2, 1-3, 1-4 and 1-5: port 1 goes to the LAN port of PFsense (OPT is dedicated to Admin, and you cannot enter Admin unless you connect to this port), and 1-4 to all the wireless LAN parent devices, which are connected to a hub. The WAN port of PFSense is connected to SoftbankAir. So we know that communication cannot be sent across the port-based VLAN devices, but we were wondering whether it is possible to attack via PFsense or via SoftbankAir's router function. It is a difficult situation to imagine, but we think such an attacker might have such a method.
-
@Yet_learningPFSense I 'm sorry to interfere, but, what is even QFSense?
-
@NightlyShark Sorry, I made a post-translation checking error in DeepL and wrote QFSense. The correct name is VLAN -> PFSense -> SoftbankAir. But it would be interesting if there were multiple software router OSs in one router and you could switch between them via a GUI. I imagined that it would be a good idea.
-
@Yet_learningPFSense said in I want to investigate whether there was any communication between terminals across the LAN network.:
But it would be interesting if there were multiple software router OSs in one router
I used to have this sort of thing set up when I was running pfsense on ESXi. I could switch between stable and dev/snapshot versions of pfsense, and any other router distro I was playing with.
I just set them all up to use the same MAC for their WANs, which was connected to my cable modem, so the cable modem didn't see a change, nor did my ISP, so same IP all the time, etc.
Now you couldn't run them at the same time, but switching between one router version and another was as simple as turning off VM X and turning on VM Y.
With zfs and new features, it should be fairly easy to say boot X.A version of pfsense or X.B version
If you have this:
VLAN -> PFSense -> SoftbankAir
and you want to know if anything from the VLAN went or tried to go to SoftbankAir, just set the rules on your VLAN interface to log all the traffic you're interested in seeing. Out of the box, all default deny is logged, but you can also set allow rules to be logged, or any specific rules to log.
Keep in mind that any existing traffic wouldn't be logged until a new session is created. So you might want to clear all states, or at least validate that there are no existing states that you might want to have logged going forward. Kill off any such states.
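The advice above boils down to: turn on logging on the VLAN interface rules, then search the firewall log for the suspect host talking to other terminals. The script below is an added example (not code from the thread or from Netgate) that does that search offline over lines in the pfSense filter-log format (the raw view under Status > System Logs > Firewall), reporting separately what was blocked and what was passed, since a passed entry is the one that means the traffic actually reached the other terminal. The five log lines, the suspect address 192.168.10.50, the terminal subnet 192.168.20.0/24 and the interface names are all constructed for the example.

```python
"""Search pfSense filter-log lines for traffic from one suspect host to other LAN terminals.

Added example, not part of the original thread. The log lines below are constructed;
real lines come from the raw firewall log view or /var/log/filter.log on the firewall.
"""
import csv
import ipaddress
import re
from collections import defaultdict

# Everything after "filterlog[pid]: " is a CSV record (pfSense filterlog format).
FILTERLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.*)$")

# Field order: 9 fields common to all records, then the IPv4-specific fields,
# then protocol-specific fields (for TCP/UDP the first two are src port, dst port).
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst"]

# Constructed sample: a suspect host on VLAN 10 (mvneta1.10, hypothetical name)
# probing SMB, SSH and mDNS on VLAN 20 hosts, plus an unrelated HTTPS session
# to the Internet and a reverse connection from a VLAN 20 host.
SAMPLE_LOG = """\
Jun  1 09:12:01 pfSense filterlog[3020]: 4,,,1000000103,mvneta1.10,match,block,in,4,0x0,,64,31001,0,DF,6,tcp,60,192.168.10.50,192.168.20.20,51234,445,0,S,1234567:1234567,,65535,,mss;nop;wscale
Jun  1 09:12:03 pfSense filterlog[3020]: 120,,,1601234567,mvneta1.10,match,pass,in,4,0x0,,64,31002,0,DF,6,tcp,60,192.168.10.50,192.168.20.21,51235,22,0,S,2345678:2345678,,65535,,mss;nop;wscale
Jun  1 09:12:05 pfSense filterlog[3020]: 4,,,1000000103,mvneta1.10,match,block,in,4,0x0,,64,31003,0,DF,17,udp,78,192.168.10.50,192.168.20.20,5353,5353,58
Jun  1 09:12:07 pfSense filterlog[3020]: 120,,,1601234567,mvneta1.10,match,pass,in,4,0x0,,64,31004,0,DF,6,tcp,60,192.168.10.50,8.8.8.8,51236,443,0,S,3456789:3456789,,65535,,mss;nop;wscale
Jun  1 09:12:09 pfSense filterlog[3020]: 120,,,1601234568,mvneta1.20,match,pass,in,4,0x0,,64,31005,0,DF,6,tcp,60,192.168.20.21,192.168.10.50,40000,443,0,S,4567890:4567890,,65535,,mss;nop;wscale
"""


def parse_filterlog(line):
    """Return a dict of named fields for an IPv4 filterlog line, or None."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    fields = next(csv.reader([m.group("csv")]))
    if len(fields) < len(COMMON) + len(IPV4) or fields[8] != "4":
        return None  # IPv6 records have a different layout; not handled here
    rec = dict(zip(COMMON + IPV4, fields))
    rest = fields[len(COMMON) + len(IPV4):]
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = rest[0], rest[1]
    else:
        rec["sport"] = rec["dport"] = None
    return rec


def lateral_hits(lines, suspect, lan_nets):
    """Records where `suspect` sent to an address in `lan_nets`, keyed by pf action."""
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    hits = defaultdict(list)
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["src"] != suspect:
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if any(dst in n for n in nets):
            hits[rec["action"]].append(rec)
    return hits


def summarize(hits):
    """Count (action, dst, proto, dport) tuples so repeated probes stand out."""
    counts = defaultdict(int)
    for action, recs in hits.items():
        for r in recs:
            counts[(action, r["dst"], r["proto"], r["dport"])] += 1
    return dict(counts)


if __name__ == "__main__":
    found = lateral_hits(SAMPLE_LOG.splitlines(), "192.168.10.50", ["192.168.20.0/24"])
    for key, n in sorted(summarize(found).items()):
        action, dst, proto, dport = key
        print(f"{action:5} {proto:3} -> {dst}:{dport}  x{n}")
```

Only "pass" entries mean the other terminal was actually reached; "block" entries show attempts. As johnpoz notes, a session that already had a state before logging was enabled produces no log line at all, so an empty result is only meaningful once the state table has been checked or cleared.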
-
@johnpoz Thank you. That's great; I didn't realize that something like QubesOS could switch software routers almost at the touch of a button. It would be possible to switch the software router when the attacker sends a packet and tries to guess the router type, and then switch the software router again when the packet arrives, to disrupt it (although I don't think such an acrobatic thing is realistic).
The VLAN equipment is a NETGEAR switching hub, so I don't think it has logging capabilities, but if it has mirroring capabilities I might be able to set up a box for analysis so that I can look at the logs separately there. Alternatively, I don't often log into PFSense unless there is a problem, but I have ntopng installed and would like to be able to check it, even roughly, there.
-
It would probably be better to pretend to be some other router, or in fact not to expose anything that allows determining the router type at all. IMO