UDP broadcast flood that kills my network
-
Yes, it seems to be a loop or something similar.
But I can't explain this technically.
I don't have any bridge configured.
I'm a free man and I can connect multiple interfaces to the same L2 without causing a loop.
Why does a pf rule "copy" packets to/from interfaces and create this behaviour?
I'm not the only person who has reported this issue.
If someone can clarify this…
Thanks
Matteo
-
What language do you speak? If it's not English, try another segment of this forum that would have your language.
-
My friend, I apologize for my poor English, but I can say that you are poor in technical skill in this topic.
Bridging is one thing (http://en.wikipedia.org/wiki/Bridging_%28networking%29).
Forwarding is another (http://en.wikipedia.org/wiki/Packet_forwarding). These things are not to be confused.
I'm not alone, as I reported another post on this forum that has the same issue as mine. If you have doubts you can also read that post.
If you cannot help please shut.
Have a nice day, my friend
M.
-
"If you cannot help please shut."
I do hope that someone will tolerate your rudeness. In the meantime you could read and search through this page to find the answer on your own:
https://doc.pfsense.org/index.php/Special:Categories
You could also become a Gold member to have access to the guide for the latest version of pfSense. Other than that, it might be wise to be more cordial, and perhaps someone will come in to help.
Have a good day:)
-
I don't know the firewall rules like "pass in quick on em0 …", but if you have both interfaces on the same broadcast domain and you quickly forward any packet from the broadcast domain back to the same broadcast domain, you have a loop.
Maybe you should link a diagram.
-
Hi Harvy66, exactly: these rules are doing something that is not so evident.
These rules are applied strictly to em0, so why does something happen that is related to em1?
Also, "forwarding packets" in networking terms does not mean "read UDP broadcast packets, duplicate them, forge them with your own MAC address and inject them on the network". This behaviour really seems like a bridge issue. :o
If you configure two interfaces on the same L2 network, for example in Linux or Cisco IOS, you are not able to kill your network with some simple firewall rules. :o Is this the power of FreeBSD? ???
Probably only someone with good knowledge of PF internals can understand this… I read the documentation quickly and I don't have much experience with PF. I also found other strangeness in PF (I wrote another post: https://forum.pfsense.org/index.php?topic=79637)
M.
P.S.: the network diagram is attached, it's very simple
![Untitled Diagram (1).png](/public/imported_attachments/1/Untitled Diagram (1).png)
-
"Forwarding", as a network term, is about routing between two different broadcast domains or subnets. It is generally bad practice to have multiple subnets in the same broadcast domain, and it's bad practice to effectively plug your WAN port into your LAN port.
You're not following convention:
- Packet received on Broadcast Domain 1
- Packet forwarded to Broadcast Domain 1
- Goto 1
Sounds an awful lot like a loop to me.
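The loop described in the two posts above (a packet accepted on one interface and forwarded straight back onto the same broadcast domain), worked through as an added simulation. This is not code from the thread or from pfSense/FreeBSD; the switch flooding behaviour, the two router ports named em0 and em1, the per-port pass rules and the forward-out-the-other-port-with-TTL-minus-one model are all assumptions made for the illustration and stated in the docstring.

```python
"""Simulation of a UDP broadcast forwarding loop on a flat L2 segment.

Model (assumptions for this illustration, not taken from the thread or pfSense):
  * one switch that floods a broadcast frame to every port except the one it
    arrived on;
  * a router with two ports, "em0" and "em1", both in the same subnet; by
    default both are plugged into that one switch;
  * per-port firewall rules with default deny, so a broadcast is accepted
    only on the ports listed in `pass_in`;
  * an accepted IP packet is forwarded out the *other* router port with its
    TTL decremented by one, and is discarded when the TTL would reach zero.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    egress: str  # who put the frame on the wire: "host", "em0" or "em1"
    ttl: int     # IP TTL carried in the frame


def other_port(port: str) -> str:
    """The router's second interface, i.e. where a packet accepted on `port` is forwarded."""
    return "em1" if port == "em0" else "em0"


def simulate(pass_in, ports_on_segment=("em0", "em1"), initial_ttl=64, frame_limit=10_000):
    """Return how many frames the segment carries for ONE host broadcast.

    pass_in:          router ports whose firewall rule passes the broadcast in.
    ports_on_segment: router ports cabled to this broadcast domain; a copy
                      forwarded out a port that is elsewhere never comes back.
    initial_ttl:      TTL of the host's original broadcast.
    frame_limit:      safety valve so a broken model cannot spin forever.
    """
    wire = deque([Frame(egress="host", ttl=initial_ttl)])
    frames_on_segment = 0
    while wire:
        frame = wire.popleft()
        frames_on_segment += 1
        if frames_on_segment > frame_limit:
            raise RuntimeError("loop did not converge within frame_limit")
        # The switch floods the frame to every router port except its own egress.
        for ingress in ports_on_segment:
            if ingress == frame.egress:
                continue  # a switch never sends a frame back out the port it came in on
            if ingress not in pass_in:
                continue  # default deny on this interface: nothing is forwarded
            if frame.ttl <= 1:
                continue  # TTL exceeded: the router drops instead of forwarding
            egress = other_port(ingress)
            if egress in ports_on_segment:
                # Forwarded right back onto the same broadcast domain: the loop.
                wire.append(Frame(egress=egress, ttl=frame.ttl - 1))
            # else: forwarded into a different broadcast domain, as a router should
    return frames_on_segment


if __name__ == "__main__":
    print("pass on em0 only, both ports on one L2:", simulate({"em0"}))
    print("pass on em0 and em1, both ports on one L2:", simulate({"em0", "em1"}))
    print("no pass rule at all:", simulate(set()))
    print("pass on em0, em1 cabled to a different L2:", simulate({"em0"}, ports_on_segment=("em0",)))
```

What the run shows: with a pass rule on em0 alone, one host broadcast turns into 64 frames on the wire (the original plus 63 router re-injections), because each copy the router emits on em1 is flooded back to em0 and accepted again until the TTL runs out. The TTL is what bounds the chain, so per packet this is finite amplification rather than an endless loop, but every host's ARP-adjacent UDP chatter (DHCP, NetBIOS, mDNS and so on) is multiplied the same way. Passing on both interfaces starts a second chain and gives 127 frames. Moving em1 to its own broadcast domain, which is what the post above calls following convention, brings it back to a single frame.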
-
Is this related to what your L2 is supposed to do? But it doesn't work on Pfsense?
http://www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/116266-configure-l2-00.html
-
> Is this related to what your L2 is supposed to do? But it doesn't work on Pfsense?
> http://www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/116266-configure-l2-00.html
My scenario was produced accidentally for testing purposes; it's a POC and clearly makes no sense, but I'm worried by this.
I want to understand why a simple pass PF rule (that literally says "accept traffic from the em0 interface") can kill the whole network if there is also another NIC, em1, connected to the same L2. This makes no sense technically.
Thanks,
M.
-
Is the L2 gateway the same as the pfSense gateway?
Such as L2 gateway = 192.168.1.1 and pfSense gateway = 192.168.1.1
If it is, then I can see why there would be difficulties. Like all hardware firewalls, pfSense works best on the perimeter, directly receiving an IP address by way of DHCP from the ISP.