Netgate Discussion Forum
    MAC address spoofing on VLAN's and impressions from a second-try user

      Aaargh

      @awebster:

      What you are looking to do isn't supported by the underlying operating system

      But it is supported by the underlying hardware, so this is a failure of the underlying OS.

      Sure, there are workaround possible but then I would have to buy additional hardware just to do something the existing hardware already supports. It adds more possible points of failure, etc.

      What I'm actually doing is going back to Linux and checking back in a few years.

        Aaargh

        @NogBadTheBad:

        Yup it changes the parent interfaces and all the vlan interfaces assigned to it.

        It seems weird to me. It's such a basic feature to support multiple virtual interfaces per physical interface. It's used extensively in virtualisation for example, and most NICs explicitly support having multiple MACs. IIRC the i210's on my box support up to 16 MACs.

          awebster

          But it is supported by the underlying hardware, so this is a failure of the underlying OS.

          FreeBSD, the underlying OS, is not pfSense.  If you want the underlying OS to support the hardware the way you want it to, I suggest you take that up in the FreeBSD forums.

          –A.

            Aaargh

            @awebster:

            But it is supported by the underlying hardware, so this is a failure of the underlying OS.

            FreeBSD, the underlying OS, is not pfSense.  If you want the underlying OS to support the hardware the way you want it to, I suggest you take that up in the FreeBSD forums.

            PFSense made the decision to build their stuff on top of FreeBSD. PFSense as a whole is the product they are selling, who supplies their parts is not my concern. All I see as an end-user is that PFSense as a product can not support my fairly trivial use-case. It's also lacking support for other essential features. E.g. no support for fq_codel.  It looks to me like PFSense as a router OS is still a bit of a toy and not a real serious product.

              dotdash

              Dude,
              I'm sorry that something that you got completely free didn't work for your home setup. You could just go back to your Linux box and call it a day instead of starting a troll thread. While it would be good to support this, getting dhcp on two vlans has never been a requirement in any business case I've seen. If you think it's a toy, go ahead and use something else, but it works just fine for many others in home and business environments. I don't know why you want to keep checking back when you obviously think the software sucks.

                Nullity

                @Aaargh!:

                @awebster:

                But it is supported by the underlying hardware, so this is a failure of the underlying OS.

                FreeBSD, the underlying OS, is not pfSense.  If you want the underlying OS to support the hardware the way you want it to, I suggest you take that up in the FreeBSD forums.

                PFSense made the decision to build their stuff on top of FreeBSD. PFSense as a whole is the product they are selling, who supplies their parts is not my concern. All I see as an end-user is that PFSense as a product can not support my fairly trivial use-case. It's also lacking support for other essential features. E.g. no support for fq_codel.  It looks to me like PFSense as a router OS is still a bit of a toy and not a real serious product.

                FYI, fq_codel support will be included in pfSense 2.4, since it is based on FreeBSD 11 which added fq_codel.

                http://caia.swin.edu.au/freebsd/aqm/

                I understand that you have complaints (who doesn't?) but you seem like you are a bit more focused on finding reasons to complain rather than finding solutions to your problems.

                I'd be the first to say that Linux has more modern networking features and if that's what you want/need, there's nothing wrong with choosing Linux, but I am slightly confused with you saying unconstructive, trollish things like pfSense "is still a bit of a toy and not a real serious product".

                Please correct any obvious misinformation in my posts.
                -Not a professional; an arrogant ignoramus.

                  johnpoz LAYER 8 Global Moderator

                  Can you not just set mac on a vlan like this?

                  ifconfig vlan0 lladdr fe:e1:ba:d0:84:0e

                  This would be a very unique case that you would need to do such a thing - but a simple test shows it works

                  [2.4.0-BETA][root@pfsense.local.lan]/root: ifconfig em2_vlan900
                  em2_vlan900: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                          options=3<RXCSUM,TXCSUM>
                          ether 00:50:56:00:00:03
                          inet6 fe80::250:56ff:fe00:3%em2_vlan900 prefixlen 64 scopeid 0xe
                          inet 192.168.99.253 netmask 0xffffff00 broadcast 192.168.99.255
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                          media: Ethernet autoselect (1000baseT <full-duplex>)
                          status: active
                          vlan: 900 vlanpcp: 0 parent interface: em2
                          groups: vlan
                  [2.4.0-BETA][root@pfsense.local.lan]/root: ifconfig em2_vlan900 lladdr fe:e1:ba:d0:84:0e
                  [2.4.0-BETA][root@pfsense.local.lan]/root: ifconfig em2_vlan900
                  em2_vlan900: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                          options=3<RXCSUM,TXCSUM>
                          ether fe:e1:ba:d0:84:0e
                          inet6 fe80::250:56ff:fe00:3%em2_vlan900 prefixlen 64 scopeid 0xe
                          inet 192.168.99.253 netmask 0xffffff00 broadcast 192.168.99.255
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                          media: Ethernet autoselect (1000baseT <full-duplex>)
                          status: active
                          vlan: 900 vlanpcp: 0 parent interface: em2
                          groups: vlan
                  [2.4.0-BETA][root@pfsense.local.lan]/root:

                  You would most likely need to do something, or that would not survive a reboot.  I would just add a new nic if I need two different mac on the wan side of pfsense.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                    jahonix

                    @johnpoz:

                    Can you not just set mac on a vlan like this?

                    Check it yourself … you'll find that only one of those MACs (last or first, I don't remember) gets used on all VLANs.

                      voxeljorz

                      @jahonix:

                      @johnpoz:

                      Can you not just set mac on a vlan like this?

                      Check it yourself … you'll find that only one of those MACs (last or first, I don't remember) gets used on all VLANs.

                      It's the last VLAN MAC address used.

                        Rai80

                        I'm facing the same problem with my new ISP. This new ISP delivers internet on VLAN34 and IPTV on VLAN4. Both interfaces request an IP by DHCP. But they need their own MAC address to get an IP address on both VLANs. To solve this I created a bridge and added 1 member interface. In my case for VLAN4. After creating the bridge you can change the MAC address of the bridge interface.

                          JKnott

                          What Linux distro makes it so easy to spoof MACs, let alone with different VLANs? I've been using Linux for over 20 years (currently openSUSE) and don't ever recall such a thing. While it may be possible with ifconfig or other utilities, spoofing the MAC isn't even included in the network settings, in openSUSE. Also, the only difference between a VLAN frame and a native LAN frame is the VLAN tag, which is included in the frame payload that's passed to the NIC. I don't know that there's any way to change the MAC, as that's done in the NIC, not in data fed to it. Has anyone else seen this in Linux or elsewhere?

                          In looking at the man page for the IF command (replacement for deprecated ifconfig), there is something called Virtual Function (VF), where things such as MAC or VLAN can be set, but no indication that the MAC can be set differently per VLAN.

                          BTW, is the ifconfig in Linux that different from the one in BSD?

                          PfSense running on Qotom mini PC
                          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                          UniFi AC-Lite access point

                          I haven't lost my mind. It's around here...somewhere...

                            Rai80

                            For anyone looking for a solution/workaround to this. Add the following in the top section of /etc/inc/interfaces.inc:

                            // put the parent and the VLAN child in promiscuous mode, so the NIC
                            // accepts frames addressed to a MAC other than its own hardware address
                            mwexec("/sbin/ifconfig igb0 promisc");
                            mwexec("/sbin/ifconfig igb0.4 promisc");
                            // give the VLAN interface its own MAC (placeholder value from the post)
                            mwexec("/sbin/ifconfig igb0.4 ether 00:aa:bb:cc:dd:ee");

                              stephenw10 Netgate Administrator

                              You have actually confirmed that allows pulling two IPs via DHCP?

                                Rai80

                                Yes, I got 2 IP's!

                                  Wikai @stephenw10

                                  @stephenw10 said in MAC address spoofing on VLAN's and impressions from a second-try user:

                                  You have actually confirmed that allows pulling two IPs via DHCP?

                                  @Rai80 said in MAC address spoofing on VLAN's and impressions from a second-try user:

                                  Yes, I got 2 IP's!

                                  I can confirm this works!
                                  I'm now using a single-NIC Intel NUC as my home router, pulling 5 IPs from my ISP via DHCP and even load-balancing over them (yes... my ISP messed up giving me 100/100 per IP :)).
                                  For years I thought this wasn't possible with pfSense, believing it had to be run virtualized in order to pull this off. But here I am, running a single-NIC bare metal.
                                  Thank you @Rai80.

                                    JKnott @Wikai

                                    @Wikai

                                    Please show the output from ifconfig. If public addresses, feel free to edit the network part.

                                      GertJanT

                                      I am not familiar with the promiscuous option.
                                      But what I read from this:
                                      Usually, your network interfaces will only pass the packets they are programmed to pass to your CPU. In promiscuous mode, your network interfaces will catch every single packet they receive on an interface.

                                      So, isn't there a performance downside to this usage?

                                        Wikai @JKnott

                                        @JKnott
                                        Here you go.
                                        em0.10 - LAN vlan
                                        em0.101-105 WAN vlans

                                        Shell Output - ifconfig
                                        em0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
                                        	options=1209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
                                        	ether e4:ee:1a:xx:xx:xx
                                        	hwaddr c0:3f:d5:xx:xx:xx
                                        	inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0 prefixlen 64 scopeid 0x1
                                        	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                                        	media: Ethernet autoselect (1000baseT <full-duplex>)
                                        	status: active
                                        	
                                        em0.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                        	options=3<RXCSUM,TXCSUM>
                                        	ether e4:ee:1a:xx:xx:xx
                                        	inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0.10 prefixlen 64 scopeid 0x6
                                        	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
                                        	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                                        	media: Ethernet autoselect (1000baseT <full-duplex>)
                                        	status: active
                                        	vlan: 10 vlanpcp: 0 parent interface: em0
                                        	groups: vlan
                                        	
                                        em0.101: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
                                        	options=3<RXCSUM,TXCSUM>
                                        	ether 1c:b7:2c:xx:xx:xx
                                        	inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0.101 prefixlen 64 scopeid 0x7
                                        	inet xxx.xxx.xxx.8 netmask 0xffffff00 broadcast xxx.xxx.xxx.255
                                        	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                                        	media: Ethernet autoselect (1000baseT <full-duplex>)
                                        	status: active
                                        	vlan: 101 vlanpcp: 0 parent interface: em0
                                        	groups: vlan
                                        	
                                        em0.102: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
                                        	options=3<RXCSUM,TXCSUM>
                                        	ether 1a:c9:8e:xx:xx:xx
                                        	inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0.102 prefixlen 64 scopeid 0x8
                                        	inet xxx.xxx.xxx.17 netmask 0xffffff80 broadcast xxx.xxx.xxx.127
                                        	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                                        	media: Ethernet autoselect (1000baseT <full-duplex>)
                                        	status: active
                                        	vlan: 102 vlanpcp: 0 parent interface: em0
                                        	groups: vlan
                                        	
                                        em0.103: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
                                        	options=3<RXCSUM,TXCSUM>
                                        	ether 90:1b:0e:xx:xx:xx
                                        	inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0.103 prefixlen 64 scopeid 0x9
                                        	inet xxx.xxx.xxx.47 netmask 0xfffffe00 broadcast xxx.xxx.xxx.255
                                        	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                                        	media: Ethernet autoselect (1000baseT <full-duplex>)
                                        	status: active
                                        	vlan: 103 vlanpcp: 0 parent interface: em0
                                        	groups: vlan
                                        	
                                        em0.104: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
                                        	options=3<RXCSUM,TXCSUM>
                                        	ether fe:b3:33:xx:xx:xx
                                        	inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0.104 prefixlen 64 scopeid 0xa
                                        	inet xxx.xxx.xxx.240 netmask 0xffffff00 broadcast xxx.xxx.xxx.255
                                        	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                                        	media: Ethernet autoselect (1000baseT <full-duplex>)
                                        	status: active
                                        	vlan: 104 vlanpcp: 0 parent interface: em0
                                        	groups: vlan
                                        	
                                        em0.105: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
                                        	options=3<RXCSUM,TXCSUM>
                                        	ether e4:ee:1a:xx:xx:xx
                                        	inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0.105 prefixlen 64 scopeid 0xb
                                        	inet xxx.xxx.xxx.230 netmask 0xfffffe00 broadcast xxx.xxx.xxx.255
                                        	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                                        	media: Ethernet autoselect (1000baseT <full-duplex>)
                                        	status: active
                                        	vlan: 105 vlanpcp: 0 parent interface: em0
                                        	groups: vlan
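Added example (not code from the thread, pfSense or FreeBSD): a small Python parser for the ifconfig output format shown above. For each VLAN interface it reports whether the MAC differs from the parent's (shared being the default, and the "last MAC wins on all VLANs" behaviour jahonix and voxeljorz describe) and whether the parent is in promiscuous mode, the combination Rai80's workaround sets so the NIC accepts frames addressed to a MAC other than its hardware address. The sample output is constructed, with made-up locally administered MACs; only the interface names follow the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample modelled on the FreeBSD/pfSense ifconfig(8) output in the
# thread. MACs and addresses are made up (02: prefix = locally administered).
SAMPLE_IFCONFIG = """\
em0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
\tether 02:00:00:00:00:01
\thwaddr 02:00:00:00:00:99
\tstatus: active
em0.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 02:00:00:00:00:01
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
\tvlan: 10 vlanpcp: 0 parent interface: em0
\tgroups: vlan
em0.101: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
\tether 02:00:00:00:01:01
\tvlan: 101 vlanpcp: 0 parent interface: em0
\tgroups: vlan
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 02:00:00:00:00:02
\tstatus: active
igb0.4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 02:00:00:00:04:04
\tvlan: 4 vlanpcp: 0 parent interface: igb0
\tgroups: vlan
"""

HEADER_RE = re.compile(r"^(\S+): flags=[0-9a-fA-F]+<([^>]*)>")
ETHER_RE = re.compile(r"^\s+ether ([0-9a-fA-F:]{17})\s*$")
VLAN_RE = re.compile(r"^\s+vlan: (\d+) .*parent interface: (\S+)")


@dataclass
class Iface:
    name: str
    flags: Set[str]
    ether: Optional[str] = None    # active MAC from the "ether" line
    vlan_id: Optional[int] = None  # only set for vlan(4) children
    parent: Optional[str] = None


def parse_ifconfig(text: str) -> Dict[str, Iface]:
    """One record per interface: a non-indented "name: flags=..." header
    followed by its indented detail lines up to the next header."""
    ifaces: Dict[str, Iface] = {}
    cur: Optional[Iface] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = Iface(m.group(1), set(m.group(2).split(",")))
            ifaces[cur.name] = cur
            continue
        if cur is None:
            continue
        m = ETHER_RE.match(line)
        if m:
            cur.ether = m.group(1).lower()
            continue
        m = VLAN_RE.match(line)
        if m:
            cur.vlan_id = int(m.group(1))
            cur.parent = m.group(2)
    return ifaces


def check_vlan_macs(text: str) -> Dict[str, str]:
    """Classify each VLAN child relative to its parent:
    shared-with-parent, distinct-no-promisc (own MAC, but the parent is not
    PROMISC so the NIC filter drops inbound frames for it), distinct-ok
    (own MAC and promiscuous parent, as in Rai80's workaround), incomplete."""
    ifaces = parse_ifconfig(text)
    result: Dict[str, str] = {}
    for vl in ifaces.values():
        if vl.parent is None:
            continue  # not a vlan(4) interface
        parent = ifaces.get(vl.parent)
        if parent is None or vl.ether is None or parent.ether is None:
            result[vl.name] = "incomplete"
        elif vl.ether == parent.ether:
            result[vl.name] = "shared-with-parent"
        elif "PROMISC" not in parent.flags:
            result[vl.name] = "distinct-no-promisc"
        else:
            result[vl.name] = "distinct-ok"
    return result


def shared_macs(text: str) -> Dict[str, List[str]]:
    """MACs used by more than one interface: catches several VLANs that were
    given different MACs but all ended up answering with the same one."""
    by_mac: Dict[str, List[str]] = {}
    for iface in parse_ifconfig(text).values():
        if iface.ether:
            by_mac.setdefault(iface.ether, []).append(iface.name)
    return {mac: sorted(n) for mac, n in by_mac.items() if len(n) > 1}


if __name__ == "__main__":
    for name, status in check_vlan_macs(SAMPLE_IFCONFIG).items():
        print(f"{name:10} {status}")
    for mac, names in shared_macs(SAMPLE_IFCONFIG).items():
        print(f"{mac} shared by {', '.join(names)}")
```

Feed it the saved output of `ifconfig` from the box. A parent flagged PROMISC is also what GertJanT asks about: the NIC stops filtering by destination MAC and hands every frame it receives on the segment to the host for software filtering, so the flag is worth inventorying on routers where it is not expected.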
                                        
                                          JKnott @Wikai

                                          @Wikai

                                          First off, there's no need to hide the MAC address; it's never seen beyond the local LAN. The only instance where you might be worried is when you use IPv6 and MAC based addresses. Other than that, it's irrelevant.

                                          Now, I've noticed some curious things.

                                          1. You have one (em0.10) that's 192.168.1.1. Why didn't it get a public address?
                                          2. em0 has no IPv4 address. Why not?
                                          3. The different VLANs have different subnet mask lengths and broadcast addresses. How is this possible with the same DHCP server?
                                          4. em0.103 & 105, the broadcast address does not match the subnet mask.

                                          What happens if you ping those addresses from outside?

                                            Wikai @JKnott

                                            @JKnott
                                            They're on the WAN side and visible to my ISP (except for em0.10), other than that I agree ^^ The chances are slim. I know.

                                            1. em0.10 is my LAN vlan.
                                            2. It's just the way I set it up. em0.10 is my LAN vlan. They all get untagged in the switch anyway.
                                            3. Different DHCP servers and subnets. Ask my ISP... :-) I had to release/renew probably a hundred times in order to get each public IP on its separate subnet, in order for the gateway group/load balance to work.
                                            4. See 3. em0.103 & 105 netmasks are fffffe00, em0.102 ffffff80, em0.101 & 104 ffffff00.