MAC address spoofing on VLAN's and impressions from a second-try user
-
You have actually confirmed that allows pulling two IPs via DHCP?
-
Yes, I got 2 IP's!
-
@stephenw10 said in MAC address spoofing on VLAN's and impressions from a second-try user:
You have actually confirmed that allows pulling two IPs via DHCP?
@Rai80 said in MAC address spoofing on VLAN's and impressions from a second-try user:
Yes, I got 2 IP's!
I can confirm this works!
I'm now using a single-NIC Intel NUC as my home router, pulling 5 IPs from my ISP via DHCP and even load-balancing over them (yes... my ISP messed up giving me 100/100 per IP :)).
For years I thought this wasn't possible with pfSense, believing it had to be run virtualized in order to pull this off. But here I am, running a single-NIC bare metal.
Thank you @Rai80. -
Please show the output from ifconfig. If public addresses, feel free to edit the network part.
-
I am not familiar with the promiscous option.
But what I read from this:
Usually, your network interfaces will only pass the packets they are programmed to pass to your CPU. In promiscuous mode, your network interfaces will catch every single packet it receives on an interface.So, isn't here a performance downside to this usage?
-
@JKnott
Here you go.
em0.10 - LAN vlan
em0.101-105 WAN vlansShell Output - ifconfig em0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=1209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER> ether e4:ee:1a:xx:xx:xx hwaddr c0:3f:d5:xx:xx:xx inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0 prefixlen 64 scopeid 0x1 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (1000baseT <full-duplex>) status: active em0.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=3<RXCSUM,TXCSUM> ether e4:ee:1a:xx:xx:xx inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0.10 prefixlen 64 scopeid 0x6 inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 10 vlanpcp: 0 parent interface: em0 groups: vlan em0.101: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=3<RXCSUM,TXCSUM> ether 1c:b7:2c:xx:xx:xx inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0.101 prefixlen 64 scopeid 0x7 inet xxx.xxx.xxx.8 netmask 0xffffff00 broadcast xxx.xxx.xxx.255 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 101 vlanpcp: 0 parent interface: em0 groups: vlan em0.102: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=3<RXCSUM,TXCSUM> ether 1a:c9:8e:xx:xx:xx inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0.102 prefixlen 64 scopeid 0x8 inet xxx.xxx.xxx.17 netmask 0xffffff80 broadcast xxx.xxx.xxx.127 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 102 vlanpcp: 0 parent interface: em0 groups: vlan em0.103: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=3<RXCSUM,TXCSUM> ether 90:1b:0e:xx:xx:xx inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0.103 prefixlen 64 scopeid 0x9 inet xxx.xxx.xxx.47 netmask 0xfffffe00 broadcast xxx.xxx.xxx.255 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 103 vlanpcp: 0 parent interface: em0 groups: vlan em0.104: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=3<RXCSUM,TXCSUM> ether fe:b3:33:xx:xx:xx inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0.104 prefixlen 64 scopeid 0xa inet xxx.xxx.xxx.240 netmask 0xffffff00 broadcast xxx.xxx.xxx.255 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 104 vlanpcp: 0 parent interface: em0 groups: vlan em0.105: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=3<RXCSUM,TXCSUM> ether e4:ee:1a:xx:xx:xx inet6 fe80::xxxx:xxxx:xxxx:xxxx%em0.105 prefixlen 64 scopeid 0xb inet xxx.xxx.xxx.230 netmask 0xfffffe00 broadcast xxx.xxx.xxx.255 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 105 vlanpcp: 0 parent interface: em0 groups: vlan -
First off, there's no need to hide the MAC address it's never seen beyond the local LAN. The only instance where you might be worried is when you use IPv6 and MAC based addresses. Other than that, it's irrelevant.
Now, I've noticed some curious things.
- You have one (em0.10) that's 192.168.1.1. Why didn't it get a public address?
- em0 has no IPv4 address. Why not?
- The different VLANs have different subnet mask lengths and broadcast addresses. How is this possible with the same DHCP server?
- em0.103 & ,105, the broadcast address does not match the subnet mask.
What happens if you ping those addresses from outside?
-
@JKnott
They're on the WAN side and visible to my ISP (except for em0.10), in other than that I agree ^^ The chances are slim. I know.- em0.10 is my LAN vlan.
- It's just the way I set it up. em0.10 is my LAN vlan. They all get untagged in the switch anyway.
- Different DHCP servers and subnets. Ask my ISP... :-) I had to release/renew probably a hundred times in order to get each public IP on its separate subnet, in order for the gateway group/load balance to work.
- See 3. em0.103 & 105 netmasks are fffffe00, em0.102 ffffff80, em0.101 & 104 ffffff00.
-
@Wikai said in MAC address spoofing on VLAN's and impressions from a second-try user:
Different DHCP servers and subnets. Ask my ISP... :-) I had to release/renew probably a hundred times in order to get each public IP on its separate subnet, in order for the gateway group/load balance to work.
Then it's not stable. If you have a power failure, will you get the same when you boot up?
See 3. em0.103 & 105 netmasks are fffffe00, em0.102 ffffff80, em0.101 & 104 ffffff00.
You have fe.00 on some with broadcast .255 and others ff. If your broadcast is actually x.x.x.255, you mask must be ffffffffff00
Fire up Packet Capture and filter on DHCP. Then disconnect/reconnect the WAN cable and see if you have different MACs for each VLAN. You'll want to download the capture, so that you can examine it with Wireshark.
-
Then it's not stable. If you have a power failure, will you get the same when you boot up?
Yes. I've been running the same setup but on a multi-NIC machine for over a year with no issues.
My ISP reserves the IPs for each MAC address for up to 24 hours I believe. The release/mac-spoof/renew was only for the initial setup.
I carried the spoofed MAC addresses over to my new setup (the NUC) to make sure I didn't have to do it again.You have fe.00 on some with broadcast .255 and others ff. If your broadcast is actually x.x.x.255, you mask must be ffffffffff00
IP xxx.xxx.7.47
Gateway xxx.xxx.6.1
Netmask 255.255.254.0
Broadcast xxx.xxx.7.255Fire up Packet Capture and filter on DHCP. Then disconnect/reconnect the WAN cable and see if you have different MACs for each VLAN. You'll want to download the capture, so that you can examine it with Wireshark.
Don't have the time right now. I'll reply again later.
-
@JKnott
Here's a montage of a packet capture on my WAN5 (em0.105) as i disconnect and reconnect the cable between the switch and single NIC.
It seems I've misconfigured something as I'm able to see the DHCP requests of the other vlans on the packet capture of WAN5.
It seems to be working fine, but this shouldn't be happening if the vlans truly were isolated, right?As you can see in frame 61 the spoofed vlan MAC shows up as source in the request and in frame 64 it's ACK'd.
Edit: Here's a pic of a speedtest on a site that supports measuring via web sockets. I'm supposed to only have 100/100 :-)
-
The DHCP request should not be on the same VLAN. From where did you do this capture?
On the primary interface you should see VLAN ID's.
-
@Rai80
Capture was done on one of the WAN vlan interfaces.
I don't even have the primary interface (em0) assigned in pfSense. I'm only using its vlans for my setup (em0.10 LAN, em0.101-105 WANs) which then get untagged in my switch.I'll try to explain my setup.
Grab a seat. This is probably the weirdest home pfSense setup you'll come across.I've got a 100/100 Mbps FTTH connection with 5 public IPs through DHCP.
About 2 years ago I was amazed to find out I could actually pull 100/100 Mbps per public IP (probably misconfig on my ISP's part...)
So I built my first pfSense box with a total of 6 Intel NICs (5 WAN, 1 LAN) and setup a WAN load balance, which gave me 500/500 Mbps in applications that support connections over multiple sockets.I recently got my hands on a cheap Intel NUC. Tiny fella with AES-NI support.
Downside? Only 1 NIC. So I thought I'd give VLANs a go.
I googled for info and people kept saying it'd have to be run virtualized (in order to get unique MACs for each vlan interface).
Then I found your post and decided to give it a try.
So yesterday I installed pfSense on the NUC and played around with VLANs for the first time, and this is the setup I came up with (pic below).I'm actually not having any issues with it (so far). I just wanted to confirm that your mwexec-method of giving the VLAN interfaces their own MAC addresses does in fact work :-)
-
So I built my first pfSense box with a total of 6 Intel NICs (5 WAN, 1 LAN)
Is that what you were using? I thought you had a single interface with multiple VLANs that were getting their own IPs, something that shouldn't be happening with VLANs on a single interface.
Also, a tip, when you use Wireshark to display the capture, turn on the VLAN ID, so we know which VLAN you're referring to. A sketch would also be useful, so that we know what you're actually doing.
If you're using multiple NICs, then you're doing nothing different than what I do here, when I plug a computer into the 2nd port on my cable modem and get an address.
-
@JKnott
No, that's my old setup.
I've replaced it with a single-NIC Intel NUC using vlans. Finish reading the post :D (There's an image in the spoiler)
