Broadcast packets duplicated across VLAN
-
@nazuro said in Broadcast packets duplicated across VLAN:
I am dreading the thought of starting again if I'm honest. Am seemingly so close with the perfect setup for me it's just these damn broadcast packets that seem to get duplicated. Perhaps I have a dodgy switch or NIC on my pfSense box. I just can't think what else could cause these duplicated broadcast packets.
The thing is I don't think you really have it configured correctly. I can see only 2 things that should be VLANs, guest WiFi and IoT. I still have absolutely no idea why your VPN is on a VLAN, when it shouldn't even be on the LAN side at all. A VPN is used to connect computers or networks securely over the Internet and normally terminate on the firewall/router.
-
So yeah that doesn't make any sense.. What is this 13.147 address?
And this 11.103 is no way its multihomed? And or could tag traffic? Is it a wired device or wireless?
Pfsense shouldn't ever see that traffic unless sent to its mac (its the gateway).. Unless it was broadcast..
can you get a sniff of this traffic? On pfsense interface and post the pcap..
Those firewall entries are 9 seconds apart, so its not like a duplication of traffic.. It would have to be sent separately. I can't see how something duplicating traffic, or any sort of loop, etc. showing the hits 9 seconds apart..
So to me - these were actually sent by the .103 device to 2 different gateway. Too the vpn pfsense IP, and the main pfsense IP.. How these device could talk to these different pfsense IPs when they are in different vlans makes no sense - if the vlans are correctly isolated and being tagged correctly..
edit: To his vpn vlan, I take it that is just what he is calling this vlan, because he wants to route this out his vpn connection.. That is my take on that name.
edit2: If its a wireless device this 103 device - could it be switching wifi ssids? That could explain sending traffic to vpn vlan gateway on vlan X, and then few seconds latter sending same traffic to vlan Y gateway.
-
Further on this. Several years ago, I had one job that had 3 VLANs. It was a senior citizens residence, occupying 3 towers. In addition to the main native LAN for the office, there were VLANs for VoIP, network management and Internet to the resident's rooms. That is the only time I've had that many VLANs and I don't understand why you need 4.
-
@jknott said in Broadcast packets duplicated across VLAN:
why you need 4.
You don't understand why someone might want to isolate wifi to more than 4 vlans? Come on!
I have 4, and really could use more.. My main trusted vlan, my psk vlan, my roku vlan, and then a guest vlan.
I could see busting out a few more.. I have a few different devices sharing my psk vlan.. I could see breaking those out to different vlans for different devices, etc. For example when I setup some camera's I would want those on their own camera vlan. And I should really break out all my lightbulbs to their own vs being on the same vlan as my other iot devices.. Just lazy and let them share the same vlan..
edit: Thinking about this for a few minutes - my "guess" is this 103 device is wireless and its changing the ssid its connected to. Say for example when it cant get to that 13.147 address via the vpn ssid, it jumps to another ssid to try and get there. That would explain the 9 second span between firewall hits.
-
I can understand why there might be a need for more VLANs. What I don't understand is why he needs 4, based on what he's mentioned. For example, what's with the VPN on a VLAN? Where does the VLAN terminate? If other than on pfsense, that complicates routing. As discussed, the main LAN also shouldn't be on a VLAN. That leaves 2. Sure, I could put my TV on it's own VLAN, but the guest WiFi is good enough for that. Even then, the only reason the TV isn't on my main LAN is it chokes on the 63 character password I use on it. I suppose I could put my IPTV boxes on a separate VLAN, but haven't bothered.
-
@jknott said in Broadcast packets duplicated across VLAN:
what's with the VPN on a VLAN?
My take and have seen many users do this.. They create a vlan, that all devices on this vlan are routed out a vpn connection. So for example if he wants to use the vpn on his phone for "something" he just changes the ssid he is connected to. Maybe netflix doesn't work via the vpn, so when he wants to watch netflix on is phone he changes to different ssid that is not routed out the vpn.
-
I suppose I could give my dog & cat their own VLANs.
-
@jknott clearly - they should not be on the same ;) that is for sure - they would just fight ;)
-
Apologies for any confusion. John is correct that VPN is just what I'm calling my VLAN. It enables me to connect physical / wireless devices to it and that traffic then exits via OpenVPN to the internet via an AirVPN endpoint.
My 11.103 address is MacBook Pro wireless. 13.147 is my iPad. I did just have a particularly bad bout of wireless problems and observed this in the logs. I don't believe my MacBook is switching SSIDs and did previously confirm this by forgetting all SSIDs apart from the Main.
I have followed this guide pretty closely https://nguvu.org/pfsense/pfsense-baseline-setup/. Perhaps I am out of my depth - I am working through CISSP at the moment but still much different in practice than in theory. I found it easier conceptually to leave the parent interface (LAN) as just that, and have four different VLANs that I would use operationally and could easily apply firewall rules to each of the virtual interfaces without interfering with the parent interface.Things do seem quite a bit worse now since I tweaked the Unifi settings and minor changes on the switch. I'm going to try put everything back to how it was, and do more analysis specifically on what I'm seeing with these firewall logs and get another pcap. Appreciate both of your help very much so.
edit: Perhaps if there's some way of me locally tagging traffic from my MacBook on VLAN 11 I could plug directly in to the LAN on pfSense and rule out an issue with the switch.
-
I've just taken a short pcap on LAN port on pfSense. 192.168.11.103 is still my MacBook and I renewed the DHCP lease twice during the pcap pcap7.pcap
-
And here you go.. Here is arp announcement from your apple - tagged with both 11 and 13
Here is your dhcp also 1 tagged 11, other 13
So yes pfsense would see this on both of its vlan interfaces, because the traffic tagged. So either your apple is tagging this traffic, or your wifi is doing it.. But that explains why pfsense is seeing the traffic on both interfaces - because its tagged for both vlans
-
@johnpoz Understood. Problem is it's not just my Apple but also other devices (wired and wireless) including windows too. Must be something happening on the Netgear switch then I suppose, although it's a fairly standard 802.1Q setup I have got going on.
-
What wired device in that sniff? So I can look for those.
Nothing else jumped out at me..
This is ODD.. you have this unifi mac asking for who is 11.1 with 11 and 13 tagged
what is 11.9?
-
@johnpoz 192.168.11.117 in this pcap is wired in to the switch on an Untagged VLAN 11 port (wireless on this laptop is turned off) pcap8.pcap
edit: 11.9 is the IP address of the Unifi AP
-
who is this
asking for 13.100, from 13.1 in both 11 and 13..
Something for sure is all messed up..
-
@johnpoz 00:1b:21:33:9e:e9 is the MAC address of the LAN NIC (igb1) in pfSense. Therefore igb1.1, igb1.2, igb1.3, igb1.4 also share the same MAC address
-
This post is deleted! -
@johnpoz said in Broadcast packets duplicated across VLAN:
asking for 13.100, from 13.1 in both 11 and 13..
Something for sure is all messed up..In case you are interested, I contacted Netgear support and they say it's an issue with my switch:
"As I have this inquired to my senior experts, seems like the behavior of GS116ev2 Plus Switch is causing the issue for the certain VLAN. Since GS116Ev2 does not have native VLAN nor management VLAN ID, any DHCP request is being sent to all ports. As advised and to have this be corrected, Smart Pro switches are recommended."
