2.4: broadcast packets from LAN in WAN firewall log
-
In the firewall logs I see, associated with WAN firewall rules, entries related to packets coming from the LAN interface with the LAN broadcast address as destination (in my case 192.168.1.255).
Please note: this happens even if I create a rule (on LAN) to block all ingress packets with destination 192.168.1.255; it seems that broadcast traffic from LAN is also seen by the firewall as coming in/ingress from WAN.
No trace of this in the previous 2.3.3/2.3.4.
-
That can only happen if those packets enter your WAN. Your WAN and LAN(s) all appear to be on the same switch/layer 2 without proper segmentation.
-
Thanks for your reply.
In this case it seems impossible: the WAN interface is not connected to the LAN switch but directly to a VDSL modem (IPoE, DHCP, modem in bridged mode).
-
The packets have to be entering that interface somehow, and not even a bridge on the firewall could do that. Something must be sending the packets into that interface at layer 2.
-
Post the output of 'ifconfig' as run from Diagnostics->Command Prompt->Execute Shell Command
-
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether a0:36:9f:::**
        inet6 fe80::a236:9fff:fe**:%igb0 prefixlen 64 scopeid 0x1
        inet6 2001:b07:::10 prefixlen 72
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether a0:36:9f:::**
        inet6 fe80::a236:9fff:fe**:%igb1 prefixlen 64 scopeid 0x2
        inet 192.168.3.10 netmask 0xffffff00 broadcast 192.168.3.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether a0:36:9f:::**
        inet6 fe80::a236:9fff:fe**:%igb2 prefixlen 64 scopeid 0x3
        inet6 2001:b07:::400::10 prefixlen 72
        inet 192.168.4.10 netmask 0xffffff00 broadcast 192.168.4.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether a0:36:9f:::**
        inet6 fe80::a236:9fff:fe**:%igb3 prefixlen 64 scopeid 0x4
        inet 192.168.5.10 netmask 0xffffff00 broadcast 192.168.5.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether a0:36:9f:::**
        inet6 fe80::a236:9fff:fe**:%igb4 prefixlen 64 scopeid 0x5
        inet 2...226 netmask 0xfffff800 broadcast 2...255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: enc
pflog0: flags=100<PROMISC> metric 0 mtu 33160
        groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
        groups: pfsync
        syncpeer: 224.0.0.240 maxupd: 128 defer: on
        syncok: 1
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::a236:9fff:fe**:%ovpns1 prefixlen 64 scopeid 0xd
        inet 192.168.2.1 --> 192.168.2.2 netmask 0xffffff00
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: tun openvpn
        Opened by PID 23577
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1480
        options=80000<LINKSTATE>
        tunnel inet 2...226 --> 81...214
        inet6 2001:b07:::: --> 2001:b07:::: prefixlen 128
        inet6 fe80::a236:9fff:fe**:****%gif0 prefixlen 64 scopeid 0xa
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: gif
-
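The replies above make one point: a packet logged "in" on the WAN interface with a LAN broadcast destination has physically arrived on the WAN NIC, which means some layer-2 path exists between the LAN segment and WAN. The following script is an added example (not from the thread or from pfSense) of how a defender can check for that symptom offline: it takes the firewall's own interface subnets from ifconfig-style `inet ... netmask ...` lines, computes each LAN-side directed broadcast address, and flags firewall-log entries that are inbound on the WAN interface and addressed to one of those broadcasts. The log lines and interface addresses below are constructed for the example, and the CSV field layout used for the log lines (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, ..., source, destination) is an assumption modelled on the pfSense filterlog format; adjust `parse_filterlog` if your export differs.

```python
"""Flag firewall-log entries that arrive inbound on the WAN interface but are
addressed to the directed broadcast of one of the firewall's own LAN subnets.

Added example, not pfSense code. The ifconfig excerpt and the log lines are
constructed; the log field layout is an assumption modelled on filterlog.
"""
import ipaddress
import re

# Constructed ifconfig excerpt (addresses are documentation/example ranges).
IFCONFIG_SAMPLE = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::1%igb0 prefixlen 64 scopeid 0x1
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.3.10 netmask 0xffffff00 broadcast 192.168.3.255
igb4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.226 netmask 0xfffff800 broadcast 203.0.119.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""

# Constructed log lines in the assumed filterlog-style CSV layout:
# index 4 = interface, 7 = direction, 8 = IP version, 18 = src, 19 = dst.
LOG_SAMPLE = [
    "5,,,1000000103,igb4,match,block,in,4,0x0,,64,1,0,none,17,udp,78,192.168.1.20,192.168.1.255,137,137,58",
    "5,,,1000000103,igb4,match,block,in,4,0x0,,64,2,0,none,17,udp,78,198.51.100.7,203.0.113.226,443,51000,58",
    "12,,,1000000201,igb0,match,pass,in,4,0x0,,64,3,0,none,17,udp,78,192.168.1.20,192.168.1.255,137,137,58",
]

# Matches the indented 'inet <addr> netmask 0x........ [broadcast <addr>]' lines.
_INET_RE = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]{8})(?: broadcast (\S+))?")


def parse_ifconfig(text):
    """Return {interface: IPv4Network} built from each interface's inet line."""
    nets = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # Interface header line, e.g. 'igb0: flags=...'
            current = line.split(":", 1)[0]
            continue
        m = _INET_RE.match(line)
        if m and current:
            addr, mask_hex = m.group(1), m.group(2)
            mask = ipaddress.IPv4Address(int(mask_hex, 16))
            nets[current] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return nets


def parse_filterlog(line):
    """Return (interface, direction, dst IPv4Address) or None for non-IPv4 lines."""
    fields = line.split(",")
    if len(fields) < 20 or fields[8] != "4":
        return None
    return fields[4], fields[7], ipaddress.IPv4Address(fields[19])


def find_leaked_broadcasts(ifconfig_text, log_lines, wan_if):
    """Log lines inbound on wan_if whose destination is the directed broadcast
    of a subnet configured on some other (LAN-side) interface.

    A hit means a frame for that address reached the WAN NIC at layer 2,
    which is the layer-2 leakage the thread discusses; rules on the LAN
    interface cannot block it because it never entered through LAN.
    """
    nets = parse_ifconfig(ifconfig_text)
    lan_bcasts = {
        net.broadcast_address: name
        for name, net in nets.items()
        if name != wan_if and net.prefixlen < 31  # /31 and /32 have no broadcast
    }
    hits = []
    for line in log_lines:
        parsed = parse_filterlog(line)
        if parsed is None:
            continue
        iface, direction, dst = parsed
        if iface == wan_if and direction == "in" and dst in lan_bcasts:
            hits.append((lan_bcasts[dst], str(dst), line))
    return hits


if __name__ == "__main__":
    for lan_if, bcast, line in find_leaked_broadcasts(IFCONFIG_SAMPLE, LOG_SAMPLE, "igb4"):
        print(f"WAN saw broadcast for {lan_if} ({bcast}): {line}")
```

Only the first constructed line is reported: it is inbound on igb4 (the WAN) and addressed to 192.168.1.255, the broadcast of igb0's subnet. The second line is ordinary inbound WAN traffic and the third is the same broadcast seen where it belongs, on igb0. A non-empty result is the cue to look at the physical path into the WAN port (switch, VLAN trunk, modem in bridge mode) rather than at the firewall rules.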
Anyway, I can't explain how and why... but there is no more trace of "strange" traffic in the WAN firewall log in the last 12h.