MAC address spoofing on VLAN's and impressions from a second-try user



  • I had a little disaster with my Linux-based router yesterday (the root disk died on me and idiot me didn't have a backup) leaving me without internet or TV. When I originally set up this router, about 2 years ago, I had a look at PFSense and couldn't get it to work correctly on my network due to a bug (you could arguably call it a missing feature) in PFSense.

    So yesterday, wanting to get something up and running quickly, I decided to give PFSense another go.

    My router is build around an Asus P9D-I with integrated i210 NIC's, a Celeron CPU and 4GB of ECC RAM. It's is used as a NAT router for a gigabit fiber connection, as an IGMP proxy for IPTV, as a DHCP server and caching DNS server.

    Sadly, I have to say the issue that I had 2 years ago still isn't resolved and as a result it's impossible to run PFSense as a router for my network.

    The situation: the link to my ISP is a trunked connection with 2 VLAN's. One VLAN is used for Internet, the other is used for IPTV. From the LAN side, both need to be accessible for IPTV to work.

    The problem: On the WAN side, both VLAN's need to use a different MAC address. If I use the same MAC on both VLAN interfaces, only the last one to do DHCP gets network access. On my Linux router, this is easy. It's a single line in the 'interfaces' file to set a different MAC on one of the virtual interfaces and everything works as expected. On PFSense I can enter a MAC address for each virtual interface, but when I bring the interfaces up the second interface to activate overwrites the MAC of the first virtual interface on the same physical network card.

    Some other random impressions/thoughts as second-try user

    • The web interface looks and feels very outdated, I would have expected it to behave more like a web-app instead of each click resulting in a completely new page loading from the server

    • The actual firewall rules are not very transparent, there seem to be a lot of implicit hidden rules that are not visible in the UI. The way the rules are shown per-interface doesn't tell me how a packet traverses the list of rules and where the floating rules fit into the order of things. I feel it takes too much control away from me and I would prefer every rule to be explicit.

    • Ultimately, I was/am uncomfortable with the amount of stuff running on PFSense. There is just way too much going on for my taste, like a webserver running PHP.  I like the idea of having a user-friendly UI to configure stuff, but it should be optional and not be running on the router itself.



  • What you are looking to do isn't supported by the underlying operating system, however, a possible workaround would be to use a second WAN interface, then connect both WAN interfaces to a small switch and plug the ISP's connection into that switch.  Voila, you have 2 MAC addresses on 2 interfaces, which you can configure as you see fit.


  • Galactic Empire

    Yup it changes the parent interfaces and all the vlan interfaces assigned to it.

    I wonder if the interface page should even show the option to change mac and "This field can be used to modify ("spoof") the MAC address of this interface.
    Enter a MAC address in the following format: xx:xx:xx:xx:xx:xx or leave blank." if it's a VLAN.

    I'm going to pop in a redmine.



  • @awebster:

    What you are looking to do isn't supported by the underlying operating system

    But it is supported by the underlying hardware, so this is a failure of the underlying OS.

    Sure, there are workaround possible but then I would have to buy additional hardware just to do something the existing hardware already supports. It adds more possible points of failure, etc.

    What I'm actually doing is going back to Linux and checking back in a few years.



  • @NogBadTheBad:

    Yup it changes the parent interfaces and all the vlan interfaces assigned to it.

    It seems weird to me. It's such a basic feature to support multiple virtual interfaces per physical interface. It's used extensively in virtualisation for example, and most NIC's explicitly support having multiple MAC's. IIRC the i210's on my box support up to 16 MAC's.



  • But it is supported by the underlying hardware, so this is a failure of the underlying OS.

    FreeBSD, the underlying OS, is not pfSense.  If you want the underlying OS to support the hardware the way you want it to, I suggest you take that up in the FreeBSD forums.



  • @awebster:

    But it is supported by the underlying hardware, so this is a failure of the underlying OS.

    FreeBSD, the underlying OS, is not pfSense.  If you want the underlying OS to support the hardware the way you want it to, I suggest you take that up in the FreeBSD forums.

    PFSense made the decision to build their stuff on top of FreeBSD. PFSense as a whole is the product they are selling, who supplies their parts is not my concern. All I see as an end-user is that PFSense as a product can not support my fairly trivial use-case. It's also lacking support for other essential features. E.g. no support for fq_codel.  It looks to me like PFSense as a router OS is still a bit of a toy and not a real serious product.



  • Dude,
    I'm sorry that something that you got completely free didn't work for your home setup. You could just go back to your Linux box and call it a day instead of starting a troll thread. While it would be good to support this, getting dhcp on two vlans has never been a requirement in any business case I've seen. If you think it's a toy, go ahead and use something else, but it works just fine for many others in home and business environments. I don't know why you want to keep checking back when you obviously think the software sucks.



  • @Aaargh!:

    @awebster:

    But it is supported by the underlying hardware, so this is a failure of the underlying OS.

    FreeBSD, the underlying OS, is not pfSense.  If you want the underlying OS to support the hardware the way you want it to, I suggest you take that up in the FreeBSD forums.

    PFSense made the decision to build their stuff on top of FreeBSD. PFSense as a whole is the product they are selling, who supplies their parts is not my concern. All I see as an end-user is that PFSense as a product can not support my fairly trivial use-case. It's also lacking support for other essential features. E.g. no support for fq_codel.  It looks to me like PFSense as a router OS is still a bit of a toy and not a real serious product.

    FYI, fq_codel is support will be included in pfSense 2.4, since it is based on FreeBSD 11 which added fq_codel.

    http://caia.swin.edu.au/freebsd/aqm/

    I understand that you have complaints (who doesn't?) but you seem like you are a bit more focused on finding reasons to complain rather than finding solutions to your problems.

    I'd be the first to say that Linux has more modern networking features and if that's what you want/need, there's nothing wrong with choosing Linux, but I am slightly confused with you saying unconstructive, trollish things like pfSense "is still a bit of a toy and not a real serious product".


  • Rebel Alliance Global Moderator

    Can you not just set mac on a vlan like this?

    ifconfig vlan0 lladdr fe:e1:ba:d0:84:0e

    This would be a very unique case that you would need to do such a thing - but simple test shows it works

    [2.4.0-BETA][root@pfsense.local.lan]/root: ifconfig em2_vlan900
    em2_vlan900: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
            options=3 <rxcsum,txcsum>ether 00:50:56:00:00:03
            inet6 fe80::250:56ff:fe00:3%em2_vlan900 prefixlen 64 scopeid 0xe
            inet 192.168.99.253 netmask 0xffffff00 broadcast 192.168.99.255
            nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            vlan: 900 vlanpcp: 0 parent interface: em2
            groups: vlan
    [2.4.0-BETA][root@pfsense.local.lan]/root: ifconfig em2_vlan900 lladdr fe:e1:ba:d0:84:0e
    [2.4.0-BETA][root@pfsense.local.lan]/root: ifconfig em2_vlan900
    em2_vlan900: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
            options=3 <rxcsum,txcsum>ether fe:e1:ba:d0:84:0e
            inet6 fe80::250:56ff:fe00:3%em2_vlan900 prefixlen 64 scopeid 0xe
            inet 192.168.99.253 netmask 0xffffff00 broadcast 192.168.99.255
            nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            vlan: 900 vlanpcp: 0 parent interface: em2
            groups: vlan
    [2.4.0-BETA][root@pfsense.local.lan]/root:

    You would most likely need to do something or that would not survive a reboot.  I would just add a new nic if I need two different mac on the wan side of pfsense.</full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast>



  • @johnpoz:

    Can you not just set mac on a vlan like this?

    Check it yourself … you'll find that only one of those MACs (last or first, I don't remember) gets used on all VLANs.



  • @jahonix:

    @johnpoz:

    Can you not just set mac on a vlan like this?

    Check it yourself … you'll find that only one of those MACs (last or first, I don't remember) gets used on all VLANs.

    It's the last VLAN MAC address used.