vlan vulnerability or inevitability?
Hello!
Here is 2.4.4-RELEASE-p1 on board. Four native gigabit interfaces on a Supermicro board and one PCI mellanox-connectx-2-10gb-sfp.
Let's look at a problem with the 10G interface:
multiple VLANs are created on mlxen0: mlxen0.141, mlxen0.142, mlxen0.143, mlxen0.144, mlxen0.921.
The interface assigned on mlxen0.921 with static IPv4 is up and working.
Also, interfaces mlxen0.141, mlxen0.142, mlxen0.143 and mlxen0.144 are assigned but have no IP settings at all and are down.
So pfSense notes incoming broadcast and multicast on mlxen0.141 and mlxen0.144 in the log messages:

filterlog: 9,,,1000000103,mlxen0.144,match,block,in,4,0x0,,128,14134,0,none,17,udp,68,172.20.15.1,255.255.255.255,49666,1947,48

f81c0de1-6273-11e9-b2cf-000c295486b2
action block
data_length 48
dest_ip 255.255.255.255
dest_port 1947
direction in
facility local0
flags none
id 14134
iface ---> mlxen0.144 <---
ip_ver 4
length 68
level 6
message filterlog: 9,,,1000000103,mlxen0.144,match,block,in,4,0x0,,128,14134,0,none,17,udp,68,172.20.15.1,255.255.255.255,49666,1947,48
offset 0
pfs_app filterlog
proto udp
proto_id 17
reason match
rule 9
source pfs.local
src_ip 172.20.15.1
src_port 49666
timestamp 2019-04-19T07:21:45.000Z
tos 0x0
tracker 1000000103
ttl 128

while the ifconfig output is:

ifconfig mlxen0.144: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 00:02:c9:56:51:b2
	inet6 fe80::202:c9ff:fe56:51b2%mlxen0.144 prefixlen 64 scopeid 0x14
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (10Gbase-SR <full-duplex,rxpause,txpause>)
	status: active
	vlan: 144 vlanpcp: 0 parent interface: mlxen0
	groups: vlan

Status is active, but in the pfSense GUI the interface is disabled. So, what is that disable checkbox doing?
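
As an added example (not part of the original post, and not pfSense's own code), the filterlog line quoted above can be split into the same named fields the post lists, and blocked inbound packets counted per interface for the VLANs that are expected to be silent. The function names and the two sample lines marked as constructed are assumptions; the field order follows the decoded fields shown in the post and covers only the IPv4 + UDP case.

```python
import csv
from collections import Counter

# Field order taken from the decoded fields in the post (IPv4 + UDP case).
COMMON = ["rule", "sub_rule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ip_ver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src_ip", "dest_ip"]
UDP = ["src_port", "dest_port", "data_length"]

def parse_filterlog(line):
    """Return a dict for one 'filterlog:' message, or None if it does not parse."""
    _, sep, payload = line.partition("filterlog:")
    fields = next(csv.reader([payload.strip()]), []) if sep else []
    if len(fields) < len(COMMON):
        return None
    rec = dict(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    if rec["ip_ver"] != "4" or len(rest) < len(IPV4):
        return rec  # other layouts: keep only the common header fields
    rec.update(zip(IPV4, rest))
    if rec["proto"] == "udp" and len(rest) >= len(IPV4) + len(UDP):
        rec.update(zip(UDP, rest[len(IPV4):]))
    return rec

def blocked_inbound(lines, quiet_ifaces):
    """Count blocked inbound packets per (iface, src_ip, dest_ip, dest_port)
    on interfaces that are expected to carry no traffic."""
    hits = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if not rec or rec["iface"] not in quiet_ifaces:
            continue
        if rec["action"] == "block" and rec["direction"] == "in":
            hits[(rec["iface"], rec.get("src_ip"),
                  rec.get("dest_ip"), rec.get("dest_port"))] += 1
    return hits

SAMPLE = [
    # Line quoted in the post:
    "filterlog: 9,,,1000000103,mlxen0.144,match,block,in,4,0x0,,128,14134,0,none,17,udp,68,172.20.15.1,255.255.255.255,49666,1947,48",
    # Constructed lines (addresses, rule and tracker numbers are made up):
    "filterlog: 9,,,1000000103,mlxen0.141,match,block,in,4,0x0,,1,4021,0,none,17,udp,73,192.0.2.10,224.0.0.251,5353,5353,53",
    "filterlog: 60,,,1000000200,mlxen0.921,match,pass,in,4,0x0,,64,2210,0,none,17,udp,60,192.0.2.20,192.0.2.1,40000,53,40",
]

if __name__ == "__main__":
    quiet = {"mlxen0.141", "mlxen0.142", "mlxen0.143", "mlxen0.144"}
    for key, n in sorted(blocked_inbound(SAMPLE, quiet).items()):
        print(n, *key)
```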