Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to check/enable antispoofing

    Scheduled Pinned Locked Moved Firewalling
    34 Posts 3 Posters 4.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      panicos
      last edited by panicos

      Hello,

      I have a virtual pfsense and i guess antispoofing is not working on it. It should, but i don t think it is working, because i have the following scenario:

      • host A "just a machine" connected to pfsense on vlan 40
      • host B "server" connected to pfsense with two interfaces: one interface vlan 35, another interface on vlan 100. Host B has default route on vlan 35 and no gateway/no route on vlan 100.

      When i connect (ssh, http, whatever) from host A to host B (using vlan 100 interface of host B), it works. This is asymmetric traffic: returning traffic expected on interface vlan 100 of the firewall goes actually through interface vlan 35.
      Image bellow explains the behaviour.
      asymmetric.JPG

      Why isn't the firewall blocking this traffic? Is the antispoofing off? I tried to follow the manual in an attempt of finding the configurations for antispoofing, but it is not clear where these can be found.

      I have no floating rules.

      Final question: how can i enable antispoofing on pfsense?

      Thx

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        Yeah I don't think its working how you think its working.. You sure your not source natting the traffic there on your vlan 100 interface of your pfsense.

        Lets see the sniffs on this server of your traffic entering on vlan 100 interface, and then answer going out vlan 35 interface..

        Forget the asymmetrical... Your clients wouldn't accept the answer.. I wanted to talk to 10.100.100.7, sure not going to think that answer from 172.35.35.6 is valid..

        Your client itself would say F off!!!

        also want to see the sniff on this machine showing a syn going out to 100.x and getting syn,ack from 172.35 and thinking that is ok..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • P
          panicos
          last edited by panicos

          Hello Johnpoz,

          "Forget the asymmetrical... Your clients wouldn't accept the answer.. I wanted to talk to 10.100.100.7, sure not going to think that answer from 172.35.35.6 is valid.."

          The address does not change from 10.100.100.7 to 172.35.35.6; it just gets routed through 172.35.35.6 interface, but it does not hide behind its IP.

          Please see files attached with tcpdumps and wireshark capture on the source host.

          traffic.txt host_traffic.JPG

          The IPs in the captures are the real ones (they are a bit different from the drawing, but it is the same situation anyway).
          Let me know if i should add other details as well.

          Thx

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            @panicos said in How to check/enable antispoofing:

            it just gets routed through 172.35.35.6 interface, but it does not hide behind its IP.

            Doesn't work that way - not possible!

            Dude your on VM interfaces and and a lagg (what are the members of the lag?) And what is your configuration of the vswitches your connecting too.. You doing VST, VGT or EST? You clearly have some tags going on there, but how are you doing the tags in the vswitches, and how do you have them connected via physical into this VM host that is running pfsense.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • P
              panicos
              last edited by

              @johnpoz said in How to check/enable antispoofing:

              oo.. You doing VST, VGT

              Well, dude, i don't really have a lot of knowledge with ESX, but i guess i am doing VST and EST. It goes like this:

              Pfsense is virtual, hosted on a server which is using vswitch (not vDswitch). This host is physically connected to a cisco switch with a trunk allowing all vlans (at both ends of the link). Further on, the physical server with the lagg is connected to the cisco switch as follows:
              -one physical interface (vlan 100)
              -4 physicall interfaces in LACP (vlan 35). So a portchannel made up of 4 physical interfaces.

              Is there a problem with the setup?

              "Doesn't work that way - not possible!" -> possible or not, it is what i see in the dumps, if i am not missing something. Have you seen the dumps?

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz

                Your missing the tags being added or not added, and you have a lagg interface, so what physical interface is running.

                What do you have set for your vswitches in esxi?

                This host is physically connected to a cisco switch with a trunk allowing all vlans (at both ends of the link).

                So this esxi box has 1 physical interface? Connected your vswitch, what is the vlan id set on the port group in the vswitch that your physical nic is connected too. If your doing VST, then your handling the tags... in the vswitch and they would be removed before sent to the VM... So why would you have pfsense interfaces set as vlans and not different vnics..

                So yeah you got something major messed up.. If your thinking traffic is routing out different physical interface of physical server with IP address X on it with IP Y as the source traffic - that is NOT going to happen..

                What you having going in is lack of tags and amounts to running multiple layer 3 networks on the same layer 2.. What your describing if the vlans were correctly isolated just can not happen.. So clearly you have something wrong with your vlan isolation.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • P
                  panicos
                  last edited by panicos

                  "Your missing the tags being added or not added, and you have a lagg interface, so what physical interface is running."
                  Not so sure about missing tags. I rally cannot find an issue with the layer 2, but maybe i miss something.
                  Lagg interface is a bundle of 4 interfaces. as i previously stated:
                  -one physical interface (vlan 100) -> this has nothing to do with the lagg below.
                  -4 physicall interfaces in LACP (vlan 35). So a portchannel made up of 4 physical interfaces. -> this has nothing to do with the interface vlan 100 above.

                  "What do you have set for your vswitches in esxi?" - one vswitch holding only the mgmt interface, no tagging there. Another vswitch holding a trunk all interface towards the firewall.

                  "So this esxi box has 1 physical interface?" - no, it has 6 physical interfaces, 2 of them independent, the rest of 4 bundled in a port channel.

                  "If your doing VST, then your handling the tags..."- the switch has trunk all interfaces regarding the firewall traffic. The firewall is handling the tagging. I can't see a problem here.
                  The switch is doing VST only for some portgroups leading to some virtual machines.

                  "Connected your vswitch, what is the vlan id set on the port group in the vswitch that your physical nic is connected too." - it is a trunk all

                  "So yeah you got something major messed up.." - are you sure?

                  "What you having going in is lack of tags and amounts to running multiple layer 3 networks on the same layer 2." - harsh diagnostic i would say; very apocalyptic.

                  I tried replicate the problem with other hosts as well, both physical and virtual and the situation is not the same. So it appears that only the server box is behaving like this.

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by johnpoz

                    @panicos said in How to check/enable antispoofing:

                    "So yeah you got something major messed up.." - are you sure?

                    YEAH.. If your doing VST... Then you wouldn't have vlans on pfsense interfaces in the first place.. They would be just native vnics.. Only when you set your vswitches with VGT would pfsense ever see tags... And need vlan setup. If you want pfsense to see the tags then you would have to set vlan ID 4095 on the port group the vnics of pfsense are connected too, or esxi will be stripping tags..

                    Post up your networking config of your esxi...

                    Actually draw the actual physical connections and how you have your switch configured..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • P
                      panicos
                      last edited by

                      @johnpoz said in How to check/enable antispoofing:

                      If you want pfsense to see the tags then you would have to set vlan ID 4095 on the port group the vnics of pfsense are connected too, or esxi will be stripping tags..

                      It is configured like that.

                      "Post up your networking config of your esxi...
                      Actually draw the actual physical connections and how you have your switch configured.." - i will return later with these details.

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz

                        @panicos said in How to check/enable antispoofing:

                        It is configured like that.

                        Then your not doing VST..

                        This is VGT
                        https://kb.vmware.com/s/article/1004252

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • P
                          panicos
                          last edited by

                          @johnpoz said in How to check/enable antispoofing:

                          Then your not doing VST..

                          not on the link towards the firewall, no.
                          I am doing VST on other portgroups of the same vswitch, but leading to other virtual machines (which in this moment are not existing). so the only portgroups where i am doing VST, are not assigned to any VM in this moment.

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            You need to lay this out... Because there is no possible why it works how you say its working... For starters a server doesn't say oh I got this connection from X to my IP Y, on interface Y.... Let me send it out the answer back on my Interface Z, but using IP address Y.. Doesn't Work that way....

                            If your sending out traffic from interface X, its going to have IP X on it be it a physical interface or a vlan interface...

                            So you have something borked in your isolation of vlans and or also your tagging..

                            With your tcpdumps you were doing - do them with the -e flag so you can actually see if traffic is tagged or not.. Also bump up the verbosity so can see the mac address of where that traffic was coming from and where it was set to go.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            P 1 Reply Last reply Reply Quote 0
                            • P
                              panicos
                              last edited by

                              @johnpoz said in How to check/enable antispoofing:

                              Doesn't Work that way....

                              i would same the same.

                              "With your tcpdumps you were doing - do them with the -e flag" - would've been my next step.

                              1 Reply Last reply Reply Quote 0
                              • P
                                panicos @johnpoz
                                last edited by panicos

                                @johnpoz

                                Ok, so here is the drawing. If it is not clear enough, let me know.
                                L2.jpg
                                Here are two captures made simultaneously on the FW2 which is the Pfsense and on the NAS physical server. The test consists in: open a http session from PC 10.40.40.4 vlan 40 towards the NAS mgmt interface vlan 100 10.100.100.6.
                                FW2_MERGE.pcap
                                NAS_MERGE.pcap
                                The captures were made on:
                                -NAS both mgmt and prod interface
                                -Pfsense interface prod vlan 35 and interface vlan 100

                                IPs:
                                10.100.100.6 -> NAS vlan 100 mgmt
                                10.40.40.4 -> PC vlan 40

                                MACs:
                                00:0c:29:c3:ed:8c - > PFsense interface (it has only one interface with multiple subinterfaces/vlans)
                                c8:cb:b8:c5:26:7d - > NAS interface mgmt vlan 100
                                00:1b:21:81:91:10 - > NAS interface prod vlan 25
                                40:8d:5c:55:70:50 - > PC interface vlan 40

                                Let me know dude, if i should add more details.

                                johnpozJ 1 Reply Last reply Reply Quote 0
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator @panicos
                                  last edited by johnpoz

                                  @panicos said in How to check/enable antispoofing:

                                  FW2 which is the Pfsense and on the NAS physical server.

                                  Ok confused... If FW2 is on the NAS.. Then how do you have your lagg setup there with both trunk all and access 35? They are the same physical port? Are they not if those are the interfaces connected to your host..

                                  Where is your vlan and interface setup for for this FW2, and what is FW1? How does vlan 40 even talk to vlan 100, from that drawing you can not tell that fw1 or fw2 even has an interface in vlan 100.. And is it tagged or untagged into pfsense?

                                  So these 4 physical ports you have set as access 35, and Trunk? Yeah you can not put a port in access and trunk mode at the same time.. traffic is either tagged or not tagged.. So the native untagged is 35? What is the pvid on these ports - assume 35.. So any untagged traffic coming off the server gets put in 35 vlan?

                                  So that drawing isn't making a lot of sense.

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  1 Reply Last reply Reply Quote 0
                                  • P
                                    panicos
                                    last edited by

                                    ok, then. in this case, thank you .

                                    1 Reply Last reply Reply Quote 0
                                    • P
                                      panicos
                                      last edited by

                                      Coming back to my first question, can anyone say how can i enable or disable antispoofing (reverse path check) on pfsense?

                                      1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by johnpoz

                                        @panicos said in How to check/enable antispoofing:

                                        disable antispoofing (reverse path check) on pfsense?

                                        There is no such thing. Do you mean allowing for asymmetrical traffic where pfsense sees syn,ack when there was not syn to create the state..

                                        How about you do this..Remove all your lagg setup, and do just physical paths and with actual isolation... Do you see the problem then?

                                        A server would never send traffic out a different interface with different source IP.. What OS do you think works that way?? How would you think it would even know to do that?

                                        Sure you can do it with generating packets and such, but no normal OS routing or stack would do such a thing..

                                        What are those mac address.. your sending to a HP mac c8:cb:b8, from vm mac... But your return is to intel 00:1b:21

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        1 Reply Last reply Reply Quote 0
                                        • bmeeksB
                                          bmeeks
                                          last edited by bmeeks

                                          I believe the OP is talking about behaviors that a few firewalls have, Checkpoints in particular. Here is a link to a short description of the feature -- http://www.jay-miah.co.uk/configuring-anti-spoofing-on-a-checkpoint-firewall/.

                                          So far as I know, @johnpoz is correct that no such feature exists in pfSense. At least I know of no such directly configurable similar feature.

                                          I managed Checkpoint firewalls for several years and anti-spoofing was one of those really cool but really irritating features. It usually raised its head and blocked stuff somewhat invisibly when you were creating complex configurations such as VRRP.

                                          P 2 Replies Last reply Reply Quote 0
                                          • P
                                            panicos
                                            last edited by

                                            man, please, understand what i am saying and stop saying the otherwise.

                                            What OS do you think works that way?? --> for instance, FreeBSD works that way.

                                            The reverse patch check is a kernel setting. In some Linux distributions (like Ubuntu for instance) it is enabled by default. I don't know how is it in FreeBSD, but judging by its behaviour, it is not enabled.
                                            If you want to help me, please post relevant messages to what i am asking and stop seeing problems where there actually aren't.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.