1. Home
  2. pfSense® Software
  3. Routing and Multi WAN
  4. Broadcast to unknown network broke the whole network

Broadcast to unknown network broke the whole network

  • P

    Hello,

    We have an issue for a few weeks we have no idea how to solve, I would like to have your help about this.

    We have a pfSense in version 2.4.5-RELEASE-p1.

    Let's say we have two local network (192.168.1.0/24 and 192.168.2.0/24).
    This morning, someone plugs a computer coming from an external network (128.0.2.0/24).
    The computer didn't have internet, but on the Pfsense we could see something like 150MB/s traffic coming from this computer, with a broadcast to 128.0.2.255 (UDP / Netbios)

    It's not the first time we have this, whatever the outside network it comes from, it happens regularly

    Our firewall rules are pretty strict, but I don't know if broadcast are blocked.
    When we have this issue, all our switchs are blinking simultaneously and fast.

    I don't think we changed anything, or at least not voluntarily, and it happens for something like 3 months (never hard this problem in 10 years before that)

    Have you any idea how we can solve this? Or at least where to look at?

    Let me know if you need more information.

    Thanks

    0
  • provels

    So if you take another computer of your own and hard code the IP to something in the 128.0.20.0 network, the same thing happens? Or just this other computer? Possibly a virus/trojan?

    0
  • P

    I didn't test yet, I will try this if there is no better idea.
    But it was not the same computer each time (so probably not a virus either)

    0
  • provels

    Sounds like a loop. I don't know if this is possible, but if a laptop has both Wi-Fi and physical card enabled and both Wi-Fi and hard link are offered, will it loop?

    Or maybe someone brought in a home switch and looped some ports.

    0 A 1 Reply
  • A

    @provels said in Broadcast to unknown network broke the whole network:

    Sounds like a loop. I don't know if this is possible, but if a laptop has both Wi-Fi and physical card enabled and both Wi-Fi and hard link are offered, will it loop?

    No, it doesn't do it like that. The laptop simply gets 2 IP addresses - 1 from the wired ethernet network, and 1 from the wifi network. It's called Multihoming.

    It works just fine, at least on my networks. I'm not saying it's right, but simply that it doesn't typically cause any problems at the network level.

    Jeff

    1
  • P

    Hello,

    It's not a loop.
    Each time we solve the problem by unplugging the computer and rebooting switchs and Pfsense.

    We just disabled Netbios in the DHCP options to see if it change anything.
    Can IGMP Snooping in the switchs configuration help with this?

    0
  • provels

    Maybe a bum cable or port at the client end getting shorted?
    Try the PC in another port.
    Try another PC in same port.
    ?

    0
  • P

    It's a different port each time :/

    0
  • johnpoz
    LAYER 8 Global Moderator

    Lets see a sniff of this traffic please.. Upload pcap, if your getting 150MBps should be easy to get a few packets to post up..

    Why do you think its broadcast, because it ends with 255? .255 as last octet doesn't mean its directed broadcast unless the clients mask is /24.. If if your network was 128.0.0.0/22, 128.0.2.255 would just be a host address.

    128.0.2 is owned by

    inetnum: 128.0.2.0 - 128.0.2.255
    netname: HELPNET-FARMA-SA
    descr: HELPNET FARMA SA
    descr: Str. Malu Rosu, nr 4
    descr: Balotesti, Ilfov, Romania
    geoloc: 44.603193 26.074194
    country: ro

    0
  • P

    I just managed to reproduce the problem
    If I put my computer on a random static IP outside the network (128.0.2.50/24) and plug it on any switch, it broke everything (switchs are blinking, no network for all other computers).

    So, I can test some ideas and see if it's solved or not

    0
  • johnpoz
    LAYER 8 Global Moderator

    And this computer was flooding the network with broadcast?

    Lets see this broadcast please via a pcap.. So can load it into wireshark.

    But how would have anything to do with pfsense?

    Just set a pc to use that IP

    thernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller #2
   Physical Address. . . . . . . . . : 00-13-3B-2F-67-62
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 128.0.2.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

    No flooding..

    Pfsense has no control or say in what a client puts on the network..

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy