Broadcast to unknown network broke the whole network



  • Hello,

    We have had an issue for a few weeks that we have no idea how to solve, and I would like your help with it.

    We have a pfSense in version 2.4.5-RELEASE-p1.

    Let's say we have two local networks (192.168.1.0/24 and 192.168.2.0/24).
    This morning, someone plugged in a computer coming from an external network (128.0.2.0/24).
    The computer didn't have internet, but on the pfSense we could see something like 150MB/s of traffic coming from this computer, with a broadcast to 128.0.2.255 (UDP / NetBIOS).

    It's not the first time we've had this; whatever outside network the computer comes from, it happens regularly.

    Our firewall rules are pretty strict, but I don't know if broadcasts are blocked.
    When we have this issue, all our switches are blinking simultaneously and fast.

    I don't think we changed anything, or at least not voluntarily, and it has been happening for something like 3 months (we never had this problem in the 10 years before that).

    Do you have any idea how we can solve this? Or at least where to look?

    Let me know if you need more information.

    Thanks



  • So if you take another computer of your own and hard code the IP to something in the 128.0.20.0 network, the same thing happens? Or just this other computer? Possibly a virus/trojan?



  • I haven't tested that yet; I will try it if there is no better idea.
    But it was not the same computer each time (so probably not a virus either).



  • Sounds like a loop. I don't know if this is possible, but if a laptop has both Wi-Fi and physical card enabled and both Wi-Fi and hard link are offered, will it loop?

    Or maybe someone brought in a home switch and looped some ports.



  • @provels said in Broadcast to unknown network broke the whole network:

    Sounds like a loop. I don't know if this is possible, but if a laptop has both Wi-Fi and physical card enabled and both Wi-Fi and hard link are offered, will it loop?

    No, it doesn't do it like that. The laptop simply gets 2 IP addresses - 1 from the wired ethernet network, and 1 from the wifi network. It's called Multihoming.

    It works just fine, at least on my networks. I'm not saying it's right, but simply that it doesn't typically cause any problems at the network level.

    Jeff



  • Hello,

    It's not a loop.
    Each time we solve the problem by unplugging the computer and rebooting the switches and pfSense.

    We just disabled NetBIOS in the DHCP options to see if it changes anything.
    Can IGMP Snooping in the switches' configuration help with this?



  • Maybe a bum cable or port at the client end getting shorted?
    Try the PC in another port.
    Try another PC in same port.
    ?



  • It's a different port each time :/


  • LAYER 8 Global Moderator

    Let's see a sniff of this traffic please. Upload a pcap; if you're getting 150MBps it should be easy to get a few packets to post up.

    Why do you think it's broadcast, because it ends with 255? .255 as the last octet doesn't mean it's a directed broadcast unless the client's mask is /24. If your network was 128.0.0.0/22, 128.0.2.255 would just be a host address.

    128.0.2 is owned by

    inetnum: 128.0.2.0 - 128.0.2.255
    netname: HELPNET-FARMA-SA
    descr: HELPNET FARMA SA
    descr: Str. Malu Rosu, nr 4
    descr: Balotesti, Ilfov, Romania
    geoloc: 44.603193 26.074194
    country: ro
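    The point about the mask deserves a concrete check, since whether 128.0.2.255 is a broadcast address depends entirely on the prefix the sender is configured with. The following Python is an added example, not code from this thread or from pfSense: it classifies a destination address as seen from a host with a given mask, and then counts, per source, packets aimed at the directed-broadcast address of a subnet that is not one of the site's own (the thread's 192.168.1.0/24 and 192.168.2.0/24). The packet records are constructed to resemble a tcpdump summary, and the /24 mask applied to each sender is an assumption, because the sender's real mask is not visible on the wire.

```python
# Added example (not from the forum thread or pfSense): classify packet
# destinations relative to the sender's configured subnet, and count
# senders that broadcast into a subnet the site does not use.
import ipaddress
from collections import Counter


def classify_destination(src_ip: str, prefix_len: int, dst_ip: str) -> str:
    """Return how dst_ip looks from a host configured as src_ip/prefix_len.

    A last octet of .255 is only a directed broadcast when the host's mask
    makes it the broadcast address of its own subnet.
    """
    iface = ipaddress.ip_interface(f"{src_ip}/{prefix_len}")
    dst = ipaddress.ip_address(dst_ip)
    if dst == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if dst == iface.network.broadcast_address:
        return "directed-broadcast"
    if dst in iface.network:
        return "on-link-unicast"
    return "off-link-unicast"


# The two LAN subnets named in the thread.
SITE_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24")]

# Constructed sample records shaped like a tcpdump summary:
# (source IP, destination IP, protocol, destination port, bytes).
SAMPLE_PACKETS = [
    ("192.168.1.20", "192.168.1.255", "udp", 137, 78),   # normal NetBIOS name query
    ("192.168.1.20", "192.168.1.255", "udp", 138, 243),  # normal NetBIOS datagram
    ("128.0.2.50", "128.0.2.255", "udp", 137, 78),       # foreign-subnet host
    ("128.0.2.50", "128.0.2.255", "udp", 137, 78),
    ("128.0.2.50", "128.0.2.255", "udp", 138, 243),
    ("192.168.2.7", "192.168.1.10", "tcp", 445, 1514),   # routed unicast
]


def foreign_broadcast_senders(packets, site_networks, assumed_prefix=24):
    """Count, per source, packets sent to the directed-broadcast address of
    a /assumed_prefix subnet that is not one of the site's own networks.

    assumed_prefix is an assumption about the sender's mask; with a /22 the
    same .255 destination would be classified as plain on-link unicast.
    """
    counts = Counter()
    for src, dst, _proto, _dport, _size in packets:
        if classify_destination(src, assumed_prefix, dst) != "directed-broadcast":
            continue
        dst_addr = ipaddress.ip_address(dst)
        if any(dst_addr in net for net in site_networks):
            continue  # broadcast on a subnet we actually run; not suspicious here
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    print(classify_destination("128.0.2.50", 24, "128.0.2.255"))  # directed-broadcast
    print(classify_destination("128.0.2.50", 22, "128.0.2.255"))  # on-link-unicast
    print(foreign_broadcast_senders(SAMPLE_PACKETS, SITE_NETWORKS))
```

    Run against a real capture, the per-source count would be taken over a time window so that a single misconfigured host sending thousands of off-network broadcasts per second stands out from the ordinary NetBIOS chatter on the site's own subnets.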



  • I just managed to reproduce the problem.
    If I put my computer on a random static IP outside the network (128.0.2.50/24) and plug it into any switch, it breaks everything (switches are blinking, no network for all other computers).

    So, I can test some ideas and see if it's solved or not


  • LAYER 8 Global Moderator

    And this computer was flooding the network with broadcast?

    Let's see this broadcast please via a pcap, so we can load it into Wireshark.

    But how would that have anything to do with pfSense?

    I just set a PC to use that IP:

    thernet adapter Ethernet 2:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller #2
       Physical Address. . . . . . . . . : 00-13-3B-2F-67-62
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 128.0.2.50(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Enabled
    

    No flooding..

    pfSense has no control or say in what a client puts on the network..

