Broadcast to unknown network broke the whole network

provels

So if you take another computer of your own and hard code the IP to something in the 128.0.20.0 network, the same thing happens? Or just this other computer? Possibly a virus/trojan?

patrick38

I didn't test yet, I will try this if there is no better idea.
But it was not the same computer each time (so probably not a virus either)

provels

Sounds like a loop. I don't know if this is possible, but if a laptop has both Wi-Fi and physical card enabled and both Wi-Fi and hard link are offered, will it loop?

Or maybe someone brought in a home switch and looped some ports.

akuma1x

@provels said in Broadcast to unknown network broke the whole network:

Sounds like a loop. I don't know if this is possible, but if a laptop has both Wi-Fi and physical card enabled and both Wi-Fi and hard link are offered, will it loop?

No, it doesn't do it like that. The laptop simply gets 2 IP addresses - 1 from the wired ethernet network, and 1 from the wifi network. It's called Multihoming.

It works just fine, at least on my networks. I'm not saying it's right, but simply that it doesn't typically cause any problems at the network level.

Jeff

patrick38

Hello,

It's not a loop.
Each time we solve the problem by unplugging the computer and rebooting switchs and Pfsense.

We just disabled Netbios in the DHCP options to see if it change anything.
Can IGMP Snooping in the switchs configuration help with this?

provels

Maybe a bum cable or port at the client end getting shorted?
Try the PC in another port.
Try another PC in same port.
?

patrick38

It's a different port each time :/

johnpoz

Lets see a sniff of this traffic please.. Upload pcap, if your getting 150MBps should be easy to get a few packets to post up..

Why do you think its broadcast, because it ends with 255? .255 as last octet doesn't mean its directed broadcast unless the clients mask is /24.. If if your network was 128.0.0.0/22, 128.0.2.255 would just be a host address.

128.0.2 is owned by

inetnum: 128.0.2.0 - 128.0.2.255
netname: HELPNET-FARMA-SA
descr: HELPNET FARMA SA
descr: Str. Malu Rosu, nr 4
descr: Balotesti, Ilfov, Romania
geoloc: 44.603193 26.074194
country: ro

patrick38

I just managed to reproduce the problem
If I put my computer on a random static IP outside the network (128.0.2.50/24) and plug it on any switch, it broke everything (switchs are blinking, no network for all other computers).

So, I can test some ideas and see if it's solved or not

johnpoz

And this computer was flooding the network with broadcast?

Lets see this broadcast please via a pcap.. So can load it into wireshark.

But how would have anything to do with pfsense?

Just set a pc to use that IP

thernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller #2
   Physical Address. . . . . . . . . : 00-13-3B-2F-67-62
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 128.0.2.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

No flooding..

Pfsense has no control or say in what a client puts on the network..