Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Netgate 1100 bridges LAN and WAN port during boot?

    Scheduled Pinned Locked Moved
    Official Netgate® Hardware
    5
    15
    945
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      BM 1
      last edited by

      Ok, we are done testing.

      The test went as follows. A device in the secure LAN got a IP address from the public LAN (192.168.1.xyz). And we setup a ping from the modem/router to that device to see if was reachable through the Netgate. If not, the Netgate secures the LAN. If so, the Netgate allows traffic from public to secure LAN, which is a breach.
      At the start it is unreachable. During the (cold) reboot it starts pinging. When BSD loads the etherswitch driveris the destination becomes unreachable once again.

      From 172.24.254.20 icmp_seq=298 Destination Host Unreachable

      64 bytes from 172.24.254.200: icmp_seq=299 ttl=64 time=1002 ms
      64 bytes from 172.24.254.200: icmp_seq=300 ttl=64 time=2.50 ms
      64 bytes from 172.24.254.200: icmp_seq=301 ttl=64 time=0.358 ms
      64 bytes from 172.24.254.200: icmp_seq=303 ttl=64 time=0.290 ms
      64 bytes from 172.24.254.200: icmp_seq=304 ttl=64 time=0.363 ms
      64 bytes from 172.24.254.200: icmp_seq=305 ttl=64 time=0.400 ms
      64 bytes from 172.24.254.200: icmp_seq=306 ttl=64 time=0.414 ms
      64 bytes from 172.24.254.200: icmp_seq=307 ttl=64 time=0.628 ms
      64 bytes from 172.24.254.200: icmp_seq=308 ttl=64 time=0.296 ms
      64 bytes from 172.24.254.200: icmp_seq=309 ttl=64 time=0.341 ms
      64 bytes from 172.24.254.200: icmp_seq=310 ttl=64 time=0.395 ms
      64 bytes from 172.24.254.200: icmp_seq=311 ttl=64 time=0.656 ms
      64 bytes from 172.24.254.200: icmp_seq=312 ttl=64 time=0.420 ms
      64 bytes from 172.24.254.200: icmp_seq=313 ttl=64 time=0.400 ms
      64 bytes from 172.24.254.200: icmp_seq=314 ttl=64 time=0.492 ms
      64 bytes from 172.24.254.200: icmp_seq=315 ttl=64 time=0.431 ms
      64 bytes from 172.24.254.200: icmp_seq=316 ttl=64 time=0.422 ms
      64 bytes from 172.24.254.200: icmp_seq=317 ttl=64 time=0.396 ms
      From 172.24.254.20 icmp_seq=342 Destination Host Unreachable
      From 172.24.254.20 icmp_seq=343 Destination Host Unreachable
      From 172.24.254.20 icmp_seq=344 Destination Host Unreachable

      Both with the old and new firmware the switch ports are open during a cold boot. The time they allow traffic from public LAN to secure LAN is between 15-20 seconds...
      After the boot is complete and the configuration is loaded the ports are shut or it is no longer to pass traffic.
      It is save to say that during a cold reboot by default the switch ports are open and there is no security.
      With a power failure and all devices are powering up 15-20 seconds is enough to get a DCHP lease.
      In my opinion the switch ports should be down by default and after booting and the configuration is loaded they should be open or allow traffic.
      For a security device this is bit off.

      During a warm boot or reboot the switch holds it's configuration and there are no issues.

      I have also taken a look at the vlan separation suggestion. I am not sure want to change and how how to fix the current issue with the current hardware.
      Below you find the switch config.

      etherswitchcfg
      etherswitch0: VLAN mode: DOT1Q
      port0:
      pvid: 1
      state=8<FORWARDING>
      flags=1<CPUPORT>
      media: Ethernet 1000baseT <full-duplex>
      status: active
      port1:
      pvid: 4092
      state=8<FORWARDING>
      flags=0<>
      media: Ethernet autoselect (100baseTX <full-duplex>)
      status: active
      port2:
      pvid: 4091
      state=8<FORWARDING>
      flags=0<>
      media: Ethernet autoselect (none)
      status: no carrier
      port3:
      pvid: 4090
      state=8<FORWARDING>
      flags=0<>
      media: Ethernet autoselect (1000baseT <full-duplex>)
      status: active
      vlangroup0:
      vlan: 1
      members 0
      vlangroup1:
      vlan: 4090
      members 0t,3
      vlangroup2:
      vlan: 4091
      members 0t,2
      vlangroup3:
      vlan: 4092
      members 0t,1

      This is not a issue on one device we have several. Also it was tested on and is repreproducible on several devices.

      1 Reply Last reply Reply Quote 0
      • B
        BM 1 @stephenw10
        last edited by

        @stephenw10 Only during warm boots. During cold reboots the security device acts as a regular switch. And 15-20 seconds is not a very short time span.

        I hope my information helps.

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          If you're seeing 15-20s then it doesn't have the new uboot values. They should be added at upgrade.
          You can check manually if you run printenv at the uboot prompt. You should see the 'switch_disable' entry.

          Let me test that....

          1 Reply Last reply Reply Quote 0
          • N
            NOCling
            last edited by

            Workaround:
            If you use a managed Switch behind, use Tagged only VLANs between.
            There is no tagged Frame in the Switch boot and brided time.

            Netgate 6100 & Netgate 2100

            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              You can also check this from the pfSense command line like:

              [23.01-BETA][root@1100.stevew.lan]/root: u-boot-env-read /tmp/envs
[23.01-BETA][root@1100.stevew.lan]/root: cat /tmp/envs
�~Narch=armbaudrate=115200board=mvebu_armada-37xxboard_name=mvebu_armada-37xxbootargs=root=PARTUUID=15896539-02 rw rootwait console=ttyMV0,115200 earlycon=ar3700_uart,0xd0012000bootdelay=2console=console=ttyMV0,115200 earlycon=ar3700_uart,0xd0012000cpu=armv8eth1addr=00:51:82:11:22:01eth2addr=00:51:82:11:22:02eth3addr=00:51:82:11:22:03ethact=neta@30000ethaddr=f0:ad:4e:08:6b:dfethprime=eth0extra_params=pci=pcie_bus_safefdt_high=0xfffffffffffffffffdt_name=fdt.dtbfdtcontroladdr=3f62d490fileaddr=6f00000filesize=2c88gatewayip=10.4.50.254get_images=tftpboot $kernel_addr_r $image_name; tftpboot $fdt_addr_r $fdt_name; run get_ramfsget_ramfs=if test "${ramfs_name}" != "-"; then setenv ramdisk_addr_r 0x8000000; tftpboot $ramdisk_addr_r $ramfs_name; else setenv ramdisk_addr_r -;fihostname=marvellimage_name=Imageinitrd_addr=0xa00000initrd_size=0x2000000ipaddr=0.0.0.0memtest86=usb reset; load usb 0:1 0x7000000 efi/boot/bootaa64.efi; load usb 0:1 0x6f00000 armada-3720-netgate-1100.dtb; fdt addr 0x6f00000; bootefi 0x7000000 0x6f00000;netdev=eth0netmask=255.255.255.0openwrt=usb start; setenv bootargs "root=/dev/sda2 rw rootwait ${console}"; load usb 0:1 ${fdt_addr_r} armada-3720-espressobin-v7-emmc.dtb; load usb 0:1 ${kernel_addr} Image; booti ${kernel_addr} - ${fdt_addr_r}ramdisk_addr_r=0x8000000ramfs_name=-root=root=/dev/nfs rwrootpath=/srv/nfs/serial=NTG1846000004serverip=0.0.0.0set_bootargs=setenv bootargs $console $root ip=$ipaddr:$serverip:$gatewayip:$netmask:$hostname:$netdev:none nfsroot=$serverip:$rootpath,tcp,v3 $extra_params $cpuidlesoc=mvebustderr=serial@12000stdin=serial@12000stdout=serial@12000vendor=Marvellbootcmd=run emmcboot; run scsiboot; run net;boot_file=efi/boot/bootaa64.efidtb_name=armada-3720-netgate-1100.dtbdtb_name_old=armada-3720-sg1100.dtbemmcboot=mmc rescan; setenv loaddev mmc; setenv loadunit 1; if fatls $loaddev $loadunit:2 /; then run pfsenseboot; fi;fdt_addr_r=0x6f00000kernel_addr=0x7000000kernel_addr_r=0x7000000loadaddr=0x7000000net=dhcp; tftp $fdt_addr_r $dtb_name; tftp $kernel_addr_r loader.efi; fdt addr $fdt_addr_r; fdt set / sn $serial; fdt set /soc/internal-regs/ethernet local-mac-address $ethaddr; bootefi $kernel_addr_r $fdt_addr_r;pfsenseboot=if fatls $loaddev $loadunit:2 /armada-3720-netgate-1100.dtb ; then setenv dtb $dtb_name; else setenv dtb $dtb_name_old; fi; load $loaddev $loadunit:1 $kernel_addr_r $boot_file; load $loaddev $loadunit:2 $fdt_addr_r $dtb; fdt addr $fdt_addr_r; fdt set / sn $serial; fdt set /soc/internal-regs/ethernet local-mac-address $ethaddr; bootefi $kernel_addr_r $fdt_addr_r;preboot=run switch_disable;recovery=run usbboot;scsiboot=scsi reset; setenv loaddev scsi; setenv loadunit 0; if fatls $loaddev $loadunit:2 /; then run pfsenseboot; fi;switch_disable=switch phy_write 1 0 0 0xffff; switch phy_write 2 0 0 0xffff; echo "Switch Ports Disabled";usbboot=usb reset; setenv loaddev usb; setenv loadunit 0; if fatls $loaddev $loadunit:2 /; then run pfsenseboot; fi;usbrecovery=mmc dev 1; mmc erase 0 400000; run usbboot;

              You are looking for the envs:

              preboot=run switch_disable
switch_disable=switch phy_write 1 0 0 0xffff; switch phy_write 2 0 0 0xffff; echo "Switch Ports Disabled"

              Steve

              R B 2 Replies Last reply Reply Quote 1
              • R
                rcoleman-netgate Netgate @stephenw10
                last edited by rcoleman-netgate

                @stephenw10 said in Netgate 1100 bridges LAN and WAN port during boot?:

                u-boot-env-read /tmp/envs
                cat /tmp/envs

                Wait, what?!

                Learn something new every day...

                Ryan
                Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                Requesting firmware for your Netgate device? https://go.netgate.com
                Switching: Mikrotik, Netgear, Extreme
                Wireless: Aruba, Ubiquiti

                1 Reply Last reply Reply Quote 1
                • B
                  BM 1 @stephenw10
                  last edited by

                  @stephenw10 Hi I have checked but indeed its missing the switch_disable env. How can I add these to u-boot environment?

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    There are several ways you can add them. They are added automatically when uboot is updated but if you are already running the latest uboot version that would not have happened. The easiest way is to force uboot to be rewritten which will then also run the env updates:

                    [23.01-BETA][root@1100.stevew.lan]/root: /usr/local/share/u-boot/1100/u-boot-update.sh -f
=> U-Boot is already at the latest version.  Continuing with the installation...
=> Updating the Netgate 1100 U-boot
==> Reading current settings
==> Updating the U-boot image (this may take a few minutes)
64+0 records in
64+0 records out
4194304 bytes transferred in 55.425440 secs (75675 bytes/sec)
==> Updating settings
==> Restoring settings
writing u-boot env(1)... done

                    After which you should see those envs.

                    You could also manually add them at the uboot prompt or running the uboot-env read/update/write commands if necessary.

                    Steve

                    B 1 Reply Last reply Reply Quote 2
                    • B
                      BM 1 @stephenw10
                      last edited by

                      @stephenw10 Thanks!

                      With your rewrite suggestion we were able to modify the uboot.

                      We are running the latest version and it did happen. It is fixed now.
                      When we run our test procedure we see a switch disable message. And no pings are passing through the device so it works as it should.

                      Many thanks for the helping hand!

                      1 Reply Last reply Reply Quote 1
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        Excellent, good to hear! 👍

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post