Spoofing inside a VLAN



  • I have pfSense 2.0.1 running on an Atom-based system with 2 NICs.

    On the 100 Mbit/s NIC I defined the VLANs for the WAN connections, and on the gigabit NIC I defined the VLANs for the LAN.
    All could be done on 1 NIC, but I thought it would be better for throughput and clarity to at least make a division between LAN and WAN.

    I have 2 DSL connections, with provider 1 using DHCP and the 2nd provider using PPPoE.

    For a while I've been using a NAT router on 1 of the DHCP lines.
    Today I decided to replace this NAT router with a DSL modem in bridge mode so I can obtain a WAN address.

    Because it's the same provider, I need to use a different MAC address.
    I therefore spoofed the MAC address for VLAN13.
    It then successfully received an IP, but no traffic was able to flow.

    Using a wireless access point I was able to tap into VLAN13 with a laptop, and I could easily obtain a WAN connection with it.
    After I replaced the bridged modem with the NAT router and turned off spoofing of the MAC, I managed to regain the connection with that

    I would like to know if I'm trying to do something that isn't possible.



  • There are some issues when using 2 WAN connections with the same gateway. Not sure if your problem is related, but it could be.

    There are lots of posts about this.



  • As far as I know there are/were problems when spoofing the MAC on... hmm... unsure... a PPPoE or DHCP interface.
    If it is possible for you, can you spoof the MAC on the other VLAN interface and try again?

    The problem heper mentions should be on your mind, too. If both connections are using the same gateway, then this could be a problem, too.



  • It has previously not worked to spoof MAC addresses on VLANs, and hence they're forced to the MAC of the parent interface. You can comment out the code under line 2718 in /etc/inc/interfaces.inc (the part below "All vlans need to spoof their parent …" with the ifconfig) and see if that's still the case.



  • @heper,
    No, these 2 connections are on different /24 subnets: one is xx.xx.179.117 with xx.xx.179.1 as its gateway and the other is xx.xx.180.164 with xx.xx.180.1 as its gateway.

    We're considering a 3rd connection from that same ISP, but there's a big chance we get an IP in the xx.xx.179.0/24 subnet.
    Maybe I should go for another ISP.

    At this moment I'm running the xx.xx.180.164 connection behind a NAT router. I can spoof the MAC again.

    I can ask the ISP to turn the xx.xx.179.117 into a static IP and let the other do DHCP with its original MAC.
    Another solution would be to use the NIC I normally use for LAN for VLAN13, and I will have a different MAC.

    Can it be a problem with the NIC or its driver?



  • Follow my above instructions and see if it's still an issue. You used to have to put the NIC into promiscuous mode for that to function at all, and that's less than desirable generally.



  • This part is already uncommented.
    Do you mean it should work then?

                    /*
                     * All vlans need to spoof their parent mac address, too.  see
                     * ticket #1514: http://cvstrac.pfsense.com/tktview?tn=1514,33
                     */
                    if (is_array($config['vlans']['vlan'])) {
                            foreach ($config['vlans']['vlan'] as $vlan) {
                                    if ($vlan['if'] == $realhwif)
                                            mwexec("/sbin/ifconfig " . escapeshellarg($vlan['vlanif']) .
                                                    " link " . escapeshellarg($wancfg['spoofmac']));
                            }
                    }
    
    

    @cmb:

    You used to have to put the NIC into promiscuous mode for that to function at all, and that's less than desirable generally.

    Both NICs go directly into an 8-port switch that is distributing the VLANs. Will such a setup not protect the NIC from undesirable effects? What are these effects?

    BTW...

    If I would configure a 2nd pfSense using (of course) different NICs with pfsync, wouldn't I need MAC spoofing as well?
    Or do I need an ISP that accepts 2 MAC addresses for a certain IP?

    Another question.....

    If I get a 3rd connection from this ISP, it will most likely be in the xx.xx.179.0/24 subnet. Will I get problems then?
    Some routers are able to get an IP using DHCP with a /32 netmask.
    The gateway will then be outside their netmask scope, but some routers have no problems with this.
    It's a good way of telling the routing engine that all other IPs in that /24 subnet need to be accessed via the gateway.



  • @cmb:

    Follow my above instructions and see if it's still an issue. You used to have to put the NIC into promiscuous mode for that to function at all, and that's less than desirable generally.

    Uncomment what?
    The code is already uncommented.



  • @cmb:

    It's previously not worked to spoof MAC addresses on VLANs, and hence they're forced to the MAC of the parent interface. You can comment out the code under line 2718 in /etc/inc/interfaces.inc (part below "All vlans need to spoof their parent …" with the ifconfig) and see if that's still the case.

    @frater:

    Uncomment what?
    The code is already uncommented.

    Comment, not uncomment.



  • Sorry, you did write that.

    I've commented out the part like this:

    
                    /*
                    if (is_array($config['vlans']['vlan'])) {
                            foreach ($config['vlans']['vlan'] as $vlan) {
                                    if ($vlan['if'] == $realhwif)
                                            mwexec("/sbin/ifconfig " . escapeshellarg($vlan['vlanif']) .
                                                    " link " . escapeshellarg($wancfg['spoofmac']));
                            }
                    }
                    */
    
    

    Currently I'm using a NAT router on that line, but that would still enable me to test it.

    After changing the MAC address and bringing the interface down and then up again, I'm not getting an IP through DHCP, let alone being able to ping the gateway (10.100.100.2).

    I have a workaround for it, because I negotiated with the ISP and they reconfigured their ATM router and configured the other line as static.
    This means I can use the parent MAC for this DHCP line (which is on an ATM router they can't reconfigure, meaning it HAS to do DHCP).

    If I can't spoof MACs inside the VLANs, it also means I can't have a 2nd pfSense machine that takes over.

    Is this a hardware/driver issue?
    Is it solved after I put it in promiscuous mode?
    How can I put it into promiscuous mode?
    What are the consequences of putting it into promiscuous mode?
    Will the switch that's behind the 2 NICs not protect the NICs?



  • If it doesn't work after doing that, then just run "ifconfig <interface> promisc", replacing <interface> with the parent VLAN interface (em0 or what have you), and see if that works.



  • Yes, that works.

    Could you enhance the pfSense web interface to enable/disable promiscuous mode?
    Otherwise this setting will not go into pfSense's XML file.

    What is the most elegant way to ensure promiscuous mode is enabled after startup until that feature is added?

    PS...

    All of a sudden my parent interface got 89.250.176.46/8 according to ifconfig.
    This is an IP of our ISP, but not in their client range, but in their own.
    Inside a VLAN we have a modem in bridge mode with their ATM interface.
    Is it because they have some DHCP server?

    
    [2.0.1-RELEASE][root@pfsense]/root(26): ifconfig dc0
    dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=80008<VLAN_MTU,LINKSTATE>
            ether 00:50:bf:9f:df:77
            inet6 fe80::250:bfff:fe9f:df77%dc0 prefixlen 64 scopeid 0x2
            inet 89.250.176.44 netmask 0xff000000 broadcast 89.255.255.255
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    [2.0.1-RELEASE][root@pfsense]/root(27): reboot
    

    After reboot:

    [2.0.1-RELEASE][root@pfsense]/root(6): ifconfig dc0
    dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=80008<VLAN_MTU,LINKSTATE>
            ether 00:50:bf:9f:df:77
            inet6 fe80::250:bfff:fe9f:df77%dc0 prefixlen 64 scopeid 0x2
            inet 10.250.250.1 netmask 0xfffffff0 broadcast 10.250.250.15
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    

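    The check below is an added example, not code from the thread or from pfSense: it parses FreeBSD `ifconfig` output and tells you whether a VLAN interface still carries the MAC you spoofed onto it (rather than having been reset to the parent's MAC) and whether the parent NIC is in promiscuous mode, which is the combination the thread ends up needing. It wraps the two commands that appear in the thread (`ifconfig <vlanif> link <mac>` and `ifconfig <parent> promisc`) so they only run when explicitly asked for, and otherwise runs offline against constructed sample output. The interface names em0 and em0_vlan13, the locally administered MAC 02:00:00:00:13:01 and the sample ifconfig text are assumptions made up for the example. Run `sh check_vlan_spoof.sh live em0 em0_vlan13 02:00:00:00:13:01` from whatever startup hook you use to confirm the setting survived boot.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): verify that a VLAN interface
# carries a spoofed MAC and that its parent NIC is promiscuous, by parsing
# FreeBSD `ifconfig` output. em0, em0_vlan13, 02:00:00:00:13:01 and the sample
# output below are constructed for illustration.

# Print the "ether" (link-layer) address from ifconfig output read on stdin.
ether_of() {
    awk '$1 == "ether" { print tolower($2); exit }'
}

# Succeed if the first line of ifconfig output on stdin lists the PROMISC flag.
is_promisc() {
    head -n 1 | grep -q 'PROMISC'
}

# check_spoof PARENT_IFCONFIG VLAN_IFCONFIG EXPECTED_MAC
# Returns 0 only when the VLAN carries EXPECTED_MAC, that MAC differs from the
# parent's, and the parent is PROMISC. Without PROMISC the NIC's hardware
# filter drops unicast frames addressed to the spoofed MAC, which is
# consistent with the symptom in the thread (lease obtained, no traffic).
check_spoof() {
    parent_mac=$(printf '%s\n' "$1" | ether_of)
    vlan_mac=$(printf '%s\n' "$2" | ether_of)
    want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    rc=0
    if [ "$vlan_mac" != "$want" ]; then
        echo "FAIL: VLAN has '$vlan_mac', expected $want (spoof reset?)"
        rc=1
    fi
    if [ "$vlan_mac" = "$parent_mac" ]; then
        echo "FAIL: VLAN MAC equals parent MAC $parent_mac, nothing is spoofed"
        rc=1
    fi
    if ! printf '%s\n' "$1" | is_promisc; then
        echo "FAIL: parent is not PROMISC, frames for $vlan_mac will be filtered"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $vlan_mac on VLAN, parent $parent_mac promiscuous"
    return "$rc"
}

# The commands the thread arrives at; they need root on the pfSense box and
# are only run via the "apply" / "live" arguments, never by the offline check.
apply_spoof() {   # apply_spoof PARENT VLANIF MAC
    ifconfig "$2" link "$3" && ifconfig "$1" promisc
}

verify_live() {   # verify_live PARENT VLANIF MAC
    check_spoof "$(ifconfig "$1")" "$(ifconfig "$2")" "$3"
}

# Constructed sample output in FreeBSD ifconfig format (not captured from a box).
# 0x8943 is 0x8843 with IFF_PROMISC (0x100) set.
PARENT_PROMISC='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:50:bf:9f:df:77
        status: active'
PARENT_PLAIN='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:50:bf:9f:df:77
        status: active'
VLAN_SPOOFED='em0_vlan13: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:13:01
        vlan: 13 parent interface: em0'
VLAN_RESET='em0_vlan13: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:50:bf:9f:df:77
        vlan: 13 parent interface: em0'

case "${1:-}" in
    apply) apply_spoof "$2" "$3" "$4" && verify_live "$2" "$3" "$4" ;;
    live)  verify_live "$2" "$3" "$4" ;;
    *)     # Offline self-check against the constructed samples: one pass, two fails.
           check_spoof "$PARENT_PROMISC" "$VLAN_SPOOFED" 02:00:00:00:13:01
           check_spoof "$PARENT_PLAIN"   "$VLAN_SPOOFED" 02:00:00:00:13:01 || true
           check_spoof "$PARENT_PROMISC" "$VLAN_RESET"   02:00:00:00:13:01 || true ;;
esac
```

    The "VLAN MAC equals parent MAC" case is the one the interfaces.inc snippet above produces when the spoof is re-applied from the parent, so a passing check after a reboot is the quickest way to tell whether the commented-out block stayed commented out.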

  • It turns out pfSense with only 2 NICs is limited with regard to my implementation.

    Now that I can't spoof my MAC for a certain VLAN interface without putting my parent interface in promiscuous mode, I can't use any more DHCP lines from that same ISP.

    Is this only on my hardware?
    Does anyone know for a fact that it should be working?
    Does anyone know how to get it working again?

    Will there be a fix in the web interface?

