    Strange issue with VLAN: modified source IP

    Routing and Multi WAN
    • brineberry

      Hello. I am having a very strange issue show up now that I have configured an Apache web server on a VLAN.

      The server's IP is 192.168.100.3. VLAN tagging is working properly, as I can access the server using http, ssh, and ping.

      The server works fine, but when I look at the http access logs, all requests show up as coming from 192.168.100.1, i.e., the VLAN subnet's first IP address (which is the address used to access pfSense on that subnet). I can confirm this using tcpdump: all packets are coming from that IP, regardless of what IP address they are really coming from.

      What is strange is that if I access the same web server on other ports, the source IP address for each packet is correct. I tried both ping and ssh, and checked using tcpdump: the source IP for the packets was the correct, "real" IP.

      I looked at the traffic using tcpdump on the pfSense box on the VLAN interface and realized that the "change" in the IP address is happening there (not on the web server)! Packets come in on one interface with the right source and destination addresses, and then leave on the VLAN interface with the source IP address changed to 192.168.100.1. Packets from the server back to the client come on the VLAN interface with destination IP 192.168.100.1 and then somehow find their way to the client on the client's interface (be it WAN or some other internal interface).

      It's as if pfSense were changing the source IP address of the packets that are routed to the VLAN, but only http packets, not the rest!

      This is pretty serious, since having all accesses show up as coming from the same, internal, address completely invalidates the web server logs.

      Any ideas? Thanks!!

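      A quick way to confirm the symptom described above from the web server side is to count how many access-log requests carry the router's own VLAN address. This is an added example, not code from the thread or from pfSense; the log lines are constructed, and the interface address 192.168.100.1 is the one from the post.

```python
import re
from collections import Counter

# Apache combined/common log format: the client IP is the first field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample: every request appears to come from the VLAN gateway,
# which is the symptom of outbound NAT being applied on the VLAN interface.
MASKED_LOG = [
    '192.168.100.1 - - [10/Mar/2014:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.30"',
    '192.168.100.1 - - [10/Mar/2014:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.168.100.1 - - [10/Mar/2014:12:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not in access-log format and is skipped',
]

# Constructed sample of a healthy log: real client addresses survive routing.
HEALTHY_LOG = [
    '10.0.0.5 - - [10/Mar/2014:12:01:01 +0000] "GET / HTTP/1.1" 200 612',
    '203.0.113.7 - - [10/Mar/2014:12:01:02 +0000] "GET / HTTP/1.1" 200 612',
    '192.168.100.1 - - [10/Mar/2014:12:01:03 +0000] "GET /status HTTP/1.1" 200 12',
]


def client_ips(lines):
    """Yield the client IP of every parseable access-log line."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield m.group("ip")


def masked_source_report(lines, interface_ip, threshold=0.9):
    """Count requests per client IP and flag the log as masked when at least
    `threshold` of them carry the router's interface address."""
    counts = Counter(client_ips(lines))
    total = sum(counts.values())
    fraction = counts.get(interface_ip, 0) / total if total else 0.0
    return {
        "total": total,
        "distinct_clients": len(counts),
        "masked_fraction": fraction,
        "masked": total > 0 and fraction >= threshold,
    }


if __name__ == "__main__":
    for name, log in (("masked", MASKED_LOG), ("healthy", HEALTHY_LOG)):
        print(name, masked_source_report(log, "192.168.100.1"))
```

      If the report flags the log as masked, the rewrite is happening upstream of the server, so the next place to look is the router's outbound NAT configuration rather than Apache.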
      • RoadGuy

        Since I was just playing with what I think is a similar situation with Snort I will make a suggestion.

        I do not know about ping and ssh and my VLAN knowledge at this point is negligible.
        I would guess you are accessing server from the same VLAN?

        The log traffic that all seems to originate from your xxx.xxx.xxx.1(VLAN interface) address is happening due to NAT.
        Packets entering VLAN heading for server come from xxx.xxx.xxx.1(VLAN interface) as far as server is concerned and vice versa.
        Since your server is on a VLAN, any traffic that does not come from within VLAN will be NATranslated.
        The "change" is just normal NATranslation for the VLAN subnet.
        So at a guess if you look at logs for the VLAN interface traffic you will see correct src and dst.

        Far from an expert on this, but figured I would share anyway.

        Example:
        If I sit on the WAN and look at outbound traffic it all originates from the xxx.xxx.xxx.1(WAN interface) address. Post NAT
        If I sit on the LAN and look at the same traffic I see correct source and destination IP. Pre NAT

        Netgate FW-7541, 4GB DDR3, 64GB SSD
        Intel(R) Atom(TM) CPU D525 @ 1.80GHz
        2.1p1-RELEASE (amd64)
        FreeBSD 8.3-RELEASE-p12
        Single WAN, Multi LAN, with Snort

        "Ignorance is not always a curable affliction."
        What the heck am I going to do with 64GB's???

        • brineberry

          That is exactly what is going on… except it happens even if I don't have NAT turned on for that interface. Or if, for instance, I try to access the server from one of the other internal LANs, for which no NAT intervenes and pfSense should just be routing packets from one interface to another. The source IP is modified nonetheless.

          • cmb

            Your outbound NAT is either manually configured to do that, or you wrongly have a gateway specified under that VLAN interface (Interface>VLANname) in which case the automatic outbound NAT will do that.
