Netgate Discussion Forum

Strange issue with VLAN: modified source IP

Routing and Multi WAN
4 Posts 3 Posters 1.0k Views
brineberry (last edited Dec 5, 2013, 1:07 PM)

    Hello. I am having a very strange issue show up now that I have configured an Apache web server on a VLAN.

    The server's IP is 192.168.100.3. VLAN tagging is working properly, as I can access the server using http, ssh, and ping.

    The server works fine, but when I look at the http access logs, all requests show up as coming from 192.168.100.1, i.e., the VLAN subnet's first IP address (which is the address used to access pfSense on that subnet). I can confirm this using tcpdump: all packets are coming from that IP, regardless of what IP address they are really coming from.

    What is strange is that if I access the same web server on other ports, the source IP address for each packet is correct. I tried both ping and ssh, and checked using tcpdump: the source IP for the packets was the correct, "real" IP.

    I looked at the traffic using tcpdump on the pfSense box on the VLAN interface and realized that the "change" in the IP address is happening there (not on the web server)! Packets come in on one interface with the right source and destination addresses, and then leave on the VLAN interface with the source IP address changed to 192.168.100.1. Packets from the server back to the client come on the VLAN interface with destination IP 192.168.100.1 and then somehow find their way to the client on the client's interface (be it WAN or some other internal interface).

    It's as if pfSense were changing the source IP address of the packets that are routed to the VLAN, but only http packets, not the rest!

    This is pretty serious, since having all accesses show up as coming from the same, internal, address completely invalidates the web server logs.

    Any ideas? Thanks!!

RoadGuy (last edited Dec 5, 2013, 7:37 PM)

      Since I was just playing with what I think is a similar situation with Snort I will make a suggestion.

      I do not know about ping and ssh and my VLAN knowledge at this point is negligible.
      I would guess you are accessing server from the same VLAN?

      The log traffic that all seems to originate from your xxx.xxx.xxx.1(VLAN interface) address is happening due to NAT.
      Packets entering VLAN heading for server come from xxx.xxx.xxx.1(VLAN interface) as far as server is concerned and vice versa.
      Since your server is on a VLAN, any traffic that does not come from within VLAN will be NATranslated.
      The "change" is just normal NATranslation for the VLAN subnet.
      So at a guess if you look at logs for the VLAN interface traffic you will see correct src and dst.

      Far from an expert on this but figured I would share anyway

      Example:
      If I sit on the WAN and look at outbound traffic it all originates from the xxx.xxx.xxx.1(WAN interface) address. Post NAT
      If I sit on the LAN and look at the same traffic I see correct source and destination IP. Pre NAT

      Netgate FW-7541, 4GB DDR3, 64GB SSD
      Intel(R) Atom(TM) CPU D525 @ 1.80GHz
      2.1p1-RELEASE (amd64)
      FreeBSD 8.3-RELEASE-p12
      Single WAN, Multi LAN, with Snort

      "Ignorance is not always a curable affliction."
      What the heck am I going to do with 64GB's???

brineberry (last edited Dec 6, 2013, 2:49 AM)

        That is exactly what is going on… except it happens even if I don't have NAT turned on for that interface. Or if, for instance, I try to access the server from one of the other internal LANs, for which no NAT intervenes and pfSense should just be routing packets from one interface to another. The source IP is modified nonetheless.

cmb (last edited Dec 6, 2013, 3:50 AM)

          Your outbound NAT is either manually configured to do that, or you wrongly have a gateway specified under that VLAN interface (Interface>VLANname) in which case the automatic outbound NAT will do that.

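The two causes cmb names (a manual outbound NAT rule that matches the traffic, or a gateway set on the VLAN interface so that automatic outbound NAT treats it as a WAN) can be reproduced in a small model. The following is an added example, not pfSense code and not code posted in the thread. It assumes the documented pfSense behaviour in simplified form: automatic outbound NAT generates a rule on every interface that has a gateway selected, translating the firewall's other local networks to that interface's address, while manual mode applies only the rules the administrator wrote. Interface names, addresses, networks, the client and the server below are all constructed.

```python
"""Model of how pfSense outbound NAT rewrites the source address seen by a host on a VLAN.

Added example, not pfSense code. Simplifying assumption: automatic outbound NAT emits a
rule on each interface that has a gateway (a "WAN-type" interface) for every other local
network; manual mode uses only the admin's rules. Topology and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Interface:
    name: str                       # pf interface name, e.g. "em1_vlan100" (constructed)
    address: str                    # address pfSense holds on that interface
    network: str                    # attached subnet in CIDR notation
    gateway: Optional[str] = None   # set under Interfaces > <name>; makes it WAN-type


@dataclass(frozen=True)
class NatRule:
    iface: str                      # interface the rule is attached to ("nat on <iface>")
    src_net: str                    # source network to translate
    dst_port: Optional[int]         # None matches any destination port (and ICMP)
    to_addr: str                    # address written into the packet's source field

    def as_pf(self) -> str:
        port = "" if self.dst_port is None else f" port {self.dst_port}"
        return f"nat on {self.iface} from {self.src_net} to any{port} -> {self.to_addr}"


def automatic_outbound_nat(interfaces):
    """Rules pfSense's automatic outbound NAT mode would generate (simplified model)."""
    wan_like = [i for i in interfaces if i.gateway is not None]
    local_nets = [i.network for i in interfaces if i.gateway is None]
    return [NatRule(w.name, net, None, w.address) for w in wan_like for net in local_nets]


def egress_interface(interfaces, dst):
    """Longest-prefix match over directly attached subnets; None if dst is not attached."""
    d = ip_address(dst)
    matches = [i for i in interfaces if d in ip_network(i.network)]
    return max(matches, key=lambda i: ip_network(i.network).prefixlen, default=None)


def source_seen_by_server(interfaces, rules, src, dst, dst_port):
    """Source address the host at dst records for a packet src -> dst:dst_port.

    The first matching nat rule on the egress interface wins; with no match the
    packet is plainly routed and keeps its real source address.
    """
    out = egress_interface(interfaces, dst)
    if out is None:
        raise ValueError(f"{dst} is not on an attached subnet")
    s = ip_address(src)
    for r in rules:
        if r.iface != out.name or s not in ip_network(r.src_net):
            continue
        if r.dst_port is None or r.dst_port == dst_port:
            return r.to_addr
    return src


# Constructed topology: a LAN client reaching a web server on a VLAN behind pfSense.
WAN = Interface("em0", "203.0.113.10", "203.0.113.0/24", gateway="203.0.113.1")
LAN = Interface("em1", "10.0.1.1", "10.0.1.0/24")
VLAN_OK = Interface("em1_vlan100", "192.168.100.1", "192.168.100.0/24")
VLAN_WITH_GW = Interface("em1_vlan100", "192.168.100.1", "192.168.100.0/24",
                         gateway="192.168.100.254")   # the misconfiguration
CLIENT, SERVER = "10.0.1.5", "192.168.100.3"
PORTS = (80, 22, None)                                # http, ssh, ping (no port)


def scenario_correct():
    """No gateway on the VLAN: automatic NAT puts no rule on it, the server logs the client."""
    ifs = [WAN, LAN, VLAN_OK]
    rules = automatic_outbound_nat(ifs)
    return {p: source_seen_by_server(ifs, rules, CLIENT, SERVER, p) for p in PORTS}


def scenario_gateway_on_vlan():
    """Gateway wrongly set on the VLAN: it is treated as WAN and every protocol is rewritten."""
    ifs = [WAN, LAN, VLAN_WITH_GW]
    rules = automatic_outbound_nat(ifs)
    return {p: source_seen_by_server(ifs, rules, CLIENT, SERVER, p) for p in PORTS}


def scenario_manual_port80():
    """Manual outbound NAT rule matching only port 80: the HTTP-only symptom from the thread."""
    ifs = [WAN, LAN, VLAN_OK]
    rules = [NatRule("em1_vlan100", "10.0.1.0/24", 80, "192.168.100.1")]
    return {p: source_seen_by_server(ifs, rules, CLIENT, SERVER, p) for p in PORTS}


if __name__ == "__main__":
    for r in automatic_outbound_nat([WAN, LAN, VLAN_WITH_GW]):
        print(r.as_pf())
    print(scenario_correct(), scenario_gateway_on_vlan(), scenario_manual_port80(), sep="\n")
```

The gateway case rewrites ssh and ping as well as http, so a symptom that is limited to one port points at the first of cmb's two causes, a manual rule; the check in either case is the same as in his reply: look at Firewall > NAT > Outbound for a rule on the VLAN interface, and at Interfaces > VLANname for a gateway that should not be there.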