UDP broadcast flood that kills my network



  • Hello,

    I'm new to pfSense. I have a configuration that has an issue:
    em0 and em1 connected to the same L2

    If I apply these rules (generated by the pfSense interface):
    pass in quick on em0 route-to (em0 172.16.22.99) inet all flags S/SA keep state
    pass in quick on em0 inet all flags S/SA keep state

    my network is killed by broadcast UDP packets forged by pfSense and destined to the whole network…  :o

    I read this topic https://forum.pfsense.org/index.php?topic=57492.0 that was very similar but I can't find a solution.

    Can someone explain to me what is happening and how to prevent this issue?

    thanks!

    Matteo
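The symptom described in the post above (the same UDP broadcast datagram re-emitted many times from the firewall's own MAC) can be spotted on a capture taken from the L2 segment. The Python below is an added example, not code from this thread or from pfSense; it parses a constructed, simplified frame log (not real tcpdump output) and flags a datagram that is repeated from a second source MAC at storm rate, which separates a reflection loop from many genuine senders.

```python
"""Detect a UDP broadcast storm caused by reflected copies of one datagram.
Added example; the MACs, IPs and the log format are all constructed."""
from collections import defaultdict

# Constructed log format: "<secs> <src_mac> <dst_mac> <src_ip> <dst_ip>:<dport> <payload_hex>"
HOST_MAC = "00:aa:bb:00:00:01"          # hypothetical LAN host
FW_MAC = "00:aa:bb:ff:ff:ff"            # hypothetical firewall MAC
BCAST = "ff:ff:ff:ff:ff:ff"

# One genuine DHCP-style broadcast, then 400 copies re-sourced from the firewall
# within 0.4 s, plus one unrelated NetBIOS broadcast that must not be flagged.
SAMPLE = "\n".join(
    [f"0.000 {HOST_MAC} {BCAST} 0.0.0.0 255.255.255.255:67 01deadbeef"]
    + [f"{0.001 * i:.3f} {FW_MAC} {BCAST} 0.0.0.0 255.255.255.255:67 01deadbeef"
       for i in range(1, 401)]
    + [f"0.500 00:aa:bb:00:00:02 {BCAST} 172.16.22.5 172.16.22.255:137 cafe0000"]
)


def parse(line):
    """Split one constructed log line into a frame dict."""
    t, smac, dmac, sip, dst, payload = line.split()
    dip, dport = dst.rsplit(":", 1)
    return {"t": float(t), "smac": smac, "dmac": dmac, "sip": sip,
            "dip": dip, "dport": int(dport), "payload": payload}


def find_storm(log, window=1.0, min_copies=100):
    """Group broadcast UDP frames by (dport, payload). A group counts as a storm
    when the identical datagram appears at least min_copies times inside
    `window` seconds AND from more than one source MAC: one origin plus
    reflected copies, i.e. a forwarding loop rather than many real senders."""
    groups = defaultdict(list)
    for line in log.splitlines():
        frame = parse(line)
        if frame["dmac"] != BCAST:
            continue                      # only broadcast frames matter here
        groups[(frame["dport"], frame["payload"])].append(frame)

    findings = []
    for (dport, _payload), frames in groups.items():
        frames.sort(key=lambda f: f["t"])
        macs = {f["smac"] for f in frames}
        span = frames[-1]["t"] - frames[0]["t"]
        if len(macs) > 1 and len(frames) >= min_copies and span <= window:
            origin = frames[0]["smac"]    # earliest sender is the real source
            findings.append({"dport": dport, "copies": len(frames),
                             "origin": origin,
                             "reflectors": sorted(macs - {origin})})
    return findings
```

With the constructed sample, `find_storm(SAMPLE)` reports the port 67 datagram as 401 copies originating from the host MAC and reflected by the firewall MAC, while the single port 137 frame is ignored.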



  • I may be reading this incorrectly, but if both interfaces go to the same Layer 2 and you set up forwarding, didn't you just create a loop?



  • "em0 and em1 connected to the same L2"

    I agree with Harvy. That is your issue. It's WAN and LAN, right? If you connect those two to the same thing they will both DHCP an IP from the L2, but your pfsense network will not be able to use them because they will both be WANs. You need one LAN to go out to the internet.

    So for instance, you probably have something like this, which you won't be able to see of course because you have no LAN.

    WAN

    192.168.55.73
    192.168.55.74

    LAN

    nothing is there so internet access is not possible.

    What you need is this.

    1 WAN connected to L2 from the pfsense box. Then you need 1 LAN connected from your pfsense box to your computer that needs to access the internet.  Then for wireless if you want other laptops, phones or whatever you have to connect, your best bet would be a wireless access point. I could be wrong but I believe this requires another ethernet card or in other words it would be 3 ethernet connections. 1 WAN for L2, 1 LAN for PC, 1 LAN for the wireless access point.

    Then this will happen.

    Your WAN will DHCP 1 IP address from the L2.
    Your LAN 1 and LAN 2 will DHCP 2 different IP addresses from the pfsense box that will be within the subnet that you have chosen.



  • yes, it seems a loop or something similar.

    But I can't explain this technically.

    I don't have any bridge configured.

    I'm a free man and I can connect multiple interfaces to the same L2 without causing a loop.

    Why does a pf rule "copy" packets to/from interfaces and create this behaviour?

    I'm not the only person that reported this issue.

    If someone can clarify this…

    Thanks

    Matteo



  • What language do you speak? If it's not english try another segment of this forum that would have your language.



  • My friend, I apologize for my poor English but I can say that you are poor of technical skill in this topic.

    Bridging is one thing (http://en.wikipedia.org/wiki/Bridging_(networking))
    Forwarding is another (http://en.wikipedia.org/wiki/Packet_forwarding)

    These things are not to be confused.

    I'm not alone, as I reported another post on this forum that has my same issue. If you have doubts you can read that post too.

    If you cannot help please shut.

    Have a nice day, my friend

    M.



  • "If you cannot help please shut."

    I do hope that someone will tolerate your rudeness.  In the meantime you could read and search through this page to find the answer on your own.

    https://doc.pfsense.org/index.php/Special:Categories

    You could also become a Gold member to have access to the guide for the latest version of Pfsense. Other than that it might be wise to be more cordial and perhaps someone will come in to help.

    Have a good day:)



  • I don't know the firewall rules like "pass in quick on em0 …", but if you have both interfaces on the same broadcast domain and you quickly forward any packet from the broadcast domain back to the same broadcast domain, you have a loop.

    Maybe you should link a diagram.



  • Hi Harvy66 exactly, these rules are doing something that is not so evident.

    These rules are strictly applied to em0, so why does something happen that is related to em1?

    Also "forwarding packets" in networking terms does not mean "read UDP broadcast packets, duplicate them, forge them with your own MAC address, and inject them on the network". This behavior really seems like a bridge issue.  :o

    If you configure two interfaces on the same L2 network, for example in Linux or Cisco IOS, you are not able to kill your network with some simple firewall rules  :o Is this the power of FreeBSD?  ???

    Probably only someone who has a good knowledge of PF internals can understand this… I read the documentation quickly and I don't have much experience with PF. I also found other strangeness in PF (I wrote another post: https://forum.pfsense.org/index.php?topic=79637)

    M.

    p.s.: attached is the network diagram, it's very simple

    ![Untitled Diagram (1).png](/public/imported_attachments/1/Untitled Diagram (1).png)



  • "Forwarding", as a network term, is about routing between two different broadcast domains or subnets. It is generally bad practice to have multiple subnets in the same broadcast domain and it's bad practice to effectively plug your WAN port into your LAN port.

    You're not following convention.

    1. Packet received on Broadcast Domain 1
    2. Packet forwarded to Broadcast Domain 1
    3. Goto 1

    Sounds an awful lot like a loop to me.



  • Is this related to what your L2 is supposed to do? But it doesn't work on Pfsense?

    http://www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/116266-configure-l2-00.html



  • @Cmellons:

    Is this related to what your L2 is supposed to do? But it doesn't work on Pfsense?

    http://www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/116266-configure-l2-00.html

    My scenario was produced accidentally for testing purposes, it's a POC, clearly it does not make sense, but I'm worried by this.

    I want to understand why a simple pass PF rule (that literally says "accept traffic from the em0 interface") can kill the whole network if there is also another NIC, the em1 interface, connected to the same L2. This does not make sense technically.

    Thanks,

    M.



  • Is the L2 gateway the same as the pfsense gateway?

    Such as L2 gateway = 192.168.1.1 and Pfsense gateway = 192.168.1.1

    If it is then I can see why there would be difficulties. Like all hardware firewalls, Pfsense works best on the perimeter, directly receiving an IP address by way of DHCP from the ISP.