Filtering bridge and tcpdump on other hosts

  • Hi,

    Today I received a complaint from one of the customers of our colocation provider. He thought our server was hacked and sending a lot of traffic to his server.

    However, further investigation shows that he sees the traffic that is sent to one of our IPs on the LAN side of the filtering bridge. For example, we have streaming on port 8001 and he sees in his tcpdump … my IP at home > IP in colocation center port 8000.

    Our provider uses a switch and the network is set up as follows:
    network provider/24 -> WAN pfsense (filtering bridge) LAN -> our internal switch -> our servers with public IP address of our network provider /24

    So the client that is complaining is on the network provider/24 part.

    Can this be caused by pfsense, maybe a misconfiguration, or is something else going on on the network of our provider? I have also activated bandwidthd and ntop on the pfsense and I also see traffic for other hosts on the network. When I use tcpdump without parameters in the shell of pfsense then I don't see any abnormal traffic passing by.

    I really need to know if pfsense could cause this, or that this is a misconfiguration on the side of my provider or that this is normal behaviour.

    PS: I followed these directions to set up the filtering bridge:
    Thanks in advance.

  • It is a transparent bridge. Or in poor words it is a piece of copper to the network.

    Only your switch is forwarding wrong traffic or the provider is doing something else or ….
