Firewall Rules - Packet Capturing - Understanding Problem



  • Hi

    I've got a pfSense Firewall having three VLANs on interface igb0, with the ip addresses 10.0.0.1/24 (LAN), 10.0.2.1/24, 10.0.3.1/24 (Management).

    There's a firewall rule that allows clients from the LAN to connect to the management port 10.0.3.1 using ports 22 and 443.

    When I connect from a client in the LAN network to the management interface IP address 10.0.3.1, where SSH is running, and monitor the management interface with tcpdump, I don't see traffic.
    Monitoring traffic on the LAN interface on the other hand shows me the traffic to 10.0.3.1 dst port 22.

    Somehow that doesn't make sense right now. Shouldn't I see the traffic on the management interface as well somehow? I mean, destination of the packet is 10.0.3.1, which IS the management interface ip address?

    …:-)



  • @inzanez:

    Hi

    I've got a pfSense Firewall having three VLANs on interface igb0, with the ip addresses 10.0.0.1/24 (LAN), 10.0.2.1/24, 10.0.3.1/24 (Management).

    There's a firewall rule that allows clients from the LAN to connect to the management port 10.0.3.1 using ports 22 and 443.

    When I connect from a client in the LAN network to the management interface IP address 10.0.3.1, where SSH is running, and monitor the management interface with tcpdump, I don't see traffic.
    Monitoring traffic on the LAN interface on the other hand shows me the traffic to 10.0.3.1 dst port 22.

    Somehow that doesn't make sense right now. Shouldn't I see the traffic on the management interface as well somehow? I mean, destination of the packet is 10.0.3.1, which IS the management interface ip address?

    …:-)

    You say that you have 3 VLANs on interface igb0, so if you tcpdump igb0, you will see traffic from all 3 VLANs.  Be sure to use -e flag on tcpdump if you want to see the VLAN# in the output.
    If you want to only "monitor the management interface", you have to use tcpdump igb0_vlan### where ### corresponds to the vlan # you assigned to the Management vlan.



  • @inzanez:

    Shouldn't I see the traffic on the management interface as well somehow?

    You should not. When traffic is designated to THIS host (see "weak end system model" and "weak host receive behavior"), it passed to the listening socket by the kernel. There is no need (and no way) to pass it to incoming queue of the interface the destination IP belongs to.



  • Perfect, thanks for the information. That solves that particular problem understanding why I see what I've seen so far…:-)
    One step further in resolving,...that magic mess:-)


Log in to reply