Netgate Discussion Forum
    Firewall Rules - Packet Capturing - Understanding Problem

    4 Posts 3 Posters 1.2k Views
    inzanez
      Hi

      I've got a pfSense Firewall having three VLANs on interface igb0, with the IP addresses 10.0.0.1/24 (LAN), 10.0.2.1/24, 10.0.3.1/24 (Management).

      There's a firewall rule that allows clients from the LAN to connect to the management port 10.0.3.1 using ports 22 and 443.

      When I connect from a client in the LAN network to the management interface IP address 10.0.3.1, where SSH is running, and monitor the management interface with tcpdump, I don't see traffic.
      Monitoring traffic on the LAN interface on the other hand shows me the traffic to 10.0.3.1 dst port 22.

      Somehow that doesn't make sense right now. Shouldn't I see the traffic on the management interface as well somehow? I mean, the destination of the packet is 10.0.3.1, which IS the management interface IP address?

      …:-)

      awebster

        @inzanez: [quoting the original post above]

        You say that you have 3 VLANs on interface igb0, so if you tcpdump igb0, you will see traffic from all 3 VLANs. Be sure to use the -e flag on tcpdump if you want to see the VLAN # in the output.
        If you want to only "monitor the management interface", you have to use tcpdump igb0_vlan### where ### corresponds to the VLAN # you assigned to the Management VLAN.

        –A.

        rubic

          @inzanez:

          Shouldn't I see the traffic on the management interface as well somehow?

          You should not. When traffic is destined to THIS host (see "weak end system model" and "weak host receive behavior"), it is passed to the listening socket by the kernel. There is no need (and no way) to pass it to the incoming queue of the interface the destination IP belongs to.

            inzanez
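          The two replies above make two separate points: on the parent igb0 a capture sees every VLAN and only -e reveals the tag, and a packet is captured on the VLAN it arrives on, not on the VLAN whose interface owns the destination address. The following is an added example, not from the thread or from pfSense itself. It assumes the igb0_vlan### naming awebster describes, picks hypothetical VLAN IDs 10 (LAN), 20 and 30 (Management), and uses constructed tcpdump -e output lines to show how the VLAN tag is read and which child interface a frame belongs to.

```shell
#!/bin/sh
# Added example (not from the forum thread). Assumes pfSense names the VLAN
# child interface <parent>_vlan<ID>; VLAN IDs 10/20/30 are hypothetical choices.

# tcpdump command to capture one VLAN while listening on the parent interface.
# -e prints the link-layer header, which is where the 802.1Q tag appears;
# 'vlan N' is a BPF qualifier that matches frames tagged with that VLAN.
parent_capture_cmd() {
    # $1 = parent interface, $2 = VLAN id, $3 = host, $4 = port
    printf 'tcpdump -ni %s -e vlan %s and host %s and port %s\n' "$1" "$2" "$3" "$4"
}

# Equivalent capture on the VLAN child interface. Frames arrive there already
# untagged, so no 'vlan' qualifier is needed.
child_capture_cmd() {
    # $1 = parent interface, $2 = VLAN id, $3 = host, $4 = port
    printf 'tcpdump -ni %s_vlan%s host %s and port %s\n' "$1" "$2" "$3" "$4"
}

# Constructed sample of 'tcpdump -e' output on the parent igb0: three tagged
# frames from three VLANs. The first one is the poster's case: a LAN client
# (VLAN 10) opening SSH to the management address 10.0.3.1.
SAMPLE='00:00:01.000001 00:11:22:33:44:01 > 00:11:22:33:44:ff, ethertype 802.1Q (0x8100), length 78: vlan 10, p 0, ethertype IPv4 (0x0800), 10.0.0.50.51234 > 10.0.3.1.22: Flags [S], seq 1, win 65535, length 0
00:00:01.000002 00:11:22:33:44:02 > 00:11:22:33:44:ff, ethertype 802.1Q (0x8100), length 78: vlan 20, p 0, ethertype IPv4 (0x0800), 10.0.2.7.40000 > 10.0.2.1.53: Flags [S], seq 1, win 65535, length 0
00:00:01.000003 00:11:22:33:44:03 > 00:11:22:33:44:ff, ethertype 802.1Q (0x8100), length 78: vlan 30, p 0, ethertype IPv4 (0x0800), 10.0.3.9.50000 > 10.0.3.1.443: Flags [S], seq 1, win 65535, length 0'

# Count frames per VLAN tag in -e output: the parent sees all three VLANs.
# Output format: "10:1 20:1 30:1"
vlan_counts() {
    printf '%s\n' "$SAMPLE" \
      | sed -n 's/.*ethertype 802.1Q (0x8100), length [0-9]*: vlan \([0-9]*\),.*/\1/p' \
      | sort | uniq -c \
      | awk '{ printf "%s%s:%s", sep, $2, $1; sep = " " }'
}

# Number of frames carrying a given VLAN tag (0 when none match).
frames_on_vlan() {
    printf '%s\n' "$SAMPLE" | grep -c ": vlan $1, " || true
}

# Which VLAN child interface a frame to a given destination shows up on: the
# tag the frame carries, not the VLAN that owns the destination IP. The
# LAN -> 10.0.3.1:22 frame therefore appears on igb0_vlan10 (and on igb0),
# never on igb0_vlan30: it is delivered to the local SSH socket directly.
ingress_iface() {
    # $1 = parent interface, $2 = destination as "ip.port" in tcpdump notation
    printf '%s\n' "$SAMPLE" \
      | grep " > $2: " \
      | sed -n "s/.*: vlan \([0-9]*\),.*/$1_vlan\1/p"
}

# Stand-alone usage: print both capture commands and the classification.
parent_capture_cmd igb0 30 10.0.3.1 22
child_capture_cmd igb0 30 10.0.3.1 22
echo "frames per VLAN on igb0: $(vlan_counts)"
echo "LAN->mgmt SSH frame belongs to: $(ingress_iface igb0 10.0.3.1.22)"
```

          The practical takeaway for verifying a firewall rule like the one in the post: capture on the interface the client's traffic enters (igb0_vlan10 here, or igb0 with -e and a vlan qualifier), not on the interface that owns the destination address.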

            Perfect, thanks for the information. That solves that particular problem of understanding why I see what I've seen so far…:-)
            One step further in resolving... that magic mess:-)

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.