Broadcast storm
-
Hello everyone,
I have the following problem:
I want to use another gateway for one host. As soon as I add a firewall rule on the LAN interface from the specific host to any, with the other gateway as gateway, a broadcast storm appears.
The lab environment is as follows:
Gateway 1 and 2 are connected to the wan through wan interface
There is a DMZ network between Gateway 1, 2 and pfsense
Pfsense is connected to lan
No NAT is used between pfsense and gateway 1, 2 (nat is completely disabled)
As I stated, this is a lab environment and all these networks are on one vlan, just different subnets. I know this is not best practice, and in production these networks are all in different vlans.
But still it is weird: as soon as I specify a gateway in one of the firewall rules (LAN interface) a broadcast storm occurs.
Does anyone have a clue why this happens?
-
Why create multiple gateways on a single interface?
Why create a gateway on lan? You generally don't
-
Why create multiple gateways on a single interface?
Why create a gateway on lan? You generally don't
We have multiple types of gateways, like Pfsense, Fortigate and Sophos. They are all used for different purposes (like basic nat, site-to-site, and intrusion prevention). But it's also a license thing…
I didn't create a gateway on the lan interface, I created the gateway on the DMZ interface and used this gateway in the lan rule to any.
-
Gateway 1 and 2 are connected to the wan through wan interface
There is a DMZ network between Gateway 1, 2 and pfsense
Pfsense is connected to lan
No NAT is used between pfsense and gateway 1, 2 (nat is completely disabled)
above is not making a lot of sense for me, maybe others understand what you are trying to say/do.
it would help if you draw up a schematic of the network; this with relevant info like subnetting/routes/gateways
-
This is what I'm trying to do:
172.16.1.1 use fortigate
172.16.1.2 use sophos
172.16.1.3 use cisco asa
-
Ok so use policy based routing..
What is this broadcast storm you're saying happens?
-
Ok so use policy based routing..
What is this broadcast storm you're saying happens?
That's what I'm doing and after I create the firewall rule for policy based routing a broadcast storm occurs. It is like a cable is connected from and to the same switch, loop.
-
Dude draw up your connections.. You mention vlans.. And what is the broadcast storm.. Where is it coming from, what are the broadcasts you're seeing?
"and all these network are on one vlan,"
So you're trying to run different L3 over the same L2 ??? You're saying pfsense wan and lan plug into the same switch on the same vlan? Well yeah that is a freaking loop!!
-
what i make of it:
-DMZ is in an isolated subnet, no way to get to/from it
-fortigate & asa share the same ip address
-all your gateways are inside the same subnet (= no go)
as @johnpoz said: need more info
-
Also looks like two of your gateways have the same IP address. You mention your gateways have a route (I'm assuming static) to your LAN, but does your LAN have a static route back? Did you manually assign each client their own gateway? I'm assuming these are hooked up to different ISPs or is this a completely isolated network? So your static routes are using /32? Can we see your routing table? Like others, network looks a little weird, but I'm sure there is a reason you have it wired this way? Do you have a dynamic routing protocol turned on? This can cause a broadcast storm if you have multiple paths to the same network.
-
Dude draw up your connections.. You mention vlans.. And what is the broadcast storm.. Where is it coming from, what are the broadcasts you're seeing?
"and all these network are on one vlan,"
So you're trying to run different L3 over the same L2 ??? You're saying pfsense wan and lan plug into the same switch on the same vlan? Well yeah that is a freaking loop!!
A router shouldn't forward broadcasts between interfaces. That's what the interface bridging is for. I can't see where the broadcast storm is from.
Here is a new picture with the connections. Just to be clear, I know it's not best practice to put the interfaces in the same vlan but that was just for this lab environment.
I'll reproduce it again in the lab environment and debug where the broadcast is from, not sure if it's a layer 2 or layer 3 broadcast. If it's a layer 3 broadcast it might be explainable. But still weird it only happens after I change the gateway for the default rule.
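To tell a layer 2 broadcast from a layer 3 broadcast, and a genuine burst of traffic from a single frame being re-flooded around a loop, a small capture analyser helps. The script below is an added example and not code from the thread or from pfSense; it parses tcpdump-style "-e" summary lines (the sample frames are constructed for the example and assume the LAN is 172.16.0.0/16 as in the thread) and reports, per second, how many L2 broadcasts (destination ff:ff:ff:ff:ff:ff), L3 broadcasts (IPv4 to the subnet or limited broadcast address) and unicast frames it saw. Seconds whose broadcast count passes a threshold are flagged as storm candidates, and identical broadcast frames from the same source repeated inside one second are flagged separately, since that repetition pattern points at a loop rather than at many chatty hosts.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in `tcpdump -e` style; these are made-up frames, not
# captures from the thread. Four identical ARP requests arrive within
# half a millisecond, which is what a re-flooded (looped) frame looks like.
SAMPLE = """\
10:00:01.000100 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.1.1 tell 172.16.0.10
10:00:01.000250 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.1.1 tell 172.16.0.10
10:00:01.000400 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.1.1 tell 172.16.0.10
10:00:01.000550 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.1.1 tell 172.16.0.10
10:00:01.200000 00:aa:bb:cc:dd:ee > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 243: 172.16.0.20.138 > 172.16.255.255.138: UDP, length 201
10:00:02.000000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 98: 172.16.0.10 > 172.16.0.20: ICMP echo request, id 1, seq 1, length 64
10:00:02.500000 00:aa:bb:cc:dd:ee > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.0.10 tell 172.16.0.20
"""

FRAME_RE = re.compile(
    r"^(?P<sec>\d\d:\d\d:\d\d)\.(?P<usec>\d+) "
    r"(?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<eth>\w+) \(0x[0-9a-fA-F]+\), length \d+: (?P<payload>.*)$"
)
# Destination IPv4 address inside the payload, with an optional trailing ".port"
IP_DST_RE = re.compile(r"> (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?[: ]")
L2_BCAST = "ff:ff:ff:ff:ff:ff"
LAN = ip_network("172.16.0.0/16")  # assumption: the thread's /16 LAN


def parse_line(line):
    """Return the frame fields as a dict, or None for lines that do not match."""
    m = FRAME_RE.match(line)
    return m.groupdict() if m else None


def classify_frame(frame, lan=LAN):
    """'l3_broadcast' for IPv4 to the subnet or limited broadcast address,
    'l2_broadcast' for any other frame to ff:ff:ff:ff:ff:ff, else 'unicast'."""
    if frame["eth"] == "IPv4":
        m = IP_DST_RE.search(frame["payload"])
        if m:
            dst = ip_address(m.group(1))
            if dst == lan.broadcast_address or dst == ip_address("255.255.255.255"):
                return "l3_broadcast"
    if frame["dst"] == L2_BCAST:
        return "l2_broadcast"
    return "unicast"


def analyze(text, rate_threshold=100, dup_threshold=3, lan=LAN):
    """Per-second frame classes, storm candidate seconds and repeated frames."""
    per_second = defaultdict(Counter)
    dup_keys = defaultdict(Counter)  # second -> (src MAC, payload) -> count
    for line in text.splitlines():
        frame = parse_line(line)
        if frame is None:
            continue
        kind = classify_frame(frame, lan)
        per_second[frame["sec"]][kind] += 1
        if kind != "unicast":
            dup_keys[frame["sec"]][(frame["src"], frame["payload"])] += 1
    storm_seconds = sorted(
        sec for sec, c in per_second.items()
        if c["l2_broadcast"] + c["l3_broadcast"] >= rate_threshold
    )
    # The same source re-sending byte-identical broadcasts within one second
    # is the signature of a frame circulating in a loop, not of a busy LAN.
    duplicates = [
        {"second": sec, "src": src, "payload": payload, "count": n}
        for sec, counter in sorted(dup_keys.items())
        for (src, payload), n in counter.items()
        if n >= dup_threshold
    ]
    return {
        "per_second": {sec: dict(c) for sec, c in per_second.items()},
        "storm_seconds": storm_seconds,
        "duplicates": duplicates,
    }


if __name__ == "__main__":
    # Low thresholds so the tiny constructed sample triggers both checks.
    result = analyze(SAMPLE, rate_threshold=5, dup_threshold=3)
    for sec, counts in sorted(result["per_second"].items()):
        print(sec, counts)
    print("storm candidate seconds:", result["storm_seconds"])
    for d in result["duplicates"]:
        print(f"loop sign: {d['src']} repeated {d['count']}x in {d['second']}: {d['payload']}")
```

On a real capture taken on the pfSense LAN interface (`tcpdump -e -n -i <lan_if> broadcast`, fed to `analyze` with the default thresholds), a loop shows up as a small number of distinct frames each repeated hundreds of times per second, whereas a legitimately busy /16 shows many distinct sources each sending once.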
-
what i make of it:
-DMZ is in an isolated subnet, no way to get to/from it
-fortigate & asa share the same ip address
-all your gateways are inside the same subnet (= no go)
as @johnpoz said: need more info
You're right, I messed up the drawing a bit. (Reality and lab mixed in this drawing haha)
About the gateway thing… why not have multiple gateways inside same subnet?
new drawing:
-
Also looks like two of your gateways have the same IP address. You mention your gateways have a route (I'm assuming static) to your LAN, but does your LAN have a static route back? Did you manually assign each client their own gateway? I'm assuming these are hooked up to different ISP'S or is this a completely isolated network? So your static routes are using /32? Can we see your routing table? Like others network looks a little weird, but I'm sure their is a reason you have it wired this way? Do you have a dynamic routing protocol turned on? This can cause a broadcast storm if you have multiple paths to the same network.
Yes, drawing was messed up, added a new one in the post above. LAN doesn't need a static route back to the dmz, because it is in the direct connected network from the pfsense.
It is not a separate ISP, all is one ISP, but we have a routed subnet so the external firewalls (fortigate, sophos, cisco) have an external (routable) address and an internal address for the DMZ.
I didn't turn on anything like dynamic routing protocol, where is this located?
Edit:
if you mean with dynamic routing = RIP then no, it's not turned on.
-
Dude that is such a BAD idea be it lab or not… You're running different layer 3 over the same layer 2.. And why are you using a /16 network that is just BAD practice as well.
Why not just get another switch?
Show how you have your gateways setup in pfsense..
-
As it is set up now, you don't have any separation between LAN and DMZ because they are on the same switch effectively nullifying any firewalling you have on the pfSense.
-
Dude that is such a BAD idea be it lab or not… You're running different layer 3 over the same layer 2.. And why are you using a /16 network that is just BAD practice as well.
Why not just get another switch?
Show how you have your gateways setup in pfsense..
Haha I know it's not a good idea, but a broadcast storm shouldn't happen either. Who / what says that /16 is bad practice? It is in the RFC for private network ip ranges: https://tools.ietf.org/html/rfc1918 it is very common. We need it for the internal address space, we have a lot of servers.
It actually is 802.1q capable switch, but wanted to setup the lab fast so didn't configure it.
Currently I'm not able to reach the lab environment. I'll show gateway setup as soon as I can.
-
@kpa:
As it is set up now, you don't have any separation between LAN and DMZ because they are on the same switch effectively nullifying any firewalling you have on the pfSense.
Yes, but that is not the purpose of this post. And what it currently looks like, even separating the switches does not have any effect if the broadcasts are being forwarded. But that is just speculation, I have to debug more to see what broadcasts are being forwarded.
-
/16 has 65K hosts… You have that many servers?? That is one freaking huge broadcast domain.. Nobody would ever have that many hosts on the same broadcast domain.. So 10 in the rfc1918 space is a /8 -- you think it's a good idea to use a /8 mask on your interfaces.. You don't think that might have issues with overlap somewhere?
It is bad practice to use an unrealistically large mask because of pure laziness yes.. Do you need that in a rfc somewhere to know its a bad idea?? And bad practice?
-
/16 has 65K hosts… You have that many servers?? That is one freaking huge broadcast domain.. Nobody would ever have that many hosts on the same broadcast domain.. So 10 in the rfc1918 space is a /8 -- you think it's a good idea to use a /8 mask on your interfaces.. You don't think that might have issues with overlap somewhere?
It is bad practice to use an unrealistically large mask because of pure laziness yes.. Do you need that in a rfc somewhere to know its a bad idea?? And bad practice?
True, current network is around 500 ip addresses. That's also why I'm setting this up because we are going to split the subnets. It's not that I do not agree but was just curious if there is any best practice for subnet sizes.
-
i doubt there are any "official" rules, but imho, it's best to limit to /23 or /22 (that's around 512/1024 available IPs)
I have a /22 on a public wifi hotspot because i don't wish to run the same SSID on multiple vlans to split it up / it's not an ideal situation, but for sake of simplicity i keep it like that
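The two planning questions raised in this thread, whether interface subnets overlap (the /8 mask concern earlier in the thread, and gateways that end up inside the same subnet) and how large a subnet a given host count needs, can both be checked with Python's standard `ipaddress` module. The script below is an added example and not code from the thread or from pfSense; the interface table is constructed for the example (a /16 LAN containing the DMZ's /24, plus a WAN in the 203.0.113.0/24 documentation range), and the sizing rule (smallest prefix whose usable host count fits the hosts plus a growth factor) is the helper's own assumption, not a rule from the thread.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed example interface table; the /16 LAN swallows the DMZ's /24,
# which is the overlap the thread warns about. Not the poster's real config.
INTERFACES = {
    "LAN": "172.16.0.0/16",
    "DMZ": "172.16.1.0/24",
    "WAN": "203.0.113.0/24",   # RFC 5737 documentation range, stands in for the ISP subnet
}


def find_overlaps(interfaces):
    """Return sorted (name_a, name_b) pairs whose subnets overlap.

    Two interfaces of the same router with overlapping subnets mean the
    router cannot know which interface owns a given address, which is
    exactly what an over-wide /8 or /16 mask produces."""
    nets = {name: ip_network(cidr, strict=False) for name, cidr in interfaces.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def broadcast_domain_size(cidr):
    """(total addresses, usable host addresses) for an IPv4 prefix."""
    net = ip_network(cidr, strict=False)
    # Network and broadcast addresses are not assignable on prefixes shorter than /31.
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return net.num_addresses, usable


def smallest_prefix_for(hosts, headroom=1.0):
    """Shortest IPv4 prefix length whose usable hosts fit `hosts * headroom`.

    `headroom` is an assumed growth factor (2.0 = plan for double the hosts)."""
    needed = int(hosts * headroom + 0.999999) + 2  # hosts, rounded up, plus network/broadcast
    host_bits = (needed - 1).bit_length()         # smallest n with 2**n >= needed
    return 32 - host_bits


if __name__ == "__main__":
    for pair in find_overlaps(INTERFACES):
        print(f"overlap: {pair[0]} ({INTERFACES[pair[0]]}) and {pair[1]} ({INTERFACES[pair[1]]})")
    for cidr in ("172.16.0.0/16", "172.16.0.0/23", "172.16.0.0/22"):
        total, usable = broadcast_domain_size(cidr)
        print(f"{cidr}: {total} addresses, {usable} usable hosts in one broadcast domain")
    for hosts, headroom in ((500, 1.0), (500, 2.0)):
        print(f"{hosts} hosts with x{headroom} headroom -> /{smallest_prefix_for(hosts, headroom)}")
```

Running it prints the DMZ/LAN overlap and shows that the thread's roughly 500 addresses fit a /23 as-is and a /22 with room to double, which matches the /23 or /22 suggested above; for a real pfSense box the interface table would be built from its configured interface subnets rather than the constructed dict.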