Traffic on wrong interface in wrong direction

itBJA

Hey community,
I have a strange behaviour on my PF+ (Netgate 8200)
I see logged traffic on the LAN-Interface:

But:

1. Source and destination are actually swappen (172.21.110.11 is the host that pings)
2. None either dest nor source are behind the LAN-Interface.
   The system in dest is behind IPSec and the source is behind another interface.
   For the source here, all VLAN-Tags are set correctly, no additional routes etc.
   LAN-interface itself has no VLAN, as there is one host on that interface that isn't capable of handling VLAN-tags.
   Can anyone explain, why this one source-dest-combination is occuring on that interface, none else except the one system on the LAN-interface.

Thanks!

luckman212

@itBJA Strange, but something is creating those states.

Since you have the pf ruleid there, can you run pfctl -vvsr | grep -A4 1750319599 and see which rule it's hitting?

I would also run tcpdump -vvv -ni ix1 icmp on your 8200 (obviously change ix1 to your LAN interface if it's something else).

And lastly, packet capture on those source/dest hosts (use Wireshark if they can't run tcpdump)...

itBJA

Hi,
I created this any-any-log - rule to make the traffic visible.
Both sides are just network devices, that can't be accessed in anyway, so also not possible to run a tcpdump or wireshark on it.

itBJA

I did the tcpdump on the 8200.
The logged traffic is the ICMP-reply.
So the behaviour is even more strange, that the reply goes out on a different interface than the ICMP request...
172.16.107.201 > 172.21.110.11: ICMP echo reply, id 22591, seq 0, length 76
172.16.107.201 > 172.21.110.11: ICMP echo reply, id 22591, seq 1, length 76
172.16.107.201 > 172.21.110.11: ICMP echo reply, id 22591, seq 2, length 76
172.16.107.201 > 172.21.110.11: ICMP echo reply, id 22591, seq 3, length 76
172.16.107.201 > 172.21.110.11: ICMP echo reply, id 22591, seq 4, length 76

The capture on the vlan-interface actually gives
tcpdump: listening on lagg1.107, link-type EN10MB (Ethernet), snapshot length 262144 bytes
172.21.110.11 > 172.16.107.201: ICMP echo request, id 28726, seq 0, length 76
172.16.107.201 > 172.21.110.11: ICMP echo reply, id 28726, seq 0, length 76

So why is the reply on visible on both interfaces?!
When adding a rule above the any-rule and blocking the host .201 on that interface, the ICMP-Reply is received on the other side on the correct vlan, but this all is weird behaviour.
I also see blocks on other interfaces although there is an Allow-Rule above.
I think I'll need the support.

SteveITS

@itBJA is the subnet mask correct on all interfaces?

itBJA

Yes,
all interfaces are /24

tinfoilmatt

@itBJA said in Traffic on wrong interface in wrong direction:

So why is the reply on visible on both interfaces?!

Where is this shown in anything you've posted?

What you have here is a big mess, all stemming from the conflation of L2 VLANs with L3 router interfaces. There's no such thing as a "vlan-interface".

But I otherwise don't see what the problematic behavior is. You have a firewall rule applied to the "LAN" interface, and which is apparently configured to log passed ICMP traffic. That's what it's doing.

itBJA

Example from the pinging system:

And also the tcpdump on the PF is showing both packets when doing dump on interface lagg1 and interface lagg1.107
(I consider lagg.107 as an vlan interface, as this is also "language" of the switch)

tinfoilmatt

@itBJA So duplicate echo replies are received on the host at 172.21.110.11. I got it.

What kind of managed switch?

itBJA

Huawei.
I‘m with Netgate and Huawei-Support in contact.