Hi,
I have noticed quite a concerning problem with traffic filtering affecting my setup.
I have an Opnsense DEC2752 box running Opnsense Community 25.1.7_2.
This box is connected to the WAN using a physical copper connection. In order to reach the internet, the traffic needs to be tagged with a specific dot1q tag and therefore I have configured a sub-interface. Therefore I have a parent interface igc1 with a single sub-interface vlan0.100.
Now, the connection between igc1 and the upstream switch appears to be a trunk with different VLANs allowed. With wireshark, I can see a lot of broadcast and multicast traffic with different VLAN tags reaching igc1. This traffic is for some reason not filtered and it is being forwarded to the LAN segment.
This is a corporate environment, and the firewall is used to isolate a test environment from the main corporate network. I have no control over the rest of the corporate network so changing the allowed VLANs on the trunk is not an option. Besides, I still would like to understand this particular behavior.
Do you have the untagged uplink interface assigned to anything in Interfaces > Assignments? You should not, if the tagged subinterface is in fact your WAN connection.
Hi Patrick and thanks for the quick reply. The physical interface is not assigned.
Quote from: opulentjuice on August 08, 2025, 11:24:54 AM
With wireshark, I can see a lot of broadcast and multicast traffic with different VLAN tags reaching igc1.
This is to be expected if there is no filtering taking place on the switch with respect to "allowed VLANs".
Quote from: opulentjuice on August 08, 2025, 11:24:54 AM
This traffic is for some reason not filtered and it is being forwarded to the LAN segment.
This should definitely not be the case and I cannot see a way for this to happen at all if there is no assignment and hence no layer 3 configuration on the physical port.
Are you perchance running OPNsense in transparent filtering bridge mode?
Quote from: Patrick M. Hausen on August 08, 2025, 12:04:01 PM
This should definitely not be the case and I cannot see a way for this to happen at all if there is no assignment and hence no layer 3 configuration on the physical port.
Are you perchance running OPNsense in transparent filtering bridge mode?
Totally agree, and I am also very puzzled. There is no bridging and OPNsense is running in normal, routed mode.
This is what I see inbound igc1 (agree, it's normal to see this traffic):
(https://i.ibb.co/q4S3fG9/Pasted-image-20250808121912.png)
This is what I see inbound the downstream switch connected to the OPNsense LAN interface:
(https://i.ibb.co/gMFZhCm6/Pasted-image-20250808121943.png)
How is that tagged traffic ending up on the LAN segment?
Are you sure this goes through OPNsense and not some other route you are not (yet) aware of? Could you do a packet trace on OPNsense for the LAN interface instead of on the switch?
This is virtualised, right? Something with your vswitches/portgroups ...
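One way to carry out the LAN-side capture comparison suggested above, as an added example that is not part of this thread: it summarises `tcpdump -e` output by VLAN tag and source MAC so a capture on the OPNsense LAN interface can be set beside one on the WAN parent igc1. The sample capture lines are constructed, and the LAN interface name is a placeholder.

```shell
#!/bin/sh
# Added example for this thread, not from the original posts. It summarises
# 802.1Q-tagged frames from `tcpdump -e -nn -i <ifname>` output (the OPNsense
# LAN interface and the WAN parent igc1 captured separately) so the two
# captures can be compared by VLAN ID and source MAC.
# The capture lines below are constructed; MACs, VLAN IDs and addresses are made up.

SAMPLE='12:19:12.000001 00:50:56:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 643, p 0, ethertype ARP (0x0806), Request who-has 192.168.10.1 tell 192.168.10.5, length 46
12:19:12.000002 00:50:56:aa:bb:cc > 01:00:5e:00:00:fb, ethertype 802.1Q (0x8100), length 90: vlan 643, p 0, ethertype IPv4 (0x0800), 192.168.10.5.5353 > 224.0.0.251.5353: UDP, length 44
12:19:12.000003 f4:90:ea:01:6f:2e > 01:80:c2:00:00:00, ethertype 802.1Q (0x8100), length 68: vlan 201, p 0, LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d
12:19:12.000004 f4:90:ea:01:6f:2e > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 172.16.1.2 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64'

# vlan_summary: read tcpdump -e lines on stdin and print one line per
# (VLAN ID, source MAC) pair with the frame count. Untagged frames are ignored.
vlan_summary() {
    awk '/ethertype 802\.1Q/ && match($0, /vlan [0-9]+,/) {
            id = substr($0, RSTART + 5, RLENGTH - 6)   # strip the "vlan " prefix and trailing comma
            n["vlan=" id " src=" $2]++
         }
         END { for (k in n) print k " count=" n[k] }' | sort
}

# unexpected_vlans <wan_vlan>: print every tag seen other than the one the WAN
# sub-interface is supposed to carry. On the LAN capture, any output at all means
# tagged frames crossed the firewall or bypassed it on some other path.
unexpected_vlans() {
    awk -v want="$1" '/ethertype 802\.1Q/ && match($0, /vlan [0-9]+,/) {
            id = substr($0, RSTART + 5, RLENGTH - 6)
            if (id != want) print id
         }' | sort -un
}

# Typical use on the box (run once per interface, then diff the two files);
# <lan_if> is a placeholder for the assigned LAN interface name:
#   tcpdump -e -nn -i igc1 -c 500 | vlan_summary     > wan.txt
#   tcpdump -e -nn -i <lan_if> -c 500 | vlan_summary > lan.txt
printf '%s\n' "$SAMPLE" | vlan_summary
printf '%s\n' "$SAMPLE" | unexpected_vlans 634
```

If the LAN-side capture taken on OPNsense itself shows none of the tags that the switch port sees, the frames are reaching the downstream switch by some path other than the firewall.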
Nope, it's a OPNsense physical box (DEC2752). It has a single physical connection to an upstream switch, and one physical connection to a downstream L3 switch.
The VMware MAC OUI you see is there because there are probably some VMs on the upstream switch.
I was wondering if NAT might be interfering with this somehow. I have a NAT outbound rule with source 192.168.0.0/16 (the subnets that are part of the test environment). The traffic incoming on igc1 with tag 643 is also within that range. The legit network for the WAN with the correct tagging belongs to 172.16.0.0/12.
I also tried to make additional VLAN interfaces with tag 643. Still the traffic goes through. When I enable promiscuous mode on that interface and enable "block private networks", then I see the traffic blocked in the logs (default block rule)... but I still see the traffic on the downstream switch.
Hi,
any other input?
Is it possible you have promiscuous mode enabled on the interfaces?
Regards,
S.
While the source MAC is the same on the WAN and LAN interface, is there a chance that there are 2 VMware instances using the same MAC? One on the WAN, one on the LAN side?
Quote from: Seimus on August 11, 2025, 01:46:22 PM
Is it possible you have promiscuous mode enabled on the interfaces?
Regards,
S.
Hey Seimus, thanks for the reply. Interfaces are not promiscuous:
igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
ether f4:90:ea:01:6f:2e
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan0.634: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: INTERNET (wan)
options=4000000<MEXTPG>
ether f4:90:ea:01:6f:2e
inet x.x.x.x netmask 0xffffffc0 broadcast x.x.x.x
groups: vlan
vlan: 634 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
Quote from: mooh on August 11, 2025, 03:44:28 PM
While the source MAC is the same on the WAN and LAN interface, is there a chance that there are 2 VMware instances using the same MAC? One on the WAN, one on the LAN side?
Hey mooh,
nice one. But on the LAN side there is a Proxmox environment, so I am afraid that's not the case.
Focussing on layer 2, are there any other bridges in your network that circumvent the FW, a switch, a laptop, etc? To find out, I would disconnect the LAN interface from whatever it is currently connected to, then connect something to make sure the interface is up, a simple switch maybe. If you still see traffic ingress from the WAN, your FW is behaving strangely.
And I don't understand your quote. When I do an ifconfig on a VLAN it doesn't show the VLAN ID as part of the interface name but this:
vlan011: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: NetMA2 (opt12)
options=4000000<MEXTPG>
ether f4:90:ea:00:85:2d
inet 192.168.144.1 netmask 0xffffff00 broadcast 192.168.144.255
inet6 fe80::f690:eaff:fe00:852d%vlan011 prefixlen 64 scopeid 0xb
groups: vlan Mitarbeiter
vlan: 144 vlanproto: 802.1q vlanpcp: 0 parent interface: igb2
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Quote from: opulentjuice on August 08, 2025, 02:27:39 PM
[...] When I enable promiscuous mode on that interface and enable "block private networks", then I see the traffic blocked in the logs (default block rule)... but I still see the traffic on the downstream switch. [...]
Have you tried connecting one machine directly to the "lan" side of the firewall and performing a capture? Or simply disconnecting the firewall? (Rather obvious, but if those were mentioned, I missed 'em.)
Also, is there a chance you spoof your MAC address on the WAN and LAN interfaces?
Regards,
S.