Hi all,
I have tested a root server @Hetzner with OPNsense and I have the feeling that I'm witnessing all the traffic within the given /26 of the root server's assigned public IP address... Has anyone seen this as well? Have I perhaps missed any "opnsense" settings on my WAN interface?
For example:
Interface Time Source Destination Proto Label
-------------------------------------------------------------------------------------------------------------------
WAN1 2025-09-20T09:42:11 65.109.83.177:51040 xx.xx.xx.14:9060 tcp WAN1_DENY_ALL
WAN1 2025-09-20T09:42:11 65.109.83.177:41840 xx.xx.xx.14:9901 tcp WAN1_DENY_ALL
WAN1 2025-09-20T09:42:11 65.109.83.177:51246 xx.xx.xx.14:9100 tcp WAN1_DENY_ALL
WAN1 2025-09-20T09:42:11 45.142.193.63:56217 xx.xx.xx.13:22363 tcp CrowdSec (IPv4) in
WAN1 2025-09-20T09:42:11 65.109.83.177:44502 xx.xx.xx.14:9113 tcp WAN1_DENY_ALL
WAN1 2025-09-20T09:42:11 65.109.83.177:38206 xx.xx.xx.14:9903 tcp WAN1_DENY_ALL
WAN1 2025-09-20T09:42:11 65.109.83.177:37934 xx.xx.xx.14:5054 tcp WAN1_DENY_ALL
WAN1 2025-09-20T09:42:11 65.109.83.177:37532 xx.xx.xx.14:9902 tcp WAN1_DENY_ALL
I do not own any of the destination IPs listed above...
Let me know,
Kind regards,
m.
EDIT: the OPNsense WAN interface is not in promiscuous mode / IPS is enabled on the interface in IPS mode.
I guess that one explanation would be that the adjacent switch DOES NOT have the MAC entries for the involved local subnet IPs (host down/decommissioned etc.) and is in fact flooding these frames to all other ports except the receiving port.
The witnessed destinations are always the same set of destination IPs, with the annoyance that some of the frames involved seem to trigger Suricata with: ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag...
Not much I can do, I guess..
If you see traffic that is not destined to your IPv4, it might be so-called "unknown unicasts". Their forwarding is a normal function of an L2 switch.
It will not help if you configure your interface as /32 and set up a pointopoint route to your gateway ip - although that could/should also be done regardless (I do that). Otherwise, you might not get traffic to your "subnet neighbors".
If you want to block such traffic before it even hits your OpnSense, you can use Hetzner's Robot Firewall to filter against your own IPv4 (I do that, too, and it works).
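The log table in the first post is what prompts the "unknown unicast" explanation: every denied flow is addressed to a host in the same /26 that the firewall does not own. The script below is an added example (not code from the thread, OPNsense or Hetzner) that parses lines in the same column layout as the poster's live view, splits them into flows to our own addresses, flows to other hosts in the WAN block (consistent with L2 flooding), and flows to destinations outside the block, which the flooding explanation does not account for. The sample lines, the own-address list and the block 203.0.113.0/26 (TEST-NET-3, standing in for the masked xx.xx.xx.0/26) are constructed for the example.

```python
"""Classify OPNsense live-view log lines by destination ownership.

Added example; the log lines, the own-address list and the /26 block are
constructed to mirror the poster's table, not taken from a real server.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the same column order as the poster's live view:
# Interface Time Source Destination Proto Label
SAMPLE_LOG = """\
WAN1 2025-09-20T09:42:11 65.109.83.177:51040 203.0.113.14:9060 tcp WAN1_DENY_ALL
WAN1 2025-09-20T09:42:11 65.109.83.177:41840 203.0.113.14:9901 tcp WAN1_DENY_ALL
WAN1 2025-09-20T09:42:11 45.142.193.63:56217 203.0.113.13:22363 tcp CrowdSec (IPv4) in
WAN1 2025-09-20T09:42:11 65.109.83.177:44502 203.0.113.14:9113 tcp WAN1_DENY_ALL
WAN1 2025-09-20T09:42:11 198.51.100.7:40000 203.0.113.20:22 tcp WAN1_DENY_ALL
WAN1 2025-09-20T09:42:11 198.51.100.9:40001 192.0.2.77:443 tcp WAN1_DENY_ALL
"""

# One regex for the whole line; the label may contain spaces ("CrowdSec (IPv4) in").
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)\s+(?P<label>.*)$"
)


def parse_line(line):
    """Return a dict for one live-view line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(log_text, own_addresses, wan_block):
    """Bucket flows by where the destination sits relative to our own addresses.

    'own'      - destination is an address this firewall actually holds
    'neighbor' - destination is another host in the WAN block: the traffic the
                 switch floods when it has no MAC entry for that host
    'foreign'  - destination outside the WAN block; not explained by flooding
                 of the block and worth a closer look
    Returns (bucket counts, per-neighbor destination counts).
    """
    own = {ipaddress.ip_address(a) for a in own_addresses}
    block = ipaddress.ip_network(wan_block, strict=False)
    buckets = Counter()
    neighbors = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] in own:
            buckets["own"] += 1
        elif rec["dst"] in block:
            buckets["neighbor"] += 1
            neighbors[str(rec["dst"])] += 1
        else:
            buckets["foreign"] += 1
    return buckets, neighbors


def report(buckets, neighbors):
    """Human-readable summary lines, returned rather than printed so callers can reuse them."""
    lines = [f"{name}: {buckets[name]}" for name in ("own", "neighbor", "foreign")]
    for dst, n in neighbors.most_common():
        lines.append(f"  neighbor {dst}: {n} flow(s) seen although we do not hold this address")
    return lines


if __name__ == "__main__":
    # Constructed: the firewall holds only .20 in the example block.
    counts, seen = classify(SAMPLE_LOG, ["203.0.113.20"], "203.0.113.0/26")
    print("\n".join(report(counts, seen)))
```

If the "neighbor" bucket dominates and the "foreign" bucket stays at zero, the picture matches plain unknown-unicast flooding inside the /26; a non-empty "foreign" bucket on a non-promiscuous interface is the case to investigate further.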
Quote from: meyergru on September 23, 2025, 02:26:28 PM
If you see traffic that is not destined to your IPv4, it might be so-called "unknown unicasts". Their forwarding is a normal function of an L2 switch.
Yes, that is the case here.
Quote from: meyergru on September 23, 2025, 02:26:28 PM
It will not help if you configure your interface as /32 and set up a pointopoint route to your gateway ip - although that could/should also be done regardless (I do that). Otherwise, you might not get traffic to your "subnet neighbors".
Could you give me more information as to how you enable the "pointtopoint route" to the /26 subnet gateway using /32 on your WAN uplink?
Quote from: meyergru on September 23, 2025, 02:26:28 PM
If you want to block such traffic before it even hits your OpnSense, you can use Hetzner's Robot Firewall to filter against your own IPv4 (I do that, too, and it works).
Yes, that clears up a massive amount of pure noise; best practice indeed.
Thanks!
That depends on your OS and/or network configuration method.
Essentially, you do not configure IP/26, but IP/32. The problem is that now your gateway IP lies outside of your subnet.
In Linux, you can set up an interface with the option "pointopoint", such that it can be a far gateway. You only specify the interface over which it is to be reached.
Hetzner now documents exactly that here for /etc/network/interfaces (https://docs.hetzner.com/robot/dedicated-server/network/net-config-debian-ubuntu) and also for netplan (https://docs.hetzner.com/robot/dedicated-server/network/network-configuration-with-netplan) setups.
For OpnSense, you define the WAN interface IP with a netmask of /32 and set the "IPv4 gateway rules" to your gateway, in which you check both "Upstream Gateway" and "Far Gateway" and select the WAN interface and gateway IP.
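To make the /32 plus far-gateway idea concrete, here is an added example (not code from the thread, Hetzner's documentation or OPNsense) that takes the provider's assignment and gateway and derives the host-only configuration: it shows why the gateway is no longer covered by the interface prefix, emits an ifupdown stanza using the pointopoint option, the equivalent iproute2 commands with an explicit host route, and reports which former subnet neighbors become routed rather than on-link. The addresses 203.0.113.14/26 and 203.0.113.1 and the interface name eth0 are constructed placeholders.

```python
"""Derive a /32 + far-gateway WAN configuration from a /26 assignment.

Added example with constructed addresses; it only generates configuration
text and explains the routing consequence, it does not apply anything.
"""
import ipaddress


def ifupdown_stanza(host32, gw, iface):
    """Static ifupdown stanza: /32 address with the gateway declared as pointopoint peer."""
    return "\n".join([
        f"auto {iface}",
        f"iface {iface} inet static",
        f"    address {host32}",
        f"    gateway {gw}",
        f"    pointopoint {gw}",
    ])


def iproute2_commands(host32, gw, iface):
    """Same setup by hand: a host route makes the gateway reachable without a covering prefix."""
    return [
        f"ip addr add {host32} dev {iface}",
        f"ip route add {gw}/32 dev {iface}",
        f"ip route add default via {gw} dev {iface}",
    ]


def plan_far_gateway(assignment, gateway, iface="eth0"):
    """Turn e.g. '203.0.113.14/26' + '203.0.113.1' into the /32 far-gateway plan."""
    assigned = ipaddress.ip_interface(assignment)
    gw = ipaddress.ip_address(gateway)
    if gw not in assigned.network:
        raise ValueError("gateway is not inside the assigned block; check the assignment")
    host32 = ipaddress.ip_interface(f"{assigned.ip}/32")
    return {
        "address": str(host32),
        "gateway": str(gw),
        # Under /26 the gateway is on-link; under /32 it never is, which is the
        # whole reason a far gateway / pointopoint peer has to be declared.
        "gateway_on_link_under_assignment": gw in assigned.network,
        "gateway_on_link_under_32": gw in host32.network,
        "ifupdown": ifupdown_stanza(host32, gw, iface),
        "iproute2": iproute2_commands(host32, gw, iface),
    }


def neighbors_now_routed(assignment, others):
    """Hosts that were on-link under the original prefix but are reached via the
    gateway once the interface carries only a /32."""
    assigned = ipaddress.ip_interface(assignment)
    return [o for o in others if ipaddress.ip_address(o) in assigned.network]


if __name__ == "__main__":
    plan = plan_far_gateway("203.0.113.14/26", "203.0.113.1")
    print(plan["ifupdown"])
    print("\n".join(plan["iproute2"]))
    print("gateway on-link under /32:", plan["gateway_on_link_under_32"])
    print("now routed via gateway:", neighbors_now_routed("203.0.113.14/26", ["203.0.113.13", "192.0.2.77"]))
```

Note that none of this changes what the switch floods: frames for a neighbor with no MAC entry still arrive on the port, which is the point made above that the /32 setup does not stop the noise by itself; it only keeps the host from treating the rest of the /26 as directly reachable.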