OPNsense Forum
Archive => 22.1 Legacy Series => Topic started by: cugerm on March 06, 2022, 06:50:32 pm
-
Hi, after the successful integration of the bnxt network interface driver [1], we realized that the driver has an error in the processing of vlan packets [2]. To fix this issue, the associated FreeBSD ticket mentions the possibility of activating the promiscuous mode for bnxt0 as a workaround. Away from performance drawbacks and under the assumption that only privileged administrators have access to the OPNsense instance...
Are there any security impacts due to we should not permanently enable the promisc mode until the bug is fixed?
Thank you for your assessment.
[1] Enabling bnxt driver: https://forum.opnsense.org/index.php?topic=27168.0 (https://forum.opnsense.org/index.php?topic=27168.0)
[2] FreeBSD bnxt vlan bugzilla ticket: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236983 (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236983)
-
When you enable promiscuous mode on an interface, packets not addressed to that interface will be passed up the network stack instead of being dropped.
This means that your routing and firewall rules (and other services) will encounter ip address (and protocols) that they might not be expecting, that could have security implications.
-
Good explanation! We will discuss this point in the team. Thank you.
-
From what I understand from the proposed fix your security concerns are in vain because whether you set promiscuous mode manually via OS or let the driver do it as soon as it has VLANs is exactly the same from a hardware standpoint once VLAN is used in your network: promiscuous mode is enabled.
Cheers,
Franco
-
We also have this NIC and have had internal discussions about this topic, since I had the same concern than you (OP).
We've came to same conclusion, since this is a Firewall solution promiscous mode is kind of mandatory, especially if you use VLANs. But once again, it comes down to how and what you want to use OPNSense for.
Cheers!
-
... or let the driver do it as soon as it has VLANs is exactly the same from a hardware standpoint once VLAN is used in your network: promiscuous mode is enabled.
Thanks for the explanation, i had not thought of this point, but it seems logical of course.
Also thanks to gege29 for the experience report, what is always helpful when making a decision: We will also enable the promisc mode - Now, with a (reasonably) good feeling :)
-
... once VLAN is used in your network: promiscuous mode is enabled.
This sounds as if it answers the question I posed in another thread;
My question is: why does IPS mode with vlans work without using Promiscuos mode on 22.1 and 21.7?
but I in that case I found that
root@OHM:~ # ifconfig | grep -i prom
pflog0: flags=20100<PROMISC,PPROMISC> metric 0 mtu 33160
that is, no interface had promiscuous mode.
Is ifconfig lying? What is going on?
-
> Is ifconfig lying?
Yes, although it depends on the driver and hardware used (why this thread exists for broadcom hardware mentioned here and cannot be assumed to be true for all devices).
Cheers,
Franco
-
Ah, that's nice to know :-X
Thanks!