21.1 Legacy Series / opnsense forwards packets not addressed to its own mac(s)
« on: February 24, 2021, 01:13:11 am »
I have an HA setup with CARP running two OPNsense instances on a VMware ESXi 5.5 cluster.
A side effect of ESXi is that promiscuous mode needs to be enabled on the ESXi virtual switch.
I now observe the following:
Hosts "C" and "D" are on the same WAN network as firewalls "A" (active) and "B" (backup).
Host "D" and firewall "B" reside on the same ESXi host.
Host "C" sends an ICMP packet to host "D".
Firewall "B" also receives the packet (because of promiscuous mode) and forwards it to host "D".
The packet that firewall "B" accepted from host "C" has the MAC address of host "D" as its destination (!), and the firewall then forwards it via the WAN interface to host "D", with its own source MAC and the destination MAC of "D".
Why does the firewall accept a packet not intended for the firewall itself?
This should never ever happen.
Please see the attached log.
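As an added example (not from the post, and not OPNsense code), here is a Python check over a constructed capture of Ethernet/IPv4 frames that flags the pattern described above: an IP packet reappearing on the wire with a firewall MAC as the Ethernet source although its first copy was never addressed to any firewall MAC. All MAC and IP values are constructed placeholders.

```python
import struct

# Constructed placeholder MACs for host C, host D, firewall B and an unrelated next hop.
MAC_C = bytes.fromhex("0a0000000c0c")
MAC_D = bytes.fromhex("0a0000000d0d")
MAC_FW_B = bytes.fromhex("0a0000000b0b")
MAC_NEXT_HOP = bytes.fromhex("0a0000009999")

def build_frame(dst_mac, src_mac, src_ip, dst_ip, ip_id):
    """Build a minimal Ethernet + IPv4 + ICMP echo frame (checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ip_id, 0, 64, 1, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + icmp

def parse_frame(frame):
    """Extract the Ethernet addresses and the IPv4 fields used as a packet identity."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return None
    ip = frame[14:]
    return {"dst_mac": dst, "src_mac": src, "ip_id": struct.unpack("!H", ip[4:6])[0],
            "proto": ip[9], "src_ip": ip[12:16], "dst_ip": ip[16:20]}

def find_reforwarded(frames, fw_macs):
    """Return (first_index, duplicate_index) pairs for packets that a firewall re-emitted
    even though the first copy on the wire was not addressed to the firewall."""
    seen, hits = {}, []
    for i, frame in enumerate(frames):
        p = parse_frame(frame)
        if p is None:
            continue
        key = (p["src_ip"], p["dst_ip"], p["proto"], p["ip_id"])
        if key not in seen:
            seen[key] = (i, p)
            continue
        j, first = seen[key]
        if p["src_mac"] in fw_macs and first["dst_mac"] not in fw_macs and first["src_mac"] not in fw_macs:
            hits.append((j, i))
    return hits

# Constructed sample capture: C pings D directly (frame 0) and firewall B re-emits it (frame 1);
# then C sends a packet addressed to B's MAC (frame 2), which B legitimately forwards (frame 3).
SAMPLE_FRAMES = [
    build_frame(MAC_D, MAC_C, "192.0.2.30", "192.0.2.40", 0x1111),
    build_frame(MAC_D, MAC_FW_B, "192.0.2.30", "192.0.2.40", 0x1111),
    build_frame(MAC_FW_B, MAC_C, "192.0.2.30", "198.51.100.9", 0x2222),
    build_frame(MAC_NEXT_HOP, MAC_FW_B, "192.0.2.30", "198.51.100.9", 0x2222),
]

if __name__ == "__main__":
    print(find_reforwarded(SAMPLE_FRAMES, {MAC_FW_B}))  # [(0, 1)]
```

Only the first pair is reported; the routed packet in frames 2 and 3 was addressed to the firewall and is expected to be forwarded.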