Hetzner root server -- seeing all traffic within the given /26

Started by mokaz, September 20, 2025, 11:47:47 AM

Hi all,

I have tested a root server @Hetzner with OPNsense and I have the feeling that I'm witnessing all the traffic within the given /26 of the root server's assigned public IP address... Has anyone seen this as well? Have I perhaps missed any "OPNsense" settings on my WAN interface?

For example:
Interface     Time                       Source             Destination             Proto     Label
-------------------------------------------------------------------------------------------------------------------
WAN1        2025-09-20T09:42:11      65.109.83.177:51040    xx.xx.xx.14:9060    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:41840    xx.xx.xx.14:9901    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:51246    xx.xx.xx.14:9100    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      45.142.193.63:56217    xx.xx.xx.13:22363    tcp    CrowdSec (IPv4) in   
WAN1        2025-09-20T09:42:11      65.109.83.177:44502    xx.xx.xx.14:9113    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:38206    xx.xx.xx.14:9903    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:37934    xx.xx.xx.14:5054    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:37532    xx.xx.xx.14:9902    tcp    WAN1_DENY_ALL   

I do not own any of the destination IPs listed above...

Let me know,
Kind regards,
m.

EDIT: the OPNsense WAN interface is not in promiscuous mode / IPS is enabled on the interface in IPS mode

I guess that one explanation would be that the adjacent switch DOES NOT have the MAC entries for the involved local subnet IPs (host down/decommissioned etc.) and is in fact flooding these frames to all other ports except the receiving port.

The witnessed destinations are always the same set of destination IPs, with the annoyance that some of the frames involved seem to trigger Suricata with: ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag...

Not much I can do I guess..

If you see traffic that is not destined to your IPv4, it might be so-called "unknown unicasts". Their forwarding is a normal function of an L2 switch.

It will not help if you configure your interface as /32 and set up a pointopoint route to your gateway IP - although that could/should also be done regardless (I do that). Otherwise, you might not get traffic to your "subnet neighbors".

If you want to block such traffic before it even hits your OPNsense, you can use Hetzner's Robot Firewall to filter against your own IPv4 (I do that, too, and it works).
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
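
Added example (not part of the thread and not OPNsense code): a small triage script that reads firewall live-log rows in the column layout of the excerpt above and counts entries whose destination lies inside the assigned subnet but is not one of your own addresses, which is the pattern the unknown-unicast explanation predicts. The 203.0.113.0/26 subnet, the 198.51.100.x sources and the function names are constructed placeholders, not values from the thread.

```python
import ipaddress
from collections import Counter

# Constructed sample in the column layout of the log excerpt above.
# 203.0.113.0/26 stands in for the masked /26; sources are made-up addresses.
SAMPLE_LOG = """\
Interface  Time  Source  Destination  Proto  Label
WAN1  2025-09-20T09:42:11  198.51.100.7:51040  203.0.113.14:9060   tcp  WAN1_DENY_ALL
WAN1  2025-09-20T09:42:11  198.51.100.7:41840  203.0.113.14:9901   tcp  WAN1_DENY_ALL
WAN1  2025-09-20T09:42:11  198.51.100.9:56217  203.0.113.13:22363  tcp  CrowdSec (IPv4) in
WAN1  2025-09-20T09:42:12  198.51.100.7:40022  203.0.113.10:22     tcp  WAN1_DENY_ALL
WAN1  2025-09-20T09:42:12  198.51.100.8:50000  192.0.2.50:443      tcp  WAN1_DENY_ALL
"""

def split_endpoint(endpoint):
    """Split 'ip:port' into (ip_address, port); raises ValueError on non-data text."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def foreign_destinations(log_text, own_ips, subnet):
    """Count rows per destination that is inside `subnet` but not in `own_ips`."""
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    net = ipaddress.ip_network(subnet)
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # separator or blank line
        try:
            dst, _port = split_endpoint(fields[3])
        except ValueError:
            continue  # header row or malformed entry
        if dst in net and dst not in own:
            counts[str(dst)] += 1
    return counts

if __name__ == "__main__":
    hits = foreign_destinations(SAMPLE_LOG, ["203.0.113.10"], "203.0.113.0/26")
    for dst, n in hits.most_common():
        print(f"{dst}: {n} entries addressed to a subnet neighbour")
```

A stable, small set of neighbour destinations across runs matches the flooding explanation; those same addresses are the ones a filter on your own IPv4 in front of the firewall would drop.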