Hetzner root server -- seeing all traffic within the given /26

Started by mokaz, September 20, 2025, 11:47:47 AM

Hi all,

I have tested a root server @Hetzner with opnsense and I have the feeling that I'm witnessing all the traffic within the given /26 of the root server assigned public IP address... Has anyone seen this as well? Have I perhaps missed any "opnsense" settings on my WAN interface?

For example:
Interface     Time                       Source             Destination             Proto     Label
-------------------------------------------------------------------------------------------------------------------
WAN1        2025-09-20T09:42:11      65.109.83.177:51040    xx.xx.xx.14:9060    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:41840    xx.xx.xx.14:9901    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:51246    xx.xx.xx.14:9100    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      45.142.193.63:56217    xx.xx.xx.13:22363    tcp    CrowdSec (IPv4) in   
WAN1        2025-09-20T09:42:11      65.109.83.177:44502    xx.xx.xx.14:9113    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:38206    xx.xx.xx.14:9903    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:37934    xx.xx.xx.14:5054    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:37532    xx.xx.xx.14:9902    tcp    WAN1_DENY_ALL   

I do not own any of the destination IPs listed above...

Let me know,
Kind regards,
m.

EDIT: the OPNsense wan interface is not in promiscuous mode / IPS is enabled on the interface in IPS mode

I guess that one explanation would be that the adjacent switch DOES NOT have the MAC entries for the involved local subnet IPs (host down/decommissioned, etc.) and is in fact flooding these frames to all other ports except the receiving port.

The witnessed destinations are always the same set of destination IPs, with the annoyance that some of the given frames involved seem to trigger Suricata with: ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag...

Not much I can do I guess..

If you see traffic that is not destined to your IPv4, it might be so-called "unknown unicasts". Their forwarding is a normal function of an L2 switch.

It will not help if you configure your interface as /32 and set up a pointopoint route to your gateway ip - although that could/should also be done regardless (I do that). Otherwise, you might not get traffic to your "subnet neighbors".

If you want to block such traffic before it even hits your OpnSense, you can use Hetzner's Robot Firewall to filter against your own IPv4 (I do that, too, and it works).
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
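To make the "unknown unicast" diagnosis from the reply above checkable against the live-view excerpt in the first post, here is an added triage script (written for this thread, not code from OPNsense, Hetzner or any poster). It parses log lines in the same column layout, then buckets each entry by destination: addressed to the server itself, addressed to another host inside the shared /26 (the flooded frames), or outside the prefix. The addresses are constructed RFC 5737 documentation values: 203.0.113.0/26 stands in for the Hetzner /26 and 203.0.113.20 for the server's own address.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample in the layout of the OPNsense live-view excerpt from the
# first post. All addresses are RFC 5737 documentation addresses; 203.0.113.0/26
# plays the role of the Hetzner /26 and 203.0.113.20 is the server's own address.
SAMPLE_LOG = """\
Interface     Time                       Source             Destination             Proto     Label
-------------------------------------------------------------------------------------------------------------------
WAN1        2025-09-20T09:42:11      198.51.100.77:51040    203.0.113.14:9060    tcp    WAN1_DENY_ALL
WAN1        2025-09-20T09:42:11      198.51.100.77:41840    203.0.113.14:9901    tcp    WAN1_DENY_ALL
WAN1        2025-09-20T09:42:11      192.0.2.63:56217    203.0.113.13:22363    tcp    CrowdSec (IPv4) in
WAN1        2025-09-20T09:42:11      198.51.100.77:44502    203.0.113.14:9113    tcp    WAN1_DENY_ALL
WAN1        2025-09-20T09:42:12      198.51.100.9:40002    203.0.113.20:22    tcp    WAN1_DENY_ALL
WAN1        2025-09-20T09:42:12      198.51.100.9:40003    192.0.2.200:443    tcp    WAN1_DENY_ALL
"""

# One live-view row: interface, timestamp, src:port, dst:port, proto, label.
# The label is taken lazily to the end of the line because it may contain spaces.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<label>.+?)\s*$"
)


class Entry(NamedTuple):
    iface: str
    time: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    label: str


def parse_log(text):
    """Parse the live-view text; the header row and the dashed rule are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Interface", "---")):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable line: {line!r}")
        entries.append(Entry(
            m["iface"], m["time"],
            ipaddress.IPv4Address(m["src"]), int(m["sport"]),
            ipaddress.IPv4Address(m["dst"]), int(m["dport"]),
            m["proto"], m["label"],
        ))
    return entries


def classify(entries, my_addresses, subnet):
    """Bucket entries by destination: 'for-me' (one of our own addresses),
    'neighbour' (another host inside the shared prefix, i.e. unknown-unicast
    flooding by the switch) or 'other' (outside the prefix; worth a second look)."""
    net = ipaddress.IPv4Network(subnet, strict=False)
    mine = {ipaddress.IPv4Address(a) for a in my_addresses}
    buckets = {"for-me": [], "neighbour": [], "other": []}
    for e in entries:
        if e.dst in mine:
            buckets["for-me"].append(e)
        elif e.dst in net:
            buckets["neighbour"].append(e)
        else:
            buckets["other"].append(e)
    return buckets


def summarize(buckets):
    """Counts per bucket plus the distinct neighbour destinations, so the share of
    pure noise (what a Robot firewall rule limited to your own IPv4 would drop
    before it reaches OPNsense) is visible at a glance."""
    return {
        "counts": {k: len(v) for k, v in buckets.items()},
        "neighbour_destinations": sorted({str(e.dst) for e in buckets["neighbour"]}),
    }


if __name__ == "__main__":
    report = summarize(classify(parse_log(SAMPLE_LOG), ["203.0.113.20"], "203.0.113.0/26"))
    print(report)
```

Run against a real export, the neighbour bucket should hold the same small set of destinations over time, which is what mokaz reports; a growing set of destinations outside the prefix would not be explained by L2 flooding and deserves its own investigation.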

Quote from: meyergru on September 23, 2025, 02:26:28 PM
    If you see traffic that is not destined to your IPv4, it might be so-called "unknown unicasts". Their forwarding is a normal function of an L2 switch.

Yes that is the case here.

Quote from: meyergru on September 23, 2025, 02:26:28 PM
    It will not help if you configure your interface as /32 and set up a pointopoint route to your gateway ip - although that could/should also be done regardless (I do that). Otherwise, you might not get traffic to your "subnet neighbors".

Could you give me more information as to how you enable the "pointopoint route" to the /26 subnet gateway using /32 on your WAN uplink?

Quote from: meyergru on September 23, 2025, 02:26:28 PM
    If you want to block such traffic before it even hits your OpnSense, you can use Hetzner's Robot Firewall to filter against your own IPv4 (I do that, too, and it works).

Yes, that clears up a massive amount of pure noise, best practice indeed.

Thanks!

That depends on your OS and/or network configuration method.

Essentially, you do not configure IP/26, but IP/32. The problem is that now your gateway IP lies outside of your subnet.

In Linux, you can set up an interface with the option "pointopoint", such that it can be a far gateway. You only specify the interface over which it is to be reached.

Hetzner now documents exactly that here for /etc/network/interfaces and also for netplan setups.

For OpnSense, you define the WAN interface IP with a netmask of /32 and set the "IPv4 gateway rules" to your gateway, in which you check both "Upstream Gateway" and "Far Gateway" and select the WAN interface and gateway IP.
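As an added illustration of the /32 plus far-gateway setup described in the reply above (editor's example, not code from Hetzner, OPNsense or the poster): the first two functions show with the standard `ipaddress` module why the gateway stops being on-link once the prefix shrinks from /26 to /32 and why even a neighbour in the same /26 is then sent via the gateway; the two renderers emit the Linux forms of that configuration, the ifupdown stanza with the `pointopoint` option and the netplan equivalent with an `on-link` default route. The interface name `eth0`, the host address 203.0.113.14 and the gateway 203.0.113.1 are constructed placeholders; the OPNsense side is done in the GUI as the reply describes and is not generated here.

```python
import ipaddress


def gateway_is_on_link(address_cidr, gateway):
    """True when the gateway lies inside the interface prefix, i.e. the kernel can
    ARP for it directly. With a /32 this is always False (the prefix holds only
    the host itself), which is why a far-gateway route is required."""
    iface = ipaddress.IPv4Interface(address_cidr)
    return ipaddress.IPv4Address(gateway) in iface.network


def next_hop(address_cidr, destination):
    """How a host configured with address_cidr delivers a packet to destination:
    'on-link' (ARP for the destination itself) or 'via-gateway'. With a /26 a
    subnet neighbour is on-link; with a /32 it goes through the gateway."""
    iface = ipaddress.IPv4Interface(address_cidr)
    dst = ipaddress.IPv4Address(destination)
    return "on-link" if dst in iface.network else "via-gateway"


def render_ifupdown(ifname, address, gateway):
    """/etc/network/interfaces stanza: host address with a /32 netmask plus the
    ifupdown 'pointopoint' option, so the gateway outside the prefix is usable."""
    if gateway_is_on_link(f"{address}/32", gateway):
        raise ValueError("gateway must differ from the host address")
    return (
        f"auto {ifname}\n"
        f"iface {ifname} inet static\n"
        f"    address {address}\n"
        f"    netmask 255.255.255.255\n"
        f"    pointopoint {gateway}\n"
        f"    gateway {gateway}\n"
    )


def render_netplan(ifname, address, gateway):
    """netplan equivalent: a /32 address and a default route flagged on-link,
    which is how netplan expresses a gateway that is not inside the prefix."""
    return "\n".join([
        "network:",
        "  version: 2",
        "  ethernets:",
        f"    {ifname}:",
        "      addresses:",
        f"        - {address}/32",
        "      routes:",
        "        - to: 0.0.0.0/0",
        f"          via: {gateway}",
        "          on-link: true",
        "",
    ])


if __name__ == "__main__":
    # Constructed placeholders: eth0 as the uplink, 203.0.113.14 as the server
    # address and 203.0.113.1 as the gateway of the /26.
    for prefix in ("/26", "/32"):
        print(prefix, "gateway on-link:", gateway_is_on_link("203.0.113.14" + prefix, "203.0.113.1"),
              "| neighbour .13 reached:", next_hop("203.0.113.14" + prefix, "203.0.113.13"))
    print(render_ifupdown("eth0", "203.0.113.14", "203.0.113.1"))
    print(render_netplan("eth0", "203.0.113.14", "203.0.113.1"))
```

Keep in mind that the /32 changes only how your own host routes; it does not stop the switch from flooding unknown unicasts towards your port, which is exactly the point meyergru makes, so the Robot firewall rule remains the measure that actually removes the noise.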