IP Spoofing problem

Discussion in 'Networking' started by bhealy, Apr 20, 2012.

1. bhealy, Apr 20, 2012

    Hi,

I have an 8.0.4 release x64 running with dual NICs, one dedicated for iSCSI communication with two servers on a closed 10.10.10.x network (no gateway) and the other NIC on a user LAN 192.168.10.x for Windows shares, management, etc. I've got Active Directory set up and working with a DC on the 192.168.10.x LAN. The problem is my firewall keeps tripping with spoof alerts that the 10.10.10.2 address of the FreeNAS is showing up on the 192.168.10.x LAN with the MAC address of the FreeNAS 192.168.10.x interface. The traffic is NetBIOS port 137 going to a backup DC on another LAN!

Here's the network summary:

Name    IPv4 Address
bce0    10.10.10.2/24
bce1    192.168.10.112/24

Nameservers:   192.168.10.100, 192.168.10.101
Default route: 192.168.10.1

And the spoof message from my Sonicwall, which is 192.168.10.1, is:
    04/20/2012 09:52:09.736 - Alert - Intrusion Prevention - IP spoof dropped - 10.10.10.2, 137, X0 - 192.168.3.242, 137, X2 - MAC address: 00:18:8b:3a:36:a9

I have confirmed with ifconfig that the MAC address shown is in fact that of the 192.168.10.x NIC of the FreeNAS.


    So,
    1) Why would FreeNAS be trying to get to my backup DC on another LAN? The DC configured for Active Directory is on the local 192.168.10.x LAN.
    2) How do I stop it from trying to do it from the 10.10.10.x interface and use the 192.168.10.x instead if it really does need to talk to the backup DC? (there is more than one DC on the local 192.168.10.x LAN!)

    I don't know if this is a new problem, I've been using FreeNAS for a while, and I've only just started seeing the Alerts since upgrading to a newer Sonicwall model.

    Any suggestions?

    Thanks,
    Bill
2. bhealy, Apr 27, 2012

    No ideas??

Am I missing something obvious, and that's why no responses, or is this a problem which no one has an answer for?

    Bill
3. paleoN (FreeNAS Guru), May 2, 2012

    What exactly is physically plugged into what? You say 10.10.10.x is a closed network. Is this on a different switch, are those ports set for a separate vlan or what exactly?

    Is 192.168.3.242 a valid destination? If so, perhaps a complete network layout would help.

    Also, what does the routing table on your FreeNAS box look like?
Code (text):
netstat -rn
4. bhealy, May 3, 2012

The 10.10.10.x is on its own VLAN with no gateway. The VLAN is configured in the switch for the 3 ports in use, they are Untagged, and I've denied all other ports on the switch membership to the VLAN. There are 2 Windows servers also connected to the same VLAN that use iSCSI to the FreeNAS.

    The 192.168.10.x network gateways through 192.168.10.1 which is my firewall/router that is alerting to the IP Spoofing. The 192.168.10.x network has 3 Domain Controllers, one of which (the primary) is configured in the Active Directory service of FreeNAS.

    The backup Domain Controller 192.168.3.242 is reachable from the 192.168.10.x network through the gateway 192.168.10.1, but it's on the other end of a T-1 in another office. Much faster to go to a local DC at 1G than the remote office at 1.5M!

    From the spoof alerts I'm getting it looks like it happens every 20 minutes.

Here's the routing table:
Code (text):
netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs        Use  Netif Expire
default            192.168.10.1       UGS         0   12508844   bce1
10.10.10.0/24      link#1             U           0 1504180423   bce0
10.10.10.2         link#1             UHS         0         29    lo0
127.0.0.1          link#3             UH          0          0    lo0
192.168.10.0/24    link#2             U           0  309581482   bce1
192.168.10.112     link#2             UHS         0          0    lo0

Internet6:
Destination        Gateway            Flags    Netif Expire
::1                ::1                UH         lo0
fe80::%lo0/64      link#3             U          lo0
fe80::1%lo0        link#3             UHS        lo0
ff01:3::/32        fe80::1%lo0        U          lo0
ff02::%lo0/32      fe80::1%lo0        U          lo0



And an ifconfig so you can see the MAC addresses:
Code (text):
ifconfig
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:18:8b:3a:36:ab
        inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:18:8b:3a:36:a9
        inet 192.168.10.112 netmask 0xffffff00 broadcast 192.168.10.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>


As I mentioned before, but I'll summarize: bce0 is the 10.10.10.x network, bce1 is the 192.168.10.x network, but the spoof alerts are showing the 10.10.10.2 address with the MAC address from the bce1 interface on the bce1 LAN (192.168.10.x), hence the spoof. If it wasn't for the fact that it was trying to route through my firewall/router, I would never have known there was useless 10.10.10.x traffic on the 192.168.10.x LAN.

    Is there anyone else out there with a dual port FreeNAS and Active Directory that can monitor the LAN with the DC's and see if traffic from their other FreeNAS port is showing up on the wrong LAN?

    I should mention that Active Directory is working fine, my users show up and authenticate to get into the CIFS shares.

    Also of note, I do not have Local Master checked under the CIFS configs.

    What would be some reasons that FreeNAS would be trying to talk to my remote backup DC when there are 3 perfectly good DC's on the local LAN?


    Thanks for any help you can offer,
    Bill
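The alert in the first post and the ifconfig above say more together than either does alone, and the following script is an added example (not part of the thread) that decodes them. The MAC address in a Sonicwall spoof alert identifies the physical port that put the frame on the wire; the source IP identifies the local address the sending socket was bound to. When those belong to two different NICs of the same host, nobody outside is spoofing: the host built the packet itself with a socket bound to 10.10.10.2, and because the only route to 192.168.3.242 is the default route, the kernel sent it out bce1 with bce1's MAC and the 10.10.10.2 source address still in the header. The interface table and the alert line are constructed from what is posted in this thread; the `sockstat`/`tcpdump` commands in `host_checks` are the follow-up to run on the FreeNAS box itself and are not executed by the script.

```shell
#!/bin/sh
# Added example, not from the thread: decode a Sonicwall "IP spoof dropped"
# alert against a host's interface table and say whether the host itself sent
# the packet from the "wrong" address. Pure POSIX sh; runs offline.

# Interface table constructed from the ifconfig output posted in this thread:
# name, MAC, address/prefix.
IFTABLE='bce0 00:18:8b:3a:36:ab 10.10.10.2/24
bce1 00:18:8b:3a:36:a9 192.168.10.112/24'

# The alert line quoted in the first post (sample input).
ALERT='04/20/2012 09:52:09.736 - Alert - Intrusion Prevention - IP spoof dropped - 10.10.10.2, 137, X0 - 192.168.3.242, 137, X2 - MAC address: 00:18:8b:3a:36:a9'

# Dotted quad -> 32-bit integer, shell arithmetic only.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/PREFIX: true when ADDR lies inside NET/PREFIX.
in_subnet() {
    net=${2%/*}; prefix=${2#*/}
    mask=$(( (0xffffffff << (32 - prefix)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# parse_alert LINE: print "<source-ip> <mac>" from a Sonicwall spoof alert.
# Fields are " - " separated; field 5 is "src, port, iface", field 7 the MAC.
parse_alert() {
    printf '%s\n' "$1" | awk -F' - ' '/IP spoof dropped/ {
        split($5, s, ", "); print s[1], $7 }' | sed 's/MAC address: //'
}

# classify_alert LINE: prints one of
#   external               MAC is not one of our NICs (some other host sent it)
#   consistent <nic>       our NIC, and the source IP is on that NIC's subnet
#   crossed <nic> <owner>  our NIC, but the source IP belongs to another NIC:
#                          a socket bound to <owner>'s address was routed out <nic>
classify_alert() {
    set -- $(parse_alert "$1")
    src=$1; mac=$2
    line=$(printf '%s\n' "$IFTABLE" | awk -v m="$mac" '$2 == m')
    [ -n "$line" ] || { echo "external"; return 0; }
    set -- $line
    ifn=$1; ifnet=$3
    if in_subnet "$src" "$ifnet"; then
        echo "consistent $ifn"
        return 0
    fi
    owner=$(printf '%s\n' "$IFTABLE" | awk -v a="$src/" 'index($3, a) == 1 { print $1 }')
    echo "crossed $ifn ${owner:-unknown}"
}

# host_checks: what to run on the FreeNAS box once an alert classifies as
# "crossed". Not called here; both commands need the real host.
host_checks() {
    # Which daemons hold sockets bound to the iSCSI-side address?
    sockstat -4 -l | grep '10\.10\.10\.2:'
    # Catch the frame leaving the LAN NIC, link-layer header included so the
    # MAC is visible alongside the 10.10.10.2 source address.
    tcpdump -ni bce1 -e 'src host 10.10.10.2'
}

classify_alert "$ALERT"
```

For the alert from the first post this prints `crossed bce1 bce0`, which is the same conclusion bhealy reached by comparing MACs by hand; a line that classifies as `external` is the case the firewall's rule is actually meant for. A `crossed` result points at the sending process rather than the network, and `sockstat -4 -l` on the host shows which daemon is holding the 10.10.10.2:137 socket.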
5. paleoN (FreeNAS Guru), May 9, 2012

    What AD are you running anyway? I imagine it is, but is the remote DC in its own site in AD?

    Is it a different switch that the 10.10.10.x ports are on or is it on the Sonicwall itself? Are there any DNS entries that use the 10.10.10.2 address for the FreeNAS box? Have you tried logging traffic from the 192.168.3.242 to both 10.10.10.2 & 192.168.10.112 to see if the remote DC is starting it?

    What are the services that you are running on the FreeNAS box? Did you try binding Samba to only the 192.168.10.112 nic?

    Because it's Windows and it does it all the time for no good reason. You can double check DNS to make sure you don't have any stale SRV records that are pointing to the remote DC in the local site.
6. bhealy, May 10, 2012

The Domain and Forest functional levels are currently Windows 2003, working towards 2008. Yes, the remote DC is in its own AD site. Also checked DNS and WINS and there are no records anywhere for the FreeNAS's 10.10.10.2 address.

    The 10.10.10.x ports of the switch are part of a VLAN with no connection to the Sonicwall. The rest of the ports on the switch are used for the 192.168.10.x LAN which do have a connection to the Sonicwall. At first I thought packets were somehow getting out of the VLAN, but then I realized that the MAC address was that of the 192.168.10.112 port of the FreeNAS.

    Services running on the FreeNAS are Active Directory, CIFS, SNMP, SSH and iSCSI.

    I captured all traffic to and from the remote DC 192.168.3.242 and it was only communicating with the local DC's now and then.

    I didn't see a way in the FreeNAS GUI to bind Samba to only one nic, did I miss it somewhere?

    Thanks,
    Bill
7. paleoN (FreeNAS Guru), May 11, 2012

I thought I was onto something with that master option showing up, but I didn't find anything useful. Did you ever have interfaces bonded together? Try running this for additional network info:
Code (text):
netstat -aibdh
Do me a favor and throw [code] tags around the output. It will keep the formatting.

Nope. I think you can add it to the Auxiliary parameters section though. You can up the logging level and check the samba logs at /var/log/samba if you think it's samba related.
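paleoN's suggestion of binding Samba to the 192.168.10.112 NIC through the CIFS service's Auxiliary parameters, written out as an added example (these lines are not from the thread, and the interface address is the one from bhealy's ifconfig). With `interfaces` unset, nmbd opens a NetBIOS socket on every configured address, including 10.10.10.2, and a datagram sent from that socket to an off-subnet DC follows the default route out bce1. Listing only the LAN interface removes the 10.10.10.2 socket; `bind interfaces only = yes` makes smbd and nmbd bind to those addresses alone instead of to the wildcard. Loopback is listed so local tools that talk to smbd keep working.

```ini
; Added example, not from the thread: Samba settings for the CIFS service's
; Auxiliary parameters box. Address taken from the ifconfig in this thread.
interfaces = 127.0.0.1 192.168.10.112/24
bind interfaces only = yes
```

After restarting CIFS, `testparm -s` should echo both settings and `sockstat -4 -l` should no longer list a `10.10.10.2:137` or `10.10.10.2:138` socket. The two iSCSI hosts on the 10.10.10.x VLAN lose nothing, since they never needed CIFS on that network. If a 10.10.10.2:137 socket is still present afterwards, the sender is not nmbd or smbd, and the samba logs with a raised log level, as paleoN suggests, are the next place to look.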
8. bhealy, May 14, 2012

    No, never had the interfaces bonded.

Here's the output
Code (text):
netstat -iabh
Name    Mtu Network       Address              Ipkts Ierrs Idrop     Ibytes    Opkts Oerrs     Obytes  Coll
bce0   1500 <Link#1>      00:18:8b:3a:36:ab      61M     0     0        25G      39M     0       139G     0
                          01:00:5e:00:00:01      312                         0
bce0   1500 10.10.10.0    10.10.10.2             61M     -     -        24G     106M     -       138G     -
                          all-systems.mcast
bce1   1500 <Link#2>      00:18:8b:3a:36:a9      15M     0     0        21G     9.0M     0       742M     0
                          01:00:5e:00:00:01   106643                         0
bce1   1500 192.168.10.0  freenas1               15M     -     -        21G     9.1M     -       615M     -
                          all-systems.mcast
lo0   16384 <Link#3>                              29     0     0       7.8K       29     0       7.8K     0
lo0   16384 fe80:3::1     fe80:3::1                0     -     -          0        0     -          0     -
                          ff02:3::202        (refs: 1)
                          ff01:3::1          (refs: 1)
                          ff02:3::2:fba3:61a9(refs: 1)
                          ff02:3::1          (refs: 1)
                          ff02:3::1:ff00:1   (refs: 1)
lo0   16384 localhost     ::1                      0     -     -          0        0     -          0     -
                          ff02:3::202        (refs: 1)
                          ff01:3::1          (refs: 1)
                          ff02:3::2:fba3:61a9(refs: 1)
                          ff02:3::1          (refs: 1)
                          ff02:3::1:ff00:1   (refs: 1)
lo0   16384 your-net      localhost                0     -     -          0       29     -       7.8K     -
                          all-systems.mcast
    I'll have to look for and see what's in smb.conf that might let me bind to just the one interface.


    Bill
