
Thread: IP Spoofing problem

  1. #1
    Junior Member
    Join Date
    Apr 2012
    Posts
    5

    IP Spoofing problem

    Hi,

    I have an 8.0.4 release x64 running with dual NICs, one dedicated for iSCSI communication with two servers on a closed 10.10.10.x network (no gateway) and the other NIC on a user LAN 192.168.10.x for Windows shares, management, etc. I've got Active Directory set up and working with a DC on the 192.168.10.x LAN. The problem is my firewall keeps tripping with spoof alerts that the 10.10.10.2 address of the FreeNAS is showing up on the 192.168.10.x LAN with the MAC address of the FreeNAS 192.168.10.x interface. The traffic is NetBIOS port 137 going to a backup DC on another LAN!

    Here's the network summary:

    Name           IPv4 Address
    bce0           10.10.10.2/24
    bce1           192.168.10.112/24
    Nameserver     192.168.10.100, 192.168.10.101
    Default route  192.168.10.1

    And the spoof message from my Sonicwall which is 192.168.10.1 is:
    04/20/2012 09:52:09.736 - Alert - Intrusion Prevention - IP spoof dropped - 10.10.10.2, 137, X0 - 192.168.3.242, 137, X2 - MAC address: 00:18:8b:3a:36:a9

    I have confirmed with ifconfig that the MAC address shown is in fact that of the 192.168.10.x NIC of the FreeNAS.


    So,
    1) Why would FreeNAS be trying to get to my backup DC on another LAN? The DC configured for Active Directory is on the local 192.168.10.x LAN.
    2) How do I stop it from trying to do it from the 10.10.10.x interface and use the 192.168.10.x instead if it really does need to talk to the backup DC? (there is more than one DC on the local 192.168.10.x LAN!)

    I don't know if this is a new problem, I've been using FreeNAS for a while, and I've only just started seeing the Alerts since upgrading to a newer Sonicwall model.

    Any suggestions?

    Thanks,
    Bill

  2. #2
    Junior Member
    Join Date
    Apr 2012
    Posts
    5

    No ideas??

    Am I missing something obvious and that's why no responses, or is this a problem which no one has an answer for?

    Bill

  3. #3
    Senior Member paleoN
    Join Date
    Apr 2012
    Posts
    1,087
    What exactly is physically plugged into what? You say 10.10.10.x is a closed network. Is this on a different switch, are those ports set for a separate vlan or what exactly?

    Is 192.168.3.242 a valid destination? If so, perhaps a complete network layout would help.

    Also, what does the routing table on your FreeNAS box look like?
    Code:
     netstat -rn
    --
    FreeNAS-8.3.1-RELEASE-p2-x64 | SilverStone SST-KL04B | ASUS F1A75-V Pro | 9301 CT NIC
    AMD A6-3500 Llano CPU | 8GB DDR3 RAM | 4 x Seagate ST
    2000DM001 2TB (striped mirrors)

  4. #4
    Junior Member
    Join Date
    Apr 2012
    Posts
    5
    The 10.10.10.x is on its own VLAN with no gateway. The VLAN is configured in the switch for the 3 ports in use, they are Untagged, and I've denied all other ports on the switch membership to the VLAN. There are 2 Windows servers also connected to the same VLAN that use iSCSI to the FreeNAS.

    The 192.168.10.x network gateways through 192.168.10.1 which is my firewall/router that is alerting to the IP Spoofing. The 192.168.10.x network has 3 Domain Controllers, one of which (the primary) is configured in the Active Directory service of FreeNAS.

    The backup Domain Controller 192.168.3.242 is reachable from the 192.168.10.x network through the gateway 192.168.10.1, but it's on the other end of a T-1 in another office. Much faster to go to a local DC at 1G than the remote office at 1.5M!

    From the spoof alerts I'm getting it looks like it happens every 20 minutes.

    Here's the routing table:
    Code:
     netstat -rn
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs        Use  Netif Expire
    default            192.168.10.1       UGS         0   12508844   bce1
    10.10.10.0/24      link#1             U           0 1504180423   bce0
    10.10.10.2         link#1             UHS         0         29    lo0
    127.0.0.1          link#3             UH          0          0    lo0
    192.168.10.0/24    link#2             U           0  309581482   bce1
    192.168.10.112     link#2             UHS         0          0    lo0

    Internet6:
    Destination        Gateway            Flags  Netif Expire
    ::1                ::1                UH     lo0
    fe80::%lo0/64      link#3             U      lo0
    fe80::1%lo0        link#3             UHS    lo0
    ff01:3::/32        fe80::1%lo0        U      lo0
    ff02::%lo0/32      fe80::1%lo0        U      lo0



    And an ifconfig so you can see the MAC addresses:
    Code:
     ifconfig
    bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
    ether 00:18:8b:3a:36:ab
    inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
    media: Ethernet autoselect (1000baseT <full-duplex,master>)
    status: active
    bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
    ether 00:18:8b:3a:36:a9
    inet 192.168.10.112 netmask 0xffffff00 broadcast 192.168.10.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    inet6 ::1 prefixlen 128
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>


    As I mentioned before, but I'll summarize: bce0 is the 10.10.10.x network, bce1 is the 192.168.10.x network, but the spoof alerts are showing the 10.10.10.2 address with the MAC address from the bce1 interface on the bce1 LAN (192.168.10.x), hence the spoof. If it wasn't for the fact that it was trying to route through my firewall/router I would never have known there was useless 10.10.10.x traffic on the 192.168.10.x LAN.

    Is there anyone else out there with a dual port FreeNAS and Active Directory that can monitor the LAN with the DCs and see if traffic from their other FreeNAS port is showing up on the wrong LAN?

    I should mention that Active Directory is working fine, my users show up and authenticate to get into the CIFS shares.

    Also of note, I do not have Local Master checked under the CIFS configs.

    What would be some reasons that FreeNAS would be trying to talk to my remote backup DC when there are 3 perfectly good DCs on the local LAN?


    Thanks for any help you can offer,
    Bill

  5. #5
    Senior Member paleoN
    Join Date
    Apr 2012
    Posts
    1,087
    What AD are you running anyway? I imagine it is, but is the remote DC in its own site in AD?

    Is it a different switch that the 10.10.10.x ports are on or is it on the Sonicwall itself? Are there any DNS entries that use the 10.10.10.2 address for the FreeNAS box? Have you tried logging traffic from the 192.168.3.242 to both 10.10.10.2 & 192.168.10.112 to see if the remote DC is starting it?

    What are the services that you are running on the FreeNAS box? Did you try binding Samba to only the 192.168.10.112 nic?

    Quote Originally Posted by bhealy:
    What would be some reasons that FreeNAS would be trying to talk to my remote backup DC when there are 3 perfectly good DC's on the local LAN?
    Because it's Windows and it does it all the time for no good reason. You can double check DNS to make sure you don't have any stale SRV records that are pointing to the remote DC in the local site.

  6. #6
    Junior Member
    Join Date
    Apr 2012
    Posts
    5
    The Domain and Forest functional levels are currently Windows 2003, working towards 2008. Yes, the remote DC is in its own AD site. Also checked DNS and WINS and there are no records anywhere for the FreeNAS's 10.10.10.2 address.

    The 10.10.10.x ports of the switch are part of a VLAN with no connection to the Sonicwall. The rest of the ports on the switch are used for the 192.168.10.x LAN which do have a connection to the Sonicwall. At first I thought packets were somehow getting out of the VLAN, but then I realized that the MAC address was that of the 192.168.10.112 port of the FreeNAS.

    Services running on the FreeNAS are Active Directory, CIFS, SNMP, SSH and iSCSI.

    I captured all traffic to and from the remote DC 192.168.3.242 and it was only communicating with the local DCs now and then.

    I didn't see a way in the FreeNAS GUI to bind Samba to only one nic, did I miss it somewhere?

    Thanks,
    Bill

  7. #7
    Senior Member paleoN
    Join Date
    Apr 2012
    Posts
    1,087
    Quote Originally Posted by bhealy:
    ifconfig
    bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
    ether 00:18:8b:3a:36:ab
    inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
    media: Ethernet autoselect (1000baseT <full-duplex,master>)
    I thought I was onto something with that master option showing up, but I didn't find anything useful. Did you ever have interfaces bonded together? Try running this for additional network info:
    Code:
    netstat -aibdh
    Do me a favor and throw [code] [/code] tags around the output. It will keep the formatting.
    Quote Originally Posted by bhealy:
    I didn't see a way in the FreeNAS GUI to bind Samba to only one nic, did I miss it somewhere?
    Nope. I think you can add it to the Auxiliary parameters section though. You can up the logging level and check the samba logs at /var/log/samba if you think it's samba related.

  8. #8
    Junior Member
    Join Date
    Apr 2012
    Posts
    5
    No, never had the interfaces bonded.

    Here's the output
    Code:
     netstat -iabh
    Name    Mtu Network       Address              Ipkts Ierrs Idrop     Ibytes    Opkts Oerrs     Obytes  Coll
    bce0   1500 <Link#1>      00:18:8b:3a:36:ab      61M     0     0        25G      39M     0       139G     0
                              01:00:5e:00:00:01      312                         0
    bce0   1500 10.10.10.0    10.10.10.2             61M     -     -        24G     106M     -       138G     -
                              all-systems.mcast
    bce1   1500 <Link#2>      00:18:8b:3a:36:a9      15M     0     0        21G     9.0M     0       742M     0
                              01:00:5e:00:00:01   106643                         0
    bce1   1500 192.168.10.0  freenas1               15M     -     -        21G     9.1M     -       615M     -
                              all-systems.mcast
    lo0   16384 <Link#3>                              29     0     0       7.8K       29     0       7.8K     0
    lo0   16384 fe80:3::1     fe80:3::1                0     -     -          0        0     -          0     -
                              ff02:3::202        (refs: 1)
                              ff01:3::1          (refs: 1)
                              ff02:3::2:fba3:61a9(refs: 1)
                              ff02:3::1          (refs: 1)
                              ff02:3::1:ff00:1   (refs: 1)
    lo0   16384 localhost     ::1                      0     -     -          0        0     -          0     -
                              ff02:3::202        (refs: 1)
                              ff01:3::1          (refs: 1)
                              ff02:3::2:fba3:61a9(refs: 1)
                              ff02:3::1          (refs: 1)
                              ff02:3::1:ff00:1   (refs: 1)
    lo0   16384 your-net      localhost                0     -     -          0       29     -       7.8K     -
                              all-systems.mcast
    I'll have to look and see what's in smb.conf that might let me bind to just the one interface.


    Bill
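
The thread's diagnosis rests on two facts the firewall log and the FreeNAS interface table give together: the MAC in the alert belongs to bce1, while the source address 10.10.10.2 belongs to bce0. The script below is an added example, not from the thread or from FreeNAS/SonicWall, that automates that cross-check: it parses the SonicWall "IP spoof dropped" line from post #1 and the ether/inet lines of the ifconfig from post #4, labels each alert as a wrong-interface leak of one of the host's own addresses, a genuine unknown-MAC spoof, or something else, and measures the interval between leaks (the roughly 20 minutes noted in post #4) so a periodic name-service probe stands out from a one-off. The sample alerts are constructed: the first is the line from the thread, the second and third are invented for the example (one 20 minutes later from the same MAC, one from a MAC that is not a FreeNAS NIC).

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample alerts in the SonicWall format quoted in post #1. Line 1 is
# the real one from the thread; lines 2 and 3 are made up for this example.
ALERTS = """\
04/20/2012 09:52:09.736 - Alert - Intrusion Prevention - IP spoof dropped - 10.10.10.2, 137, X0 - 192.168.3.242, 137, X2 - MAC address: 00:18:8b:3a:36:a9
04/20/2012 10:12:09.736 - Alert - Intrusion Prevention - IP spoof dropped - 10.10.10.2, 137, X0 - 192.168.3.242, 137, X2 - MAC address: 00:18:8b:3a:36:a9
04/20/2012 10:13:00.000 - Alert - Intrusion Prevention - IP spoof dropped - 10.10.10.2, 137, X0 - 192.168.3.242, 137, X2 - MAC address: 00:de:ad:be:ef:01
"""

# The ether/inet lines of the ifconfig output from post #4 (other lines omitted).
IFCONFIG = """\
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:18:8b:3a:36:ab
        inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:18:8b:3a:36:a9
        inet 192.168.10.112 netmask 0xffffff00 broadcast 192.168.10.255
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - Alert - Intrusion Prevention - IP spoof dropped - "
    r"(?P<src>[\d.]+), (?P<sport>\d+), (?P<sif>\w+) - "
    r"(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dif>\w+) - MAC address: (?P<mac>[0-9a-fA-F:]+)$"
)

def parse_ifconfig(text):
    """Map each interface to its MAC, its IPv4 addresses and its attached networks."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            cur = head.group(1)
            ifaces[cur] = {"mac": None, "addrs": [], "nets": []}
            continue
        if cur is None:
            continue
        fields = line.split()
        if fields[:1] == ["ether"]:
            ifaces[cur]["mac"] = fields[1].lower()
        elif fields[:1] == ["inet"] and "netmask" in fields:
            addr = fields[1]
            mask = int(fields[fields.index("netmask") + 1], 16)  # BSD hex mask, e.g. 0xffffff00
            prefix = bin(mask).count("1")
            ifaces[cur]["addrs"].append(ip_address(addr))
            ifaces[cur]["nets"].append(ip_network(f"{addr}/{prefix}", strict=False))
    return ifaces

def parse_alerts(text):
    """Parse 'IP spoof dropped' lines; lines in any other format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y %H:%M:%S.%f")
        a["src"], a["dst"] = ip_address(a["src"]), ip_address(a["dst"])
        a["mac"] = a["mac"].lower()
        alerts.append(a)
    return alerts

def classify(alert, ifaces):
    """Explain one alert against the host's own interface table."""
    by_mac = {v["mac"]: name for name, v in ifaces.items()}
    egress = by_mac.get(alert["mac"])
    if egress is None:
        return "unknown-mac"        # not one of our NICs: treat as a real spoof attempt
    owner = next((n for n, v in ifaces.items() if alert["src"] in v["addrs"]), None)
    if owner is None:
        return "foreign-source"     # our NIC, but a source address we do not own
    if owner == egress:
        return "consistent"         # address and MAC agree; the firewall objects for another reason
    return f"wrong-interface:{owner}->{egress}"  # our own address leaving via the other NIC

def period_minutes(alerts):
    """Median gap in minutes between consecutive alerts (None with fewer than two)."""
    ts = sorted(a["ts"] for a in alerts)
    if len(ts) < 2:
        return None
    gaps = sorted((b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:]))
    return gaps[len(gaps) // 2]

def triage(alert_text, ifconfig_text):
    """Classify every alert and summarise the wrong-interface leaks (period, ports)."""
    ifaces = parse_ifconfig(ifconfig_text)
    alerts = parse_alerts(alert_text)
    verdicts = [(a["ts"].isoformat(), str(a["src"]), a["dport"], classify(a, ifaces))
                for a in alerts]
    leaks = [a for a in alerts if classify(a, ifaces).startswith("wrong-interface")]
    return {"verdicts": verdicts,
            "leak_period_min": period_minutes(leaks),
            "leak_ports": sorted({a["dport"] for a in leaks})}

if __name__ == "__main__":
    for row in triage(ALERTS, IFCONFIG)["verdicts"]:
        print(*row)
```

Run against the real log, a verdict of `wrong-interface:bce0->bce1` on port 137 only, repeating at a fixed interval, points at a NetBIOS name service on the FreeNAS sourcing packets from all of its addresses rather than at a host forging 10.10.10.2; an `unknown-mac` verdict is the case that deserves the firewall's spoof handling. The confinement paleoN suggests in post #7 is Samba's `bind interfaces only = yes` together with `interfaces = 192.168.10.112/24` (both are standard smb.conf parameters, entered on FreeNAS 8 through the CIFS Auxiliary parameters box); re-running the script over later alerts is a direct way to confirm the leaks have stopped.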
