Bug #15104

open

Layer 2 experimental Firewall/Rules/Ethernet: new broadcast domain issues

Added by Jonathan Lee 4 months ago. Updated 4 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version: 23.09.1
Affected Architecture: SG-2100

Description

The layer 2 broadcast domain in 23.05.01 would separate the Compex card from the LAN RJ45 ports. It no longer separates the layer 2 broadcast domains in 23.09.01.

Ref: https://forum.netgate.com/topic/184894/ethernet-rules-on-two-networks

23.09.01 requires intra-interface communication for layer 2, and in 23.05.01 it did not. I run guest Wi-Fi on the Compex card (OPT1), so the secure side, or LAN, is now prone to ARP broadcast storms as it no longer has separate broadcast domains.

Both interfaces have NAT access outbound without talking to each other, but in 23.09.01 it is now required for layer 2 to have interface-to-interface traffic.


Files

Screenshot 2023-12-18 at 1.09.45 PM.png (478 KB): I can no longer use the two rules as it will block all traffic (Jonathan Lee, 12/18/2023 10:44 PM)
Screenshot 2023-12-16 at 12.49.04 PM.png (161 KB): interface settings for Compex card (Jonathan Lee, 12/18/2023 10:45 PM)
Screenshot 2023-12-18 at 2.47.33 PM.png (561 KB): no traffic occurs in 23.05.01 with same rule set (Jonathan Lee, 12/18/2023 10:47 PM)
Screenshot 2023-12-18 at 9.03.35 PM.png (472 KB): ARP storm issues (Jonathan Lee, 12/19/2023 05:08 AM)
Screenshot 2023-12-18 at 9.18.05 PM.png (197 KB) (Jonathan Lee, 12/19/2023 05:18 AM)
Screenshot 2023-12-18 at 9.18.10 PM.png (202 KB) (Jonathan Lee, 12/19/2023 05:18 AM)
Screenshot 2023-12-18 at 9.37.41 PM.png (561 KB): 23.05.01 NO TRAFFIC SEEN BETWEEN GREEN RULES (Jonathan Lee, 12/19/2023 05:39 AM)
Screenshot 2024-01-09 at 2.42.23 PM.png (308 KB): Grey out for address is this interface now? (Jonathan Lee, 01/09/2024 10:49 PM)
Screenshot 2024-01-09 at 2.41.20 PM.png (672 KB): This works with new rules; however, they are not being added into the live rules. My rule number in config still shows the same state IDs; they did not increment (Jonathan Lee, 01/09/2024 10:50 PM)
Screenshot 2024-01-09 at 2.51.05 PM.png (228 KB): rule number (Jonathan Lee, 01/09/2024 10:52 PM)
Actions #1

Updated by Jonathan Lee 4 months ago

Please see the photo. Also, when a client has a static entry for the firewall on the secure side ("Firewall's LAN") and the client uses the guest Wi-Fi for some reason ("Compex card (OPT1)"), this client is now being activated on both interfaces, and the DHCP servers activate on both server 192.168.1.1 and server 10.0.0.1. It shows both ARP entries are activated. Before, it separated them; only one ARP entry would show. The broadcast domain is now combined across intra-interfaces; keep in mind both have different outbound NAT entries. It would only show one or the other based on what interface was used for that layer 2 address.

This could cause a new ARP storm vulnerability. This used to separate the broadcast domain into two, one for each hardware interface.

Is VLAN hopping an issue here now?

KEA is in use.

Actions #2

Updated by Jonathan Lee 4 months ago

I will be moving back to 23.05.01; its layer 2 abilities were more secure within the broadcast domains.

Actions #3

Updated by Jonathan Lee 4 months ago

Also, you can see traffic on the experimental layer 2 firewall rules between the interfaces; that is the main concern here in 23.09.05.

In the last version, 23.05.01, as seen in the attached photo, the firewall software would never allow intra-interface traffic to occur at all, as it would never even attempt to establish any states for the 2 rules seen in the photo.

Thanks, this is a concern as layer 2 traffic is now allowed between interfaces; this could also open up VLAN hopping vulnerabilities.

Actions #4

Updated by Jonathan Lee 4 months ago

Thanks, happy holidays. I enjoyed the experimental layer 2 broadcast storm puzzles; they took me way back to old CCNA classes in 2002-2005.

Actions #5

Updated by Jonathan Lee 4 months ago

https://forum.netgate.com/topic/185443/example-of-layer-2-ethernet-firewall-rules

I was able to get it to work; however, the rule numbers never change, so I do not think they got added when using address over subnet.

Before, in 23.05.01, it listed interface and not subnet.

Actions #6

Updated by Jonathan Lee 4 months ago

This is what I mean by rule ID; I use it with my LED script. With the new rules, when using them with wlan address, they are not moving the rule list down for some reason. It stays the same, 110; it will normally increment and be 111 or 112 and so on. Does use of address over subnet not work with 23.09.01? If so, the normal name was interface and not subnet.
