Spoofed packets problem

Question

Hello, 
 i'm having an issue with a UTM where one customer has issues with a provider connecting to their UTM and the FW log blocks the connection with "spoofed packet" detected. 
 
 so far i've traced the issue and i think it's a subnetting issue, here's the environment: 
 
 WAN1 connection that has ip(ex): 1.2.3.137/25 gateway .129 that gives us a ip range of 129 to 254. 
 They also have another wan in a completely different ip(call it WAN2), that ip has the published services they need to access. 
 The originating ip from the provider is 1.2.3.188 which falls inside the subnet range for WAN1

the firewall log shows spoofed packets from 1.2.3.188 to [WAN2 IP] 
 from what i can infer, the issue is that the provider is using a IP that corresponds to the WAN1 subnet (but it's not used or declared in UTM), &iquest;but shouldn't this be normal?, i mean an isp can assign a ip subnet to multiple customers with different ip on the same subnet and they can access eachother no issues, &iquest;why is this failing here?

RichardP · Answer

To clarify - the traffic from the provider is incoming on WAN2 with an IP that is in WAN1's subnet? 
 The utm would expect any and all traffic in WAN1's subnet to come in on that interface - you have declared to it that WAN1 is the link into that network not WAN2.

BAlfson · Answer

Hola Mast, 
 Don't worry about the ISP's subnet being in the Interface definition in the UTM. Unlike most routers that require the ISP's default gateway to be within the subnet, the UTM does not. 
 Please alter your initial post so that it's clear that your definitions don't overlap. Instead of 1.2.3.x, obfuscate IPs like 181.XX.YY.150, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51. That lets us see immediately which IPs are local and which are identical. 
 What interests me is that the ISP routes the other ISP's subnet directly to you. They need to correct their routing. 
 Cheers - Bob