
Spoofed packets problem

Hello,

I'm having an issue with a UTM where one customer has issues with a provider connecting to their UTM, and the firewall log blocks the connection with "spoofed packet" detected.

So far I've traced the issue and I think it's a subnetting issue; here's the environment:

  • WAN1 connection that has IP (ex.) 1.2.3.137/25, gateway .129, which gives us an IP range of 129 to 254.
  • They also have another WAN on a completely different IP (call it WAN2); that IP has the published services they need to access.
  • The originating IP from the provider is 1.2.3.188, which falls inside the subnet range for WAN1.

The firewall log shows spoofed packets from 1.2.3.188 to [WAN2 IP].

From what I can infer, the issue is that the provider is using an IP that corresponds to the WAN1 subnet (but it's not used or declared in the UTM). But shouldn't this be normal? I mean, an ISP can assign an IP subnet to multiple customers with different IPs on the same subnet and they can access each other with no issues. Why is this failing here?

  • But it's not a subnet either; I get the feeling there has been a misunderstanding on the addresses I gave as an example.

    WAN2 has a different IP, net, different everything from WAN1, as I stated in the first post.

    Alexander, I'm not sure what you mean by "But the interfaces are connected on a layer 2 basis, right? IP network is layer 3.".

    I'll PM you the addresses but I don't think it's going to be of much use.

  • To clarify - the traffic from the provider is incoming on WAN2 with an IP that is in WAN1's subnet?

    The UTM would expect any and all traffic in WAN1's subnet to come in on that interface - you have declared to it that WAN1 is the link into that network, not WAN2.


    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • EXACTLY, traffic from the provider is incoming on WAN2 with an IP that is in WAN1's subnet.

    I see, so every address inside a certain subnet cannot come from outside that interface, from what you tell me (I suspected as much but never came across this issue).

    So what I should ask the ISP for is a tighter subnet mask, so that the external IP falls outside the subnet of WAN1.
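The interface-based anti-spoofing decision RichardP describes, and the "tighter mask" workaround the original poster proposes in reply, modelled as an added example that is not part of this thread and not Sophos UTM code. It uses the example addresses from the first post (WAN1 = 1.2.3.137/25 with gateway .129, provider source 1.2.3.188); the WAN2 address 198.51.100.10/28 and the remote host 203.0.113.7 are assumed placeholders, since the post only says WAN2 is in a completely different network.

```python
import ipaddress

# Interface table, constructed from the example addresses in the thread.
# WAN1 is the 1.2.3.137/25 link (gateway .129). WAN2's address is an
# assumed placeholder: the post only says it is a completely different network.
INTERFACES = {
    "WAN1": ipaddress.ip_interface("1.2.3.137/25"),
    "WAN2": ipaddress.ip_interface("198.51.100.10/28"),
}


def expected_interface(src, interfaces=INTERFACES):
    """Return the name of the interface whose directly connected subnet
    contains src, or None if src is not in any local subnet (a routed host)."""
    src = ipaddress.ip_address(src)
    for name, iface in interfaces.items():
        if src in iface.network:
            return name
    return None


def anti_spoof_check(src, ingress, interfaces=INTERFACES):
    """Model the 'spoofed packet' decision RichardP describes: a source
    address that belongs to a directly connected subnet must arrive on that
    subnet's interface. Returns (verdict, reason)."""
    expected = expected_interface(src, interfaces)
    if expected is not None and expected != ingress:
        return "DROP", f"spoofed packet: {src} in on {ingress}, belongs to {expected}"
    return "ACCEPT", ""


def with_wan1_prefix(prefixlen, interfaces=INTERFACES):
    """Copy of the interface table with WAN1 renumbered to a tighter mask
    (the change the original poster intends to ask the ISP for)."""
    narrowed = dict(interfaces)
    wan1 = interfaces["WAN1"]
    narrowed["WAN1"] = ipaddress.ip_interface(f"{wan1.ip}/{prefixlen}")
    return narrowed


def first_prefix_excluding(wan_if, outsider, gateway):
    """Smallest prefix length (largest mask) at which `outsider` falls outside
    the interface's subnet while `gateway` still lies inside it. The gateway
    condition is the conventional router constraint; Bob notes below that the
    UTM itself does not require it, so it is only a sanity check here."""
    wan_if = ipaddress.ip_interface(wan_if)
    outsider = ipaddress.ip_address(outsider)
    gateway = ipaddress.ip_address(gateway)
    for plen in range(wan_if.network.prefixlen, wan_if.network.max_prefixlen + 1):
        net = ipaddress.ip_interface(f"{wan_if.ip}/{plen}").network
        if outsider not in net and gateway in net:
            return plen
    return None


# Constructed sample traffic (source, ingress interface) modelled on the
# firewall log entry in the thread.
SAMPLE_PACKETS = [
    ("1.2.3.188", "WAN2"),    # the logged case: provider reaches WAN2's address
    ("1.2.3.188", "WAN1"),    # same source, but on the interface it belongs to
    ("203.0.113.7", "WAN2"),  # ordinary remote host in no local subnet
]


def evaluate(packets=SAMPLE_PACKETS, interfaces=INTERFACES):
    """Run the check over the sample traffic; returns (src, ingress, verdict)."""
    return [(src, ingress, anti_spoof_check(src, ingress, interfaces)[0])
            for src, ingress in packets]


if __name__ == "__main__":
    for src, ingress, verdict in evaluate():
        print(f"{src:>12} on {ingress}: {verdict}")
    plen = first_prefix_excluding("1.2.3.137/25", "1.2.3.188", "1.2.3.129")
    print(f"WAN1 as /{plen} no longer claims 1.2.3.188:",
          evaluate(interfaces=with_wan1_prefix(plen)))
```

With the /25 table, the first sample packet is dropped exactly as in the log, while the same source on WAN1 and an unrelated remote host on WAN2 are accepted. The narrowing helper shows why a slightly tighter mask is not enough: a /26 still covers .128 to .191 and keeps dropping 1.2.3.188; the first prefix that excludes it while keeping the .129 gateway is /27. As Bob points out next, narrowing the declared subnet only hides the symptom; the provider's address being routed in on WAN2 is a routing problem on the ISP side.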

  • Hola Mast,

    Don't worry about the ISP's subnet being in the Interface definition in the UTM.  Unlike most routers that require the ISP's default gateway to be within the subnet, the UTM does not.

    Please alter your initial post so that it's clear that your definitions don't overlap.  Instead of 1.2.3.x, obfuscate IPs like 181.XX.YY.150, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical.

    What interests me is that the ISP routes the other ISP's subnet directly to you.  They need to correct their routing.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA