
Spoofed packets problem

Hello,

I'm having an issue with a UTM where one customer has issues with a provider connecting to their UTM, and the FW log blocks the connection with "spoofed packet" detected.


So far I've traced the issue and I think it's a subnetting issue; here's the environment:

  • WAN1 connection that has IP (ex.) 1.2.3.137/25, gateway .129, which gives us an IP range of 129 to 254.
  • They also have another WAN with a completely different IP (call it WAN2); that IP has the published services they need to access.
  • The originating IP from the provider is 1.2.3.188, which falls inside the subnet range for WAN1.


The firewall log shows spoofed packets from 1.2.3.188 to [WAN2 IP].

From what I can infer, the issue is that the provider is using an IP that corresponds to the WAN1 subnet (but it's not used or declared in the UTM). But shouldn't this be normal? I mean, an ISP can assign an IP subnet to multiple customers with different IPs on the same subnet and they can access each other with no issues. Why is this failing here?



  • EXACTLY, traffic from the provider is incoming on WAN2 with an IP that is in WAN1's subnet.

    I see, so every address inside a certain subnet cannot come from outside that interface, from what you tell me (I suspected as much but never came across this issue).


    So what I should ask the ISP for is a tighter subnet mask, so that the external IP falls outside the subnet of WAN1.

  • Hello Mast,

    Don't worry about the ISP's subnet being in the Interface definition in the UTM.  Unlike most routers that require the ISP's default gateway to be within the subnet, the UTM does not.

    Please alter your initial post so that it's clear that your definitions don't overlap.  Instead of 1.2.3.x, obfuscate IPs like 181.XX.YY.150, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical.

    What interests me is that the ISP routes the other ISP's subnet directly to you.  They need to correct their routing.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
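As an added illustration of the behaviour discussed in this thread (example code, not from Sophos or from either poster), here is a small Python model of ingress anti-spoofing: a source address that belongs to WAN1's subnet is only accepted when it arrives on WAN1, and a helper works out how far the WAN1 mask would have to be tightened for 1.2.3.188 to fall outside it. The WAN2 prefix is a constructed placeholder from the RFC 5737 documentation range.

```python
import ipaddress

# Constructed topology modelled on the thread. WAN1 is the real example
# (1.2.3.137/25, gateway .129); the WAN2 prefix is a placeholder.
INTERFACES = {
    "WAN1": ipaddress.ip_network("1.2.3.128/25"),
    "WAN2": ipaddress.ip_network("203.0.113.0/29"),
}

# Constructed connection records: (ingress interface, source IP, destination IP).
SAMPLE_TRAFFIC = [
    ("WAN2", "1.2.3.188", "203.0.113.2"),   # the provider's flow from the thread
    ("WAN1", "1.2.3.188", "203.0.113.2"),   # same source, arriving where its subnet lives
    ("WAN2", "198.51.100.7", "203.0.113.2"),  # unrelated source, no local subnet claims it
]


def spoof_check(ingress_iface, src_ip, interfaces=INTERFACES):
    """Return the name of the interface whose subnet contains src_ip when that
    interface is not the one the packet arrived on; None means the packet passes.
    This mirrors the reverse-path style rule that produces a 'spoofed packet' log."""
    src = ipaddress.ip_address(src_ip)
    for name, net in interfaces.items():
        if name != ingress_iface and src in net:
            return name
    return None


def classify(records, interfaces=INTERFACES):
    """Run spoof_check over connection records and report which are dropped."""
    return [(iface, src, dst, spoof_check(iface, src, interfaces)) for iface, src, dst in records]


def prefix_excluding(local_addr, local_prefix, other_ip):
    """Smallest prefix length (>= local_prefix) for which the subnet around
    local_addr no longer contains other_ip; None if even /32 does not exclude it."""
    other = ipaddress.ip_address(other_ip)
    for plen in range(local_prefix, 33):
        net = ipaddress.ip_interface(f"{local_addr}/{plen}").network
        if other not in net:
            return plen, net
    return None


if __name__ == "__main__":
    for iface, src, dst, claimed_by in classify(SAMPLE_TRAFFIC):
        verdict = f"spoofed (source belongs to {claimed_by})" if claimed_by else "allowed"
        print(f"{iface}: {src} -> {dst}: {verdict}")
    plen, net = prefix_excluding("1.2.3.137", 25, "1.2.3.188")
    print(f"WAN1 would need /{plen} ({net}) before 1.2.3.188 falls outside it; "
          f"gateway .129 still inside: {ipaddress.ip_address('1.2.3.129') in net}")
```

Note that /26 (1.2.3.128 to .191) still contains .188, so the first mask that excludes it is /27; whether the ISP will hand out such a mask is a separate question, and as Bob points out the real fix is on the ISP's routing side.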