Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 16 replies
  • Subscribers 5 subscribers
  • Views 2488 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Interesting Hardware Bug

FrankFiene

I wanted to install a HA device additional to the existing SG230 in one of our subsidiaries.

We had networking problems so I did a tcpdump on several interfaces and so internal traffic on outside interface and vice versa.

Result is (and this is a no-go for a Firewall of course!):

SG230 switched off and without power plugged in connected on Port eth0 to a switch, connecting a client on port eth1: client is connected to the network on the switch.

You see not also the hardware bug but the problem with eth0 and eth1 being the default interfaces for Internet and internal network.

Somebody else with this behaviour?

Waiting for RMA.

I guess it is a hardware problem of the Ethernet Chips, because the are serving two interfaces usually.

The same I see with eth2 and eth3.



This thread was automatically locked due to age.
  • 0 in reply to LuCar Toni

    OK, that is something.

    I am working in IT-Security since 30 years but I have never seen this until today.

    Default settings of any OS, espacially for Security systems, should be as secure as possible.

    We don't have Security or networking specialists in every subsidiary.

  • 0 in reply to LuCar Toni

    Isn't this really designed more for an end-to-end feature, such as office to office connection that doesn't house external traffic?  I can see this as the only real option to use this, so long as its ultimately secured behind a DMZ, other existing firewall, etc., but not as an endpoint prior to external connectivity.  Gaining internet traffic off of this in a bypass mode capacity negates any security if I understand this setup correctly.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    What do you mean with "end-to-end" connection?

    But for the rest I would agree!

  • 0 in reply to FrankFiene

    And even for the behind a DMZ use case you mentioned, this must not be the default setting!

  • 0 in reply to FrankFiene

    I'm referring to something like MPLS, and the provider can set it up so you have secure traffic from 'end to end' but internet flow traffic goes through a designated office.  

    And, I never disagreed with you on it being a bad decision to have on as a default setting.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    OK, I don't want to trust a MPLS provider as well. So even then there should be no bypass.

Unfiltered HTML