
Interesting Hardware Bug

I wanted to install a HA device additional to the existing SG230 in one of our subsidiaries.

We had networking problems, so I did a tcpdump on several interfaces and saw internal traffic on the outside interface and vice versa.

The result is (and this is a no-go for a firewall, of course!):

SG230 switched off and with no power plugged in, connected on port eth0 to a switch; connect a client on port eth1: the client is connected to the network on the switch.

You see not only the hardware bug but also the problem of eth0 and eth1 being the default interfaces for the Internet and the internal network.

Has anybody else seen this behaviour?

Waiting for RMA.

I guess it is a hardware problem of the Ethernet chips, because they usually serve two interfaces.

I see the same with eth2 and eth3.
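The check described above (running tcpdump on both ports and looking for traffic that belongs to the other side) can be turned into a repeatable test. The following is an added example, not code from the thread or from Sophos: it parses `tcpdump -nn` style lines captured per interface and flags two symptoms of a port bypass or bridge. ARP is link-local and never crosses a routed firewall, so an ARP sender from the other side's subnet is a leak; likewise an inside (RFC1918) source address must never appear un-NATed on the outside port. The interface names, subnets and capture lines are constructed assumptions (eth0 outside, eth1 inside).

```python
"""Flag signs of a hardware bypass between firewall ports from per-interface captures.

Added example (not from the thread). Assumes one 'tcpdump -nn -i <iface>' capture
per interface, fed in as lists of text lines, and a constructed policy below.
"""
import ipaddress
import re

# Constructed policy for an SG230-style deployment: eth0 outside, eth1 inside.
# ARP never crosses a router, so an ARP sender outside the interface's own
# subnet means the two ports are bridged at layer 2.
LOCAL_SUBNET = {
    "eth0": ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, stands in for the WAN
    "eth1": ipaddress.ip_network("192.168.10.0/24"),  # constructed inside LAN
}
# Inside addresses must never appear as un-NATed IP sources on the outside port.
# (Outside sources on the inside port are normal: those are routed replies.)
NEVER_AS_IP_SOURCE = {
    "eth0": [ipaddress.ip_network("192.168.10.0/24")],
}

# tcpdump -nn formats (IPv4 only here):
#   "10:00:01.000001 IP 192.168.10.5.51234 > 203.0.113.7.443: Flags [S], ..."
#   "10:00:01.000200 ARP, Request who-has 192.168.10.1 tell 192.168.10.5, length 28"
IP_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+:")
ARP_RE = re.compile(r"^\S+ ARP, Request who-has (\d+(?:\.\d+){3}) tell (\d+(?:\.\d+){3})")


def classify_line(iface, line):
    """Return (source_ip, reason) if the line should not be seen on iface, else None."""
    m = ARP_RE.match(line)
    if m:
        sender = ipaddress.ip_address(m.group(2))
        if sender not in LOCAL_SUBNET.get(iface, ipaddress.ip_network("0.0.0.0/0")):
            return (str(sender), "arp-foreign-sender")
        return None
    m = IP_RE.match(line)
    if m:
        src = ipaddress.ip_address(m.group(1))
        if any(src in net for net in NEVER_AS_IP_SOURCE.get(iface, [])):
            return (str(src), "forbidden-ip-source")
    return None


def find_leaks(captures):
    """captures: {iface: [tcpdump lines]} -> {iface: [(source_ip, reason), ...]} (only leaking ifaces)."""
    leaks = {}
    for iface, lines in captures.items():
        hits = [hit for hit in (classify_line(iface, ln) for ln in lines) if hit]
        if hits:
            leaks[iface] = hits
    return leaks


def bypass_suspected(leaks, pair=("eth0", "eth1")):
    """True when BOTH ports of a pair carry foreign ARP: frames are crossing in both
    directions, which is what a bypassed/bridged port pair looks like on the wire."""
    return all(
        any(reason == "arp-foreign-sender" for _, reason in leaks.get(iface, []))
        for iface in pair
    )


# Constructed capture lines reproducing the thread's observation: the inside
# client's traffic shows up on eth0, and the switch side's ARP shows up on eth1.
SAMPLE = {
    "eth0": [
        "10:00:01.000001 IP 203.0.113.7.443 > 203.0.113.20.51000: Flags [S.], seq 0",
        "10:00:01.000200 ARP, Request who-has 192.168.10.1 tell 192.168.10.5, length 28",
        "10:00:01.000300 IP 192.168.10.5.51234 > 203.0.113.7.443: Flags [S], seq 1",
    ],
    "eth1": [
        "10:00:01.000400 IP 203.0.113.7.443 > 192.168.10.5.51234: Flags [S.], seq 0",
        "10:00:01.000500 ARP, Request who-has 203.0.113.20 tell 203.0.113.7, length 28",
    ],
}

if __name__ == "__main__":
    found = find_leaks(SAMPLE)
    for iface, hits in found.items():
        for src, reason in hits:
            print(f"{iface}: {reason} from {src}")
    print("bypass suspected:", bypass_suspected(found))
```

Run it against real captures by replacing `SAMPLE` with the lines of `tcpdump -nn -i eth0` and `-i eth1` taken while a test client is attached; a clean, routed firewall produces no `arp-foreign-sender` hits on either port.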



  • OK, that is something.

    I have been working in IT security for 30 years, but I have never seen this until today.

    Default settings of any OS, especially for security systems, should be as secure as possible.

    We don't have Security or networking specialists in every subsidiary.

  • Isn't this really designed more for an end-to-end feature, such as an office-to-office connection that doesn't carry external traffic? I can see this as the only real option to use this, so long as it's ultimately secured behind a DMZ, another existing firewall, etc., but not as an endpoint prior to external connectivity. Getting internet traffic off of this in a bypass-mode capacity negates any security, if I understand this setup correctly.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • What do you mean by "end-to-end" connection?

    But for the rest I would agree!

  • And even for the behind a DMZ use case you mentioned, this must not be the default setting!

  • I'm referring to something like MPLS, where the provider can set it up so you have secure traffic from 'end to end' but internet-bound traffic goes through a designated office.

    And, I never disagreed with you on it being a bad decision to have on as a default setting.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • OK, I don't want to trust an MPLS provider either. So even then there should be no bypass.