layer-2 spoofing of switches and AP?

Comments

5 comments

  • Firewalla
    1. Is it still safe to assign a static IP to Firewalla in my router's DHCP table?

    Depends on the router; most should be fine. The best is to go inside Firewalla and set it there. The new app should allow you to do that: Advanced -> Network Settings -> Edit. Please only do this if you know what you are doing.

    2. If Firewalla spoofs the MAC of my network switch, does it mean that when 2 devices communicate with each other through 2 ports on the same switch, the very same traffic is also being forwarded to Firewalla, bypassing the switch backplane, causing all the traffic to get recombined like a dumb network hub would do?

    No, spoofing is for the WAN traffic. Local traffic is not touched.

    3. By the same logic, wouldn't it make sense to instruct Firewalla to ignore plain switches and APs since they are "mostly passive" devices?

    APs' and switches' IP addresses are for manageability only. We still recommend not monitoring them; the reason is that some switches' IP implementations ... really suck ...

    4. If Firewalla relies on spoofing, it will compete with legitimate ARP registration from other devices; as a result, it will keep losing some packets from time to time, as the MAC table on the switches will keep getting updated by legitimate clients as well, won't it?

    Yes, from time to time there will be something like this, just a tiny bit. Our software will try to fix this. This is the reason for DHCP mode; it is far cleaner, but it will require some maintenance.

    5. In fact, as a follow-up to (2) above, if I were to set up an evil Kali on my own LAN using the very same spoofing technology, wouldn't this likely take over all the traffic out of the Firewalla (assuming the H/W of the evildoer is significantly faster) and render the device useless?

    It will create a loop ... and your network will go bye-bye. You don't need an evil Kali, just buy another Firewalla and put them together :)

    6. Ideally, I would like Firewalla to only inspect/intercept traffic between my devices and my ISP and ignore inter-LAN-only traffic... Wouldn't it make more sense to set up the Firewalla as the internet router entry point? That way it only sees relevant traffic.

    It is exactly what Firewalla is doing today.

    7. Since Firewalla doesn't understand VLANs, is there a way to configure a network switch using VLANs such that:
    • the router's LAN port is a member of the real-LAN VLAN and the inspection VLAN
    • Firewalla is a member of the inspection VLAN only
    • other devices are members of the real-LAN VLAN only
    Would that allow Firewalla to only inspect the outgoing traffic and not adversely impact LAN-only traffic?

    Never tried this setup ... since Firewalla will route traffic, anything sent to it will be spit out ... so you may have two copies ... Why not give it a try and let us know :)

  • FF

    OK, so, first and foremost, thanks for taking the time to reply, because I have tons of questions... unfortunately I don't know as much about networks as I would like, so pardon my ignorance...

    Regarding point #2:

    "If Firewalla spoofs the MAC of my network switch, does it mean that when 2 devices communicate with each other through 2 ports on the same switch, the very same traffic is also being forwarded to Firewalla, bypassing the switch backplane, causing all the traffic to get recombined like a dumb network hub would do?

    No, spoofing is for the WAN traffic. Local traffic is not touched."

    I am curious how you achieve this. I would think that if Alice wants to connect to Bob, and Alice is on my router's Wi-Fi while Bob is connected to my router's port #4, but Firewalla tricks my router into associating Bob's IP with its own MAC address on port #3, then all the packets sent from Alice to Bob would get sent by the router's internal switch to port #3 (Firewalla) instead of port #4 (Bob).

    However, I can confirm that's not the case by running a tcpdump on Firewalla, testing with port 22 (ssh). In fact I see that ssh sessions from Alice to my local router do indeed transit through Firewalla, but the same traffic from Alice to Bob doesn't seem to be visible to Firewalla...

    Firewalla does intercept traffic from Alice to the router
    from: alice ssh router

    pi@Firewalla:~ (Firewalla) $ sudo tcpdump -vv host 192.168.0.197 and port 22
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    18:04:02.030082 IP (tos 0x0, ttl 128, id 8133, offset 0, flags [DF], proto TCP (6), length 104)
    ALICE.XXXX.mooo.com.58337 > router.asus.com.ssh: Flags [P.], cksum 0xaba7 (correct), seq 150327505:150327569, ack 1983303541, win 256, length 64
    18:04:02.048223 IP (tos 0x10, ttl 63, id 27694, offset 0, flags [DF], proto TCP (6), length 120)

    Firewalla doesn't see the traffic from Alice to Bob:
    from: alice ssh bob

    pi@Firewalla:~ (Firewalla) $ sudo tcpdump -vv host 192.168.0.197 and port 22
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes


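The experiment above reads the capture on Firewalla itself. The complementary check from a client's own side, as an added example that is not code from the thread or from Firewalla: parse the client's neighbour table in the `ip neigh show` text format and flag any MAC that answers for more than one IP, plus a gateway entry whose MAC differs from a known-good one recorded earlier. The sample table is constructed to look like Alice's machine while a spoofer at the hypothetical address 192.168.0.3 claims the router's IP 192.168.0.1; all MACs are made up. Because a Firewalla in spoofing mode and the "evil Kali" from question 5 use the same technique, this check fires for either of them.

```python
"""Check a client's own neighbour table for signs of gateway ARP spoofing.

Added illustration, not from the thread or Firewalla. Parses the text
format of `ip neigh show`; SAMPLE_NEIGH is a constructed table as Alice's
machine might show it while a spoofer at 192.168.0.3 (hypothetical) claims
the router's IP 192.168.0.1. All MACs are made up.
"""
import re
from collections import defaultdict

SAMPLE_NEIGH = """\
192.168.0.1 dev eth0 lladdr 02:00:00:00:00:04 REACHABLE
192.168.0.3 dev eth0 lladdr 02:00:00:00:00:04 REACHABLE
192.168.0.50 dev eth0 lladdr 02:00:00:00:00:03 STALE
192.168.0.77 dev eth0 FAILED
fe80::1 dev eth0 lladdr 02:00:00:00:00:01 router STALE
"""

# ip neigh lines look like: "<ip> dev <if> [lladdr <mac>] [flags...] <STATE>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9A-Fa-f:]{17}))?.*?(?P<state>[A-Z]+)$"
)


def parse_neigh(text):
    """Return {ip: mac} for every entry that carries a link-layer address.
    Entries without one (FAILED, INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("mac"):
            table[m.group("ip")] = m.group("mac").lower()
    return table


def shared_macs(table):
    """MACs that currently answer for more than one IP. A spoofer that claims
    the gateway's IP shows up here next to its own address."""
    owners = defaultdict(list)
    for ip, mac in table.items():
        owners[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


def gateway_check(table, gateway_ip, expected_mac):
    """Compare the cached gateway MAC with a known-good one recorded earlier
    (from the router's label, or a capture taken before any spoofer existed)."""
    seen = table.get(gateway_ip)
    expected = expected_mac.lower()
    return {
        "gateway_ip": gateway_ip,
        "expected": expected,
        "seen": seen,
        "spoofed": seen is not None and seen != expected,
    }


def report(text, gateway_ip, expected_mac):
    """Human-readable findings; returns a list of lines (empty if nothing is off)."""
    table = parse_neigh(text)
    lines = []
    for mac, ips in shared_macs(table).items():
        lines.append(f"MAC {mac} answers for {', '.join(ips)}")
    gw = gateway_check(table, gateway_ip, expected_mac)
    if gw["spoofed"]:
        lines.append(f"gateway {gateway_ip} resolves to {gw['seen']}, expected {gw['expected']}")
    return lines


if __name__ == "__main__":
    # The expected MAC is the router's real (constructed) one, so both findings fire.
    for line in report(SAMPLE_NEIGH, "192.168.0.1", "02:00:00:00:00:01"):
        print(line)
```

On a real machine, feed it the output of `ip neigh show` and the gateway MAC you recorded on a clean day; the shared-MAC finding needs no prior knowledge at all, the gateway comparison does.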

  • Topher

    Is there any use-case or benefit of hooking 2 Firewalla's together?

  • Firewalla

    @FF

    Traffic to the router is a special case; the reason is that it's the WAN connection. So your experiment is perfectly correct. Alice will always see the router as Firewalla, so the ssh session to it will be intercepted.
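
A small model of the forwarding described in this reply and in questions 2 and 5 above, as an added example that is not Firewalla's code and not from the thread: every host keeps an ARP cache, the spoofer overwrites only the gateway-to-client and client-to-gateway entries, and a packet is traced hop by hop through what each host believes. Addresses and MACs are constructed (Alice's 192.168.0.197 is the one in the capture above; the router, Bob, Firewalla and the Kali box get made-up ones, and the spoofer's IP 192.168.0.3 is hypothetical). It reproduces the three observations in the thread: Alice's traffic to the router or to the internet passes through the spoofer, Alice to Bob goes direct, and a second spoofer on the same segment produces a forwarding loop.

```python
"""Model of the gateway ARP spoofing discussed in the thread.

Added illustration, not Firewalla's code. Every host keeps an ARP cache
(IP -> MAC); a spoofer rewrites only the gateway<->client entries and
forwards whatever reaches it. All addresses below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")   # constructed subnet containing Alice's 192.168.0.197
INTERNET = "internet"                 # terminal node reachable only through the real router


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    forwards: bool = False                    # router and spoofers forward; plain hosts drop
    arp: dict = field(default_factory=dict)   # this host's ARP cache: IP -> MAC


class Segment:
    """One switched segment. The switch itself is transparent here: a frame
    addressed to MAC m is delivered to the host that owns m."""

    def __init__(self, gateway, hosts):
        self.gateway = gateway
        self.hosts = [gateway] + list(hosts)
        self.by_mac = {h.mac: h for h in self.hosts}
        for h in self.hosts:                  # honest state: everyone learns the true mapping
            for other in self.hosts:
                h.arp[other.ip] = other.mac

    def poison(self, spoofer):
        """The scheme from the thread: clients are told the gateway is the spoofer,
        the gateway is told every client is the spoofer. Host<->host entries are
        never touched, which is why LAN-only traffic bypasses the spoofer."""
        spoofer.forwards = True
        for h in self.hosts:
            if h is spoofer or h is self.gateway:
                continue
            h.arp[self.gateway.ip] = spoofer.mac
            self.gateway.arp[h.ip] = spoofer.mac

    def _next_hop_ip(self, dst_ip):
        # on-link destinations are ARPed directly, everything else goes via the gateway
        return dst_ip if ip_address(dst_ip) in LAN else self.gateway.ip

    def path(self, src, dst_ip, max_hops=6):
        """Names of the hosts a packet visits, ending in the destination,
        'internet', 'dropped' or 'loop'."""
        hops, cur = [src.name], src
        for _ in range(max_hops):
            if cur is self.gateway and ip_address(dst_ip) not in LAN:
                return hops + [INTERNET]
            nxt = self.by_mac[cur.arp[self._next_hop_ip(dst_ip)]]
            hops.append(nxt.name)
            if nxt.ip == dst_ip:
                return hops
            if not nxt.forwards:
                return hops + ["dropped"]
            cur = nxt
        return hops + ["loop"]


def build():
    router = Host("router", "192.168.0.1", "02:00:00:00:00:01", forwards=True)
    alice = Host("alice", "192.168.0.197", "02:00:00:00:00:02")
    bob = Host("bob", "192.168.0.50", "02:00:00:00:00:03")
    firewalla = Host("firewalla", "192.168.0.3", "02:00:00:00:00:04")
    kali = Host("kali", "192.168.0.66", "02:00:00:00:00:05")
    return Segment(router, [alice, bob, firewalla, kali]), router, alice, bob, firewalla, kali


def demo():
    """Trace the flows discussed in the thread; returns {label: path}."""
    seg, router, alice, bob, firewalla, kali = build()
    seg.poison(firewalla)
    out = {
        "alice -> internet": seg.path(alice, "8.8.8.8"),
        "internet -> alice": seg.path(router, alice.ip),   # reply leaving the router's LAN side
        "alice -> router (ssh)": seg.path(alice, router.ip),
        "alice -> bob (ssh)": seg.path(alice, bob.ip),
    }
    seg.poison(kali)      # the "evil Kali" (or a second Firewalla) joins in
    out["alice -> internet, two spoofers"] = seg.path(alice, "8.8.8.8")
    return out


if __name__ == "__main__":
    for label, hops in demo().items():
        print(f"{label:36} {' -> '.join(hops)}")
```

The loop in the last trace is the mechanism behind "your network will go bye-bye": each spoofer's own cache entry for the gateway was overwritten by the other, so the two hand the packet back and forth and it never reaches the real router.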

  • Firewalla

    @Topher, hooking two together is client-to-server VPN, or likely later site-to-site VPN. We have a few use cases where our customer lives in the US but works abroad. They use Firewalla-to-Firewalla to watch Netflix and a few other things.
