layer-2 spoofing of switches and AP?

July 10, 2019 14:04
Edited

While trying to assign a static IP to firewalla on my router's DHCP table (ASUS AC88U), I noticed that firewalla's MAC was associated with the IP of other devices (since it relies on spoofing)... This leads me to a few questions:

is it still safe to assign a static IP to firewalla on my router DHCP table?
if firewalla spoof the MAC of my network switch, does it mean that when 2 devices communicate between each others through 2 ports on the same switch the very same traffic is also being forwarded to firewalla, bypassing the switch backplane, causing all the traffic to get recombined like a dummy network hub would do?
In the same logic wouldn't it make sense to instruct firewalla to ignore plain switches and AP since they are "mostly passive" devices?
if firewalla relies on spoofing it will compete with legitimate ARP registration from other devices, as a result it will keep losing some packets from time to time as the MAC table on the switches will keep getting updated by legitimate clients as well, isn't it?
In fact as a follow-up from (2) above, if I were to setup an evil kali on my own LAN using the very same spoofing technology, wouldn't this likely take over all the traffic out of the firewalla (assuming the H/W of the evildoer is significantly faster) and render the device useless?
Ideally, I would like firewalla to only inspect/intercept traffic between my devices and my ISP and ignore inter-LAN-only traffic... wouldn't it make more sense to setup the firewalla as the internet router entry point? that way it only sees relevant traffic?
since firewalla doesn't understand VLANs, is there a way to configure a network switch using VLANs such that:

router's lan port is a member of the real-LAN VLAN & inspection VLAN
firewalla is a member of the inspection VLAN only
other devices are members of the real-LAN VLAN only
would that allow firewalla to only inspect the outgoing traffic and not adversely impact LAN-only traffic.

Comments

5 comments

Firewalla

July 10, 2019 17:10
1. is it still safe to assign a static IP to firewalla on my router DHCP table?
Depends on the router, most should be fine. The best is to go inside firewalla and set it there. The new app should allow you to do that. advanced->network settings->edit Please only do this if you know what you are doing.
1. if firewalla spoof the MAC of my network switch, does it mean that when 2 devices communicate between each other through 2 ports on the same switch the very same traffic is also being forwarded to firewalla, bypassing the switch backplane, causing all the traffic to get recombined like a dummy network hub would do?
No, spoofing is for the WAN traffic. Local traffic is not touched.
1. In the same logic wouldn't it make sense to instruct firewalla to ignore plain switches and AP since they are "mostly passive" devices?
AP and Switches' IP addresses are for manageability only. We still do recommend not to monitor them, the reason is some switch's IP implementation ... really suck ..
1. if firewalla relies on spoofing it will compete with legitimate ARP registration from other devices, as a result, it will keep losing some packets from time to time as the MAC table on the switches will keep getting updated by legitimate clients as well, isn't it?
Yes, from time to time there will be something like this, just a tiny bit. Our software will try to fix this. This is the reason for DHCP mode, it is far cleaner. But it will require some maintenance.
1. In fact as a follow-up from (2) above, if I were to set up an evil kali on my own LAN using the very same spoofing technology, wouldn't this likely take over all the traffic out of the firewalla (assuming the H/W of the evildoer is significantly faster) and render the device useless?
It will create a loop ... and your network will go bye-bye. You don't need an evil Kali, just buy another Firewalla and put them together :)
1. Ideally, I would like firewalla to only inspect/intercept traffic between my devices and my ISP and ignore inter-LAN-only traffic... wouldn't it make more sense to setup the firewalla as the internet router entry point? that way it only sees relevant traffic?
It is exactly what firewalla is doing today.
1. since firewalla doesn't understand VLANs, is there a way to configure a network switch using VLANs such that:
- router's lan port is a member of the real-LAN VLAN & inspection VLAN
- firewalla is a member of the inspection VLAN only
- other devices are members of the real-LAN VLAN only
- would that allow firewalla to only inspect the outgoing traffic and not adversely impact LAN-only traffic.
Never tried this setup ... since firewalla will route traffic, anything sends to it will spit out ... so you may have two copies ... Why not give it a try and let us know :)
0

Comment actions Permalink
FF

July 10, 2019 22:22
ok, so, first and foremost, thanks to taking the time from replying because I have tons of questions... unfortunately I don't know as much about networks that I would like so pardon my ignorance...

regarding point #2

"if firewalla spoof the MAC of my network switch, does it mean that when 2 devices communicate between each other through 2 ports on the same switch the very same traffic is also being forwarded to firewalla, bypassing the switch backplane, causing all the traffic to get recombined like a dummy network hub would do?

No, spoofing is for the WAN traffic. Local traffic is not touched. "

I am curious on how you achieve this. I would think that if Alice wants to connects to Bob and if Alice is on my router's wifi, while Bob is connected on my router port #4 but firewalla tricks my router in associating the IP of Bob to its own MAC address on port #3, all the packets sent from Alice to Bob would get sent by the router's internal switch to port #3(firewalla) instead of port #4(Bob).

However, I can confirm that's not the case by running a tcpdump on firewalla, testing with port 22(ssh). In fact I see that ssh sessions from Alice to my local router do indeed transit through firewalla but the same traffic from ALICE to BOB don't seem to be visible by firewalla...

firewalla does intercept traffic from Alice to the router
from:alice ssh router
```
pi@Firewalla:~ (Firewalla) $ sudo tcpdump -vv host 192.168.0.197 and port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:04:02.030082 IP (tos 0x0, ttl 128, id 8133, offset 0, flags [DF], proto TCP (6), length 104)
ALICE.XXXX.mooo.com.58337 > router.asus.com.ssh: Flags [P.], cksum 0xaba7 (correct), seq 150327505:150327569, ack 1983303541, win 256, length 64
18:04:02.048223 IP (tos 0x10, ttl 63, id 27694, offset 0, flags [DF], proto TCP (6), length 120)
```
firewalla doesn't see the traffic from Alice to Bob:
from:alice ssh bob
```
pi@Firewalla:~ (Firewalla) $ sudo tcpdump -vv host 192.168.0.197 and port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
```
0

Comment actions Permalink
Topher

July 16, 2019 21:36
Is there any use-case or benefit of hooking 2 Firewalla's together?
0

Comment actions Permalink
Firewalla

July 17, 2019 00:26
@FF

Traffic to the router is a special case, the reason is that's the WAN connection. So your experiment is perfectly correct. Alice will always see the router as Firewalla, so the ssh session to it will be intercepted.
0

Comment actions Permalink
Firewalla

July 17, 2019 00:27
@Topher, hooking two together is Client->Server VPN, or likely later site to site VPN. We have a few use cases where our customer lives in the US but works abroad. They use Firewalla to Firewalla to watch netflix and a few other things.
0

Comment actions Permalink

Please sign in to leave a comment.

Comments

firewalla does intercept traffic from Alice to the routerfrom:alice ssh router

firewalla doesn't see the traffic from Alice to Bob: from:alice ssh bob

Didn't find what you were looking for?

firewalla does intercept traffic from Alice to the router
from:alice ssh router

firewalla doesn't see the traffic from Alice to Bob:
from:alice ssh bob