ChrisCopern
Apr 04, 2019
M4300 - Gateway routed traffic detected as spoofed
Hi,
I'm reconfiguring my network to use VLANs, with the M4300 as the L3 core switch handling all of the VLAN routing for performance purposes.
The routing is overall working as expected, however I'm running into an issue where traffic destined to the internet and routed through the M4300's default gateway is being dropped as a spoofing attack. The Watchguard Firebox sees traffic from the M4300's current management IP (10.0.1.2 VLAN1), however the traffic appears to originate from a network associated with a different VLAN.
For example - traffic from a client at 10.100.20.200 (VLAN20) destined to 1.1.1.1 routes through the M4300's default gateway (10.0.1.1 VLAN1) to the Watchguard Firewall, and is dropped as spoofed traffic as it's expecting traffic from the 10.0.1.0/24 range only.
I have been able to route successfully to the internet by disabling Spoofing protection in my Watchguard Firewall, however I suspect that should not be necessary if properly configured.
Is there a recommended approach to handle this situation? Is there perhaps a method to route each VLAN's traffic through a different next-hop on the M4300 to a specific IP on the Firebox? Such as:
VLAN10 - 10.100.10.0/24 => 10.100.10.1
VLAN20 - 10.100.20.0/24 => 10.100.20.1
I've tried adding new Static Routes and have been unable to have different next-hops so far.
The Watchguard is currently VLAN-aware, and has the same VLANs as the M4300. I was able to remove VLANs from the Firebox and add a secondary IP on each network used by the VLANs (e.g. 10.100.10.1, 10.100.20.1), which routed traffic correctly and did not trigger spoofing protection.
I'm not sure if there's a benefit to having the Firebox being VLAN aware or not, since the routing should all occur on the M4300 regardless. I expect this might be the recommended approach.
Any help would be appreciated, let me know if there's any more information I can provide. I'm attaching a simplified diagram of the network, as well as the learned routes from my M4300.
Regards,
Chris.
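The drop described in the post is what a strict reverse-path anti-spoofing check produces when the firewall's own routing table says the source network lives behind a different interface (here, a VLAN interface on the Firebox) than the one the packet actually arrived on (the untagged VLAN 1 link from the M4300). The following model, added here as an example and not code from the original post or from WatchGuard, implements that generic check and runs the post's packet (client 10.100.20.200 routed by the M4300, arriving on the VLAN 1 interface) against two constructed firewall routing tables: one where the Firebox is VLAN-aware and owns an IP in every VLAN, and one where it instead carries static routes for the client subnets via the M4300's transit address 10.0.1.2. Interface names, the uplink address and the tables themselves are assumptions built to mirror the topology in the post; whether a given product consults its routing table in exactly this way should be confirmed against its documentation.

```python
"""Model of a strict reverse-path (uRPF-style) anti-spoofing check.

Added example, not from the original post and not WatchGuard's implementation.
Interface names and routing tables are constructed to mirror the post's topology:
the M4300 routes the client VLANs and forwards internet traffic to the Firebox
over VLAN 1 (10.0.1.1 on the Firebox, 10.0.1.2 on the M4300).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str            # egress interface for this prefix
    next_hop: Optional[str]   # None for a directly connected network


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match for address; None if no route covers it."""
    addr = ipaddress.ip_address(address)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def rpf_check(routes: List[Route], src: str, ingress: str) -> Tuple[bool, str]:
    """Strict reverse-path check: the route back to the source address must
    leave via the interface the packet arrived on. Returns (accept, reason)."""
    r = lookup(routes, src)
    if r is None:
        return False, f"no route back to {src}: drop as spoofed"
    if r.interface != ingress:
        return False, (f"{src} belongs to {r.prefix} behind {r.interface} "
                       f"but arrived on {ingress}: drop as spoofed")
    return True, f"{src} reachable via {r.prefix} on {ingress}: accept"


# Constructed table 1: the Firebox is VLAN-aware and has an interface in each client
# VLAN, so it believes 10.100.20.0/24 sits behind its own VLAN 20 sub-interface.
FIREBOX_VLAN_AWARE = [
    Route(net("10.0.1.0/24"), "eth1", None),         # VLAN 1 transit, Firebox is 10.0.1.1
    Route(net("10.100.10.0/24"), "eth1.10", None),   # VLAN 10 interface on the Firebox
    Route(net("10.100.20.0/24"), "eth1.20", None),   # VLAN 20 interface on the Firebox
    Route(net("0.0.0.0/0"), "eth0", "203.0.113.1"),  # internet uplink (TEST-NET-3 address)
]

# Constructed table 2: the client VLANs are not configured on the Firebox; it reaches
# them through static routes pointing at the M4300's transit address on eth1.
FIREBOX_ROUTED_CORE = [
    Route(net("10.0.1.0/24"), "eth1", None),
    Route(net("10.100.10.0/24"), "eth1", "10.0.1.2"),
    Route(net("10.100.20.0/24"), "eth1", "10.0.1.2"),
    Route(net("0.0.0.0/0"), "eth0", "203.0.113.1"),
]


def client_to_internet(routes: List[Route], src: str = "10.100.20.200",
                       ingress: str = "eth1") -> Tuple[bool, str]:
    """The packet from the post: a VLAN 20 client, routed by the M4300, arriving
    untagged on the Firebox's VLAN 1 interface on its way to 1.1.1.1."""
    return rpf_check(routes, src, ingress)


if __name__ == "__main__":
    for name, table in (("VLAN-aware Firebox", FIREBOX_VLAN_AWARE),
                        ("static routes via M4300", FIREBOX_ROUTED_CORE)):
        ok, why = client_to_internet(table)
        print(f"{name:24s} -> {'ACCEPT' if ok else 'DROP'}: {why}")
```

With the first table the packet is dropped for exactly the reason in the post: the source prefix is associated with a different VLAN. With the second table the same packet passes because the firewall's route back to 10.100.20.0/24 leaves via the interface it arrived on, and the check still drops a genuinely foreign source (one that only the default route covers). The same effect is what the poster observed when adding secondary IPs on the Firebox's untagged interface, since that makes each client prefix directly connected on eth1. In either form the anti-spoofing protection stays enabled; disabling it removes the check entirely.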
1 Reply
- Retired_Member
Hi ChrisCopern
Welcome to community!
In your case, I suggest you just let the switch work at Layer 2; there is no need for it to do L3 VLAN routing.
Since on the Watchguard Firewall you have created VLANs 1, 10, 20, 30... with IP addresses, on the switch you only need to create L2 VLANs, keep the VLAN 1 IP (10.0.1.2) for management, and on the client side point the default gateway to the Watchguard Firewall.
Then I think it will work normally and more efficiently.
Hope it helps!
Regards,
EricZ