
M4300 - Routed traffic appears spoofed

ChrisCopern
Follower

Hi,


I'm reconfiguring my network to use VLANs, with the M4300 as the L3 core switch handling all of the VLAN routing for performance purposes.


The routing is overall working as expected; however, I'm running into an issue where traffic destined to the internet and routed through the M4300's default gateway is being dropped as a spoofing attack. The Watchguard Firebox sees traffic from the M4300's current management IP (10.0.1.2, VLAN1); however, the traffic appears to originate from a network associated with a different VLAN.


For example - traffic from a client at 10.100.20.200 (VLAN20) destined to 1.1.1.1 routes through the M4300's default gateway (10.0.1.1 VLAN1) to the Watchguard Firewall, and is dropped as spoofed traffic as it's expecting traffic from the 10.0.1.0/24 range only.


I have been able to route successfully to the internet by disabling Spoofing protection in my Watchguard Firewall, however I suspect that should not be necessary if properly configured.


Is there a recommended approach to handle this situation? Is there perhaps a method to route each VLAN's traffic through a different next-hop on the M4300 to a specific IP on the Firebox? Such as:

VLAN10 - 10.100.10.0/24 => 10.100.10.1

VLAN20 - 10.100.20.0/24 => 10.100.20.1


I've tried adding new Static Routes and have been unable to have different next-hops so far.


The Watchguard is currently VLAN-aware, and has the same VLANs as the M4300. I was able to remove the VLANs from the Firebox and add a secondary IP on each network used by the VLANs (e.g. 10.100.10.1, 10.100.20.1), which routed traffic correctly and did not trigger spoofing protection.

I'm not sure if there's a benefit to having the Firebox being VLAN aware or not, since the routing should all occur on the M4300 regardless. I expect this might be the recommended approach.


Any help would be appreciated, let me know if there's any more information I can provide. I'm attaching a simplified diagram of the network, as well as the learned routes from my M4300.


Regards,

Chris.


Attachments: simple_network_layout.jpg, m4300_learned_routes.png

Model: XSM4324S|M4300-12X12F - Stackable Managed Switch with 24x10G including 12x10GBASE-T and 12xSFP+ Layer 3
Message 1 of 2
schumaku
Guru

Re: M4300 - Routed traffic appears spoofed

As a rule of thumb, the Watchguard reports spoofing because it sees addresses from a subnet already configured locally on the security appliance coming in on a different subnet, too.

Message 2 of 2
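Added example, not code from the original thread, NETGEAR or WatchGuard: a small Python model of the strict reverse-path (anti-spoofing) check that the reply describes, run against the three Firebox layouts the thread discusses. The check is the standard one: a packet is treated as spoofed when the firewall would route back to its source address through an interface other than the one it arrived on. The first two layouts (Firebox carrying the same VLANs as the M4300; VLANs removed and secondary IPs added on the transit interface) are constructed from the original post; the third (transit subnet only, with static routes for the VLAN subnets pointing back at the M4300 at 10.0.1.2) is an assumed alternative that the thread does not confirm was configured, included to show why a return route matters once the VLAN interfaces are gone.

```python
"""Model of a strict reverse-path (anti-spoofing) check on a firewall.

Added example, not NETGEAR/WatchGuard code. Interface names and the
10.0.1.2 next hop for the transit layout are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address


@dataclass
class Firewall:
    """Routing table of the firewall, reduced to what the RPF check needs.

    interfaces:    interface name -> networks directly connected on it
    static_routes: destination network -> next hop (must sit on a connected network)
    """
    interfaces: Dict[str, List[IPv4Network]]
    static_routes: Dict[IPv4Network, IPv4Address] = field(default_factory=dict)

    def interface_toward(self, addr: IPv4Address) -> Optional[str]:
        """Longest-prefix match: which interface would the firewall use to reach addr?"""
        candidates: List[Tuple[int, str]] = []
        for iface, nets in self.interfaces.items():
            candidates += [(net.prefixlen, iface) for net in nets if addr in net]
        for net, next_hop in self.static_routes.items():
            if addr in net:
                # A static route only counts if its next hop is directly reachable.
                for iface, nets in self.interfaces.items():
                    if any(next_hop in n for n in nets):
                        candidates.append((net.prefixlen, iface))
        return max(candidates)[1] if candidates else None

    def is_spoofed(self, src: str, ingress: str) -> bool:
        """Strict RPF: the source is spoofed if the return path uses a different interface."""
        expected = self.interface_toward(ipaddress.ip_address(src))
        return expected is not None and expected != ingress

    def has_return_route(self, src: str) -> bool:
        """Without a route back to src, replies cannot reach it even if the packet is accepted."""
        return self.interface_toward(ipaddress.ip_address(src)) is not None


def vlan_aware_firebox() -> Firewall:
    """Constructed: Firebox carries the same VLANs as the M4300 (the original setup)."""
    return Firewall(interfaces={
        "vlan1": [IPv4Network("10.0.1.0/24")],
        "vlan10": [IPv4Network("10.100.10.0/24")],
        "vlan20": [IPv4Network("10.100.20.0/24")],
    })


def secondary_ip_firebox() -> Firewall:
    """Constructed: VLANs removed, secondary IPs on the transit interface (what the poster tried)."""
    return Firewall(interfaces={
        "vlan1": [IPv4Network("10.0.1.0/24"),
                  IPv4Network("10.100.10.0/24"),
                  IPv4Network("10.100.20.0/24")],
    })


def transit_firebox(with_static_routes: bool = True) -> Firewall:
    """Assumed alternative: only the transit subnet on the Firebox, VLAN subnets routed back to the M4300."""
    fw = Firewall(interfaces={"vlan1": [IPv4Network("10.0.1.0/24")]})
    if with_static_routes:
        m4300 = IPv4Address("10.0.1.2")  # assumption: the M4300's address on the transit subnet
        fw.static_routes = {
            IPv4Network("10.100.10.0/24"): m4300,
            IPv4Network("10.100.20.0/24"): m4300,
        }
    return fw


def evaluate(src: str = "10.100.20.200", ingress: str = "vlan1") -> Dict[str, Tuple[bool, bool]]:
    """For each layout: (flagged as spoofed?, has a return route to src?) for the post's example packet."""
    layouts = {
        "vlan_aware": vlan_aware_firebox(),
        "secondary_ips": secondary_ip_firebox(),
        "transit_with_routes": transit_firebox(True),
        "transit_no_routes": transit_firebox(False),
    }
    return {name: (fw.is_spoofed(src, ingress), fw.has_return_route(src))
            for name, fw in layouts.items()}


if __name__ == "__main__":
    for name, (spoofed, routable) in evaluate().items():
        print(f"{name:22s} spoofed={spoofed!s:5s} return_route={routable}")
```

In the VLAN-aware layout the firewall owns 10.100.20.0/24 on its own vlan20 interface, so a packet from 10.100.20.200 arriving on vlan1 fails the check exactly as the thread describes. Secondary IPs on the transit interface pass because the return path is the ingress interface, which matches what the poster observed. The transit-only layout shows the trade-off: with the VLAN interfaces removed, the Firebox also needs static routes for those subnets back to the M4300, otherwise it accepts the packet but has no path for the replies.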