How to enable antispoof check (reverse path check)?

panicos (Dabbler, joined May 26, 2013, 29 messages)
Hello guys,

I have the latest FreeNAS installed on an HP Microserver N54L with multiple network interfaces on it:
-one mgmt physical interface with IP on it, but no gateway
-one production lagg interface (made of 4 physical interfaces) with an IP and a gateway set on it

Problem: when I ping the mgmt interface from another external subnet, the response goes out through the lagg interface (because that one has the default route), and thus it appears the reverse path check is not enabled by default here. I know that on some Linux distributions (like Ubuntu) the reverse path check filter is enabled by default (I tested and confirmed this), but it appears that on FreeBSD it is not (judging by its behaviour).
I want to enable the reverse path check filter on the FreeNAS machine as well. Does anyone know how to do it?

Thank you

Yorick (Wizard, joined Nov 4, 2018, 1,912 messages)
> when I ping the mgmt interface from another external subnet

This suggests that you have a L3 IP on the switch that hosts the mgmt subnet. I'd remove this, and make it 100% L2. The intent is to only be able to manage from the mgmt VLAN/subnet, right?

This way, an external packet arriving at the switch on VLAN <N> for <mgmt-subnet> won't be forwarded to <mgmt-subnet>, because the switch has no L3 in that subnet.

This becomes more difficult if you have a setup where some devices in mgmt-subnet are meant to communicate to the world through that switch, just FreeNAS isn't. Then you need the L3, and it's over to other people to say what can be done in FreeNAS.

panicos

This suggests that you have a L3 IP on the switch that hosts the mgmt subnet. --> Correct. It is a firewall. (The switch has an L3 interface in the mgmt VLAN, but it is not handling the routing, as it is the only SVI it has.)

The intent is to only be able to manage from the mgmt VLAN/subnet, right? --> Yes.

This becomes more difficult if you have a setup where some devices in mgmt-subnet are meant to communicate to world through that switch, just FreeNAS isn't. --> I want to use the mgmt network only for... mgmt indeed, and I also have in the network some VMware hosts that share the same mgmt VLAN for management and also for vMotion.

All the devices in the network have an IP in the mgmt VLAN. I have a firewall which has layer 3 interfaces in all the subnets that I have (including management). If I come from the LAN, reach the firewall, and go to the mgmt VLAN, the firewall will route this to the FreeNAS and the FreeNAS will route it back through another interface (not the mgmt one, because it has no route there). So how can I stop this? If I remove the layer 3 interface of the mgmt VLAN from the firewall, then how can I reach the mgmt VLAN from any other subnet?

I hope I explained it OK.

Yorick
> If I remove the layer 3 interface of the mgmt VLAN from the firewall, then how can I reach the mgmt VLAN from any other subnet

You cannot. If you want the mgmt vlan to be reached from other subnets, then your intent is not to manage only from the mgmt VLAN. Your intent is to manage from a list of trusted subnets, routing through your firewall.

You could solve this by:
- Default route on production LAG
- Specific routes on mgmt interface. For example, if mgmt subnet is 172.16.0.0/24, FreeNAS mgmt interface is 172.16.0.10, and the firewall on that subnet is 172.16.0.1, and you want to reach 172.16.0.10 from 10.10.1.0/24, then on FreeNAS, you'd need a static route for 10.10.1.0/24 with next-hop of 172.16.0.1. That way, traffic is routed back out through the mgmt interface.

You'd add these specific routes under Network -> Static Routes.

panicos
> - Specific routes on mgmt interface. For example, if mgmt subnet is 172.16.0.0/24, FreeNAS mgmt interface is 172.16.0.10, and the firewall on that subnet is 172.16.0.1, and you want to reach 172.16.0.10 from 10.10.1.0/24, then on FreeNAS, you'd need a static route for 10.10.1.0/24 with next-hop of 172.16.0.1. That way, traffic is routed back out through the mgmt interface.

I understand now. So the only way is to remove the mgmt VLAN gateway from all the hosts within this VLAN and to add static routes on each one of them for the interesting source traffic (subnet) I want to reach them from.
Also, on the firewall (which is the gateway of all subnets) I should just block access to the mgmt VLAN with firewall rules regarding source traffic from particular subnets which have their gateway on the firewall.
Correct?

Yorick
Sounds right to me. Basic networking: more specific routes are used over less specific ones, and firewalls are used to control who is allowed to access what.
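The static-route fix Yorick describes (default route on the LAG, a specific route for the admin subnet via the firewall's mgmt-side address) and the "more specific routes win" rule in the closing reply, as an added example that is not part of the original thread and not FreeNAS code. It is a toy longest-prefix-match router that reproduces the asymmetric reply path, shows the static route correcting it, and models the strict reverse-path check the original question asked about. The addresses 172.16.0.0/24, 172.16.0.10, 172.16.0.1 and 10.10.1.0/24 are the ones from the thread; the interface names mgmt0 and lagg0, the production subnet 192.168.1.0/24, its gateway 192.168.1.1 and the admin host 10.10.1.5 are assumptions.

```python
"""
Added example (not FreeNAS code): a toy longest-prefix-match router that
reproduces the asymmetric-routing problem from the thread and the static-route
fix, plus the strict reverse-path check the original question asked about.

Addresses from the thread: 172.16.0.0/24 is the mgmt subnet, the firewall's
mgmt-side address is 172.16.0.1, and 10.10.1.0/24 is the admin subnet.
Assumed: interface names mgmt0/lagg0, production subnet 192.168.1.0/24 and
its gateway 192.168.1.1, and the admin host 10.10.1.5.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str                      # egress interface
    gateway: Optional[IPv4Address]  # None means directly connected


def lookup(table: List[Route], dst) -> Optional[Route]:
    """Longest-prefix match: of all routes covering dst, the most specific wins."""
    dst = ip_address(dst)
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def reply_interface(table: List[Route], src) -> Optional[str]:
    """Interface a reply leaves on. The kernel routes the reply by its
    destination, which is the source of the packet being answered."""
    route = lookup(table, src)
    return route.iface if route else None


def strict_rpf_accepts(table: List[Route], src, ingress: str) -> bool:
    """Strict reverse-path check (the behaviour of Linux rp_filter=1): accept a
    packet only if the route back to its source uses the interface it came in on."""
    return reply_interface(table, src) == ingress


def freenas_table(with_static_route: bool) -> List[Route]:
    """Routing table of the FreeNAS box in the thread. Only the mgmt subnet and
    the admin subnet are from the thread; the rest is assumed."""
    table = [
        Route(ip_network("172.16.0.0/24"), "mgmt0", None),                   # mgmt, no gateway
        Route(ip_network("192.168.1.0/24"), "lagg0", None),                  # production LAG (assumed)
        Route(ip_network("0.0.0.0/0"), "lagg0", ip_address("192.168.1.1")),  # default via LAG (assumed)
    ]
    if with_static_route:
        # The fix from the thread: a specific route for the admin subnet via
        # the firewall's mgmt-side address (Network -> Static Routes in the UI).
        table.append(Route(ip_network("10.10.1.0/24"), "mgmt0", ip_address("172.16.0.1")))
    return table


def freebsd_route_command(route: Route) -> str:
    """route(8) form of a gateway route, handy for checking from a shell."""
    return f"route add -net {route.prefix} {route.gateway}"


if __name__ == "__main__":
    admin = "10.10.1.5"  # constructed address of the admin workstation
    before, after = freenas_table(False), freenas_table(True)
    print("reply to", admin, "leaves via", reply_interface(before, admin), "(before)")
    print("reply to", admin, "leaves via", reply_interface(after, admin), "(after)")
    print("strict RPF on mgmt0 before:", strict_rpf_accepts(before, admin, "mgmt0"))
    print("strict RPF on mgmt0 after: ", strict_rpf_accepts(after, admin, "mgmt0"))
    print(freebsd_route_command(after[-1]))
```

Before the static route, a packet from 10.10.1.5 arrives on mgmt0 but the only route covering its source is the default via lagg0, so the reply leaves the wrong interface and a strict reverse-path check would have dropped the packet on arrival. After adding the /24 via 172.16.0.1 the more specific route wins and both the reply path and the check agree on mgmt0. The check function only models what the original poster asked for; the thread's actual fix is the static route plus firewall rules, which makes the routing symmetric without any filter on the FreeNAS side, and it has to be repeated for every subnet you intend to manage from.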