Hi CheckMates,
I wanted to do a cleanup of our current Firewall (R77.30) topology and enable Anti-Spoofing in Prevent mode for all interfaces (yes, it was in Detect mode before...).
I checked all routes and defined the topology based on self created groups for all interfaces containing multiple networks.
The strange thing is that I get Anti-Spoofing logs for outgoing VPN traffic. We have one "company backbone" Interface (eth3) where all traffic to 10.0.0.0/8 is routed and our Internet Interface is eth0. Our Clients are coming from eth4.
In my logs I can see the following:
For every connection I see a Anti-Spoofing entry coming from eth0 and afterwards the correct VPN message coming from eth4. Strangely enough with fw monitor I can see the traffic coming from eth4:i and eth4:I (which is correct) leaving eth3:o and then finally leaving eth0:o:
I was wondering if you have any idea what's wrong with this setup.