This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
fmalfanti
Explorer
‎2020-11-10 01:15 AM

Problem with MAC address on the wrong interface

Hi,

I've a problem with udp packets (dns queries). I'm testing in a simple configuration.

interface eth4 external,  MAC address 00:1c:7f:32:04:21

corrisponding external router interface, MAC Address c4:7d:4f:d6:55:e1

internal interface eth7,  MAC address 00:1c:7f:32:04:1e

internal client IP Address xxx.xxx.xxx.107, MAC Address 00:0c:29:7f:e1:78

when I do a dns query on 8.8.8.8 I see:

---------------------------------------------

> tcpdump -n -e -i eth7 host 8.8.8.8 and port 53 (INTERNAL INTERFACE)

10:09:34.756268 00:0c:29:7f:e1:78 > 00:1c:7f:32:04:1e, ethertype IPv4 (0x0800), length 70: xxx.xxx.xxx.107.40518 > 8.8.8.8.domain: 30244 [1au] NS? . (28)

---------------------------------------------

tcpdump -n -e -i eth4 host 8.8.8.8 and port 53 (EXTERNAL INTERFACE)

10:09:34.756527 00:1c:7f:32:04:21 > c4:7d:4f:d6:55:e1, ethertype IPv4 (0x0800), length 70: xxx.xxx.xxx.107.40518 > 8.8.8.8.domain: 30244 [1au] NS? . (28)

-------------------------------------------------

and everything is OK

Problems start with the answer:

---------------------------------------------

tcpdump -n -e -i eth4 host 8.8.8.8 and port 53 (EXTERNAL INTERFACE)

10:09:34.766040 c4:7d:4f:d6:55:e1 > 00:1c:7f:32:04:21, ethertype IPv4 (0x0800), length 567: 8.8.8.8.domain > xxx.xxx.xxx.107.40518: 30244$ 14/0/1 NS j.root-servers.net., NS k.root-servers.net., NS b.root-servers.net., NS i.root-servers.net., NS c.root-servers.net., NS g.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS h.root-servers.net., NS a.root-servers.net., NS m.root-servers.net., NS l.root-servers.net., RRSIG (525)

OK, is external

----------------

BUT I SEE THE SAME MAC ADDRESS ON THE INTERNAL INTERFACE

> tcpdump -n -e -i eth7 host 8.8.8.8 and port 53 (INTERNAL INTERFACE)

10:09:34.766053 00:1c:7f:32:04:21 > c4:7d:4f:d6:55:e1, ethertype IPv4 (0x0800), length 567: 8.8.8.8.domain > xxx.xxx.xxx.107.40518: 30244$ 14/0/1 NS j.root-servers.net., NS k.root-servers.net., NS b.root-servers.net., NS i.root-servers.net., NS c.root-servers.net., NS g.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS h.root-servers.net., NS a.root-servers.net., NS m.root-servers.net., NS l.root-servers.net., RRSIG (525)

HERE MAC ADDRESS ARE WRONG 

then the internal client do a new request

10:09:39.756179 00:0c:29:7f:e1:78 > 00:1c:7f:32:04:1e, ethertype IPv4 (0x0800), length 70: xxx.xxx.xxx.107.52567 > 8.8.8.8.domain: 39751 [1au] NS? . (28)

and MAC ADDRESS in answer are correct

10:09:39.766554 00:1c:7f:32:04:1e > 00:0c:29:7f:e1:78, ethertype IPv4 (0x0800), length 567: 8.8.8.8.domain > 80.86.52.107.52567: 39751$ 14/0/1 NS a.root-servers.net., NS b.root-servers.net., NS c.root-servers.net., NS d.root-servers.net., NS e.root-servers.net., NS f.root-servers.net., NS g.root-servers.net., NS h.root-servers.net., NS i.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS l.root-servers.net., NS m.root-servers.net., RRSIG (525)

and the client receive the answer.

No proxy arp, no cluster

ANY IDEA ? 

fabrizio

 

0 Kudos
5 Replies
This widget could not be displayed.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events