
Looked around, can't find a similar issue anywhere...

I have been having some very strange and hard to explain problems on my network lately, and in my efforts to find the cause, I came across an interesting discovery, which I am struggling to understand.

In my network, there is a router/modem which connects wifi devices to the network, and connects the network to the internet - there is only one network: 192.168.178.0 hosted on the router. There is a simple 8 port un-managed switch connected to the router, and on that switch there are 4 servers, each with static IP setup within their os (mostly running Ubuntu Server 14.04)

Each server has iptables setup to drop all except specific host:port:state combinations.

So here is the issue:

Running tcptrack on serverA (192.168.178.19) shows exactly what I'd expect the traffic to be, except I noticed that there were packets being picked up that were addressed to serverB (192.168.178.13). ServerA was correctly bouncing those packets (SYN_SENT only, never established) - but how did the packet get routed there to begin with...

tcptrack image

The blacked out ip is my own external one, but I have seen the issue from another ip too.

So I guess I am asking if this is normal? Or if I have a router problem?

Thanks in advance. Tim

1 Answer


So I'm assuming your WiFi clients are being served and allowed to be served by the servers.

If there is a public address hitting a server that it shouldn't, I suggest there is a port forward or a NAT rule on your router that points any traffic on an outside port of your router to the IP and port of that server.

If the public IP always hits the same internal server then this sounds like the problem.

EDIT: Due to some back and fore, OP found it was a CAM table failure

boopzz
  • The wifi clients are blocked from all servers by the iptables rules. The router forwards in the following way: *:80 -> 192.168.178.13 There are other rules, but not concerning either server in question – asimovwasright Aug 13 '15 at 09:26
  • In other words, no, there is no port forward to serverA (192.168.178.19), but there is one to serverB (192.168.178.13) - so is the router forwarding incorrectly? I should also mention that the connection to ServerB is perfectly fine from in and out of the local network. – asimovwasright Aug 13 '15 at 09:30
  • Sounds like the router is forwarding correctly. It's received a connection to port 80 on its interface and forwarded (NAT) it to ServerB. Unless the router is setup to NAT the outside addresses, you will see public addresses connecting to that server – boopzz Aug 13 '15 at 14:26
  • Yes, this is what I don't understand. The router is clearly forwarding correctly to the web server 192.168.178.13, since the website is available from outside the network, but why would a packet from outside the network over port 80 be sent to 192.168.178.19 but still clearly addressed to 192.168.178.13... – asimovwasright Aug 13 '15 at 15:06
  • Are you positive the "switch" is a switch and not a hub? This is Layer 2, either the switch doesn't have the MAC of Server B in its CAM table and so broadcasts it, or the CAM table is full (unlikely, can be filled with a network attack) and so it broadcasts anyway. Do you see similar connections on Server B? – boopzz Aug 13 '15 at 15:14
  • Yes. This is exactly on the lines I was thinking. It is definitely a switch, not a hub. **TP-LINK TL-SG108E 8-Port Gigabit Easy Smart Switch** But yes, perhaps the switch is not storing mac addresses correctly, or losing them or something, and so by nature it has to broadcast now and then. How can I verify this? Is there any way to manually flush the switch memory? – asimovwasright Aug 13 '15 at 15:39
  • Looking at the switch now, I could probably press the button labelled "reset" hahahha But could there be any recurring reason for this problem... – asimovwasright Aug 13 '15 at 16:15
  • Very hard to diagnose with an unmanaged switch. Have you another switch which is definitely a switch, like a small 8 port that you could put between the router/switch device and your servers? – boopzz Aug 14 '15 at 08:19
  • Yes, I have a 24 port managed switch that I will replace the 8 port un-managed with. Thanks for your help though. – asimovwasright Aug 14 '15 at 08:38
  • It was a switch cam table fail. If you could adjust that in your answer I will mark it correct. Thanks for the help! – asimovwasright Aug 20 '15 at 07:04
  • No worries dude, glad to help – boopzz Aug 20 '15 at 19:07
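The thread above ends with the question of how to verify, from a server itself, that the switch is flooding unicast frames instead of delivering them only to the owning port. The script below is an added example (not from the original question, answer or comments): on a correctly working switch a host only receives unicast frames addressed to its own MAC, so any unicast IP packet captured on serverA whose source and destination are both some other host is evidence of a CAM table miss, a full CAM table, or a hub. It parses `tcpdump -n` style lines (the sample lines are constructed for the example, not real capture data), classifies each packet as expected (ours, broadcast, multicast) or stray, counts strays per destination, and builds the BPF capture filter you would use to watch for them live. The host IP 192.168.178.19 and network 192.168.178.0/24 are taken from the thread; the function names are the example's own.

```python
"""Spot unicast traffic that a host on a switched segment should never see.

If tcpdump/tcptrack on server A shows packets addressed to server B's IP, the
switch is flooding (CAM table miss or overflow) or is really a hub. This
classifies capture lines accordingly.
"""
import ipaddress
import re
from collections import Counter

# tcpdump -n style lines, CONSTRUCTED for this example (not a real capture).
# 203.0.113.7 stands in for the external client; .19 is this host (server A).
SAMPLE_LINES = [
    "10:01:02.100 IP 203.0.113.7.51000 > 192.168.178.13.80: Flags [S], seq 1",
    "10:01:02.101 IP 192.168.178.19.22 > 192.168.178.5.50123: Flags [P.], seq 2",
    "10:01:02.102 IP 203.0.113.7.51001 > 192.168.178.13.80: Flags [S], seq 3",
    "10:01:02.103 IP 192.168.178.1.67 > 255.255.255.255.68: UDP, length 300",
    "10:01:02.104 IP 192.168.178.5.50123 > 192.168.178.19.22: Flags [.], ack 1",
    "10:01:02.105 IP 192.168.178.12.5353 > 224.0.0.251.5353: UDP, length 80",
    "10:01:02.106 IP 192.168.178.12.138 > 192.168.178.255.138: UDP, length 201",
]

# "IP a.b.c.d.port > a.b.c.d.port" as printed by tcpdump -n for IPv4 TCP/UDP
PACKET_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src_ip, sport, dst_ip, dport), or None for non-IPv4 lines."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def is_expected(src, dst, local_ips, local_net):
    """True if this host would see the packet even on a correctly working switch."""
    d = ipaddress.ip_address(dst)
    if src in local_ips or dst in local_ips:            # sent or received by us
        return True
    if d.is_multicast or d == ipaddress.ip_address("255.255.255.255"):
        return True
    if d == local_net.broadcast_address:                 # directed broadcast
        return True
    return False


def find_stray_unicast(lines, local_ips, local_cidr):
    """Count, per foreign destination IP, unicast packets this host should not have seen.

    local_ips: set of this host's IPv4 addresses; local_cidr: e.g. "192.168.178.0/24".
    """
    local_net = ipaddress.ip_network(local_cidr)
    strays = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _, dst, _ = parsed
        if not is_expected(src, dst, local_ips, local_net):
            strays[dst] += 1
    return strays


def capture_filter(local_ips):
    """BPF filter showing only stray traffic live: tcpdump -ni eth0 '<filter>'."""
    own = " and ".join(f"not host {ip}" for ip in sorted(local_ips))
    return f"{own} and not broadcast and not multicast"


if __name__ == "__main__":
    local = {"192.168.178.19"}
    for dst, n in find_stray_unicast(SAMPLE_LINES, local, "192.168.178.0/24").items():
        print(f"{n} unicast packet(s) for {dst} seen on this host: switch is flooding")
    print("live check:", capture_filter(local))
```

Run the live filter on both servers for a while: if serverA keeps seeing SYNs for 192.168.178.13 and serverB sees traffic for .19, the switch's forwarding table is the problem rather than the router's port forward, which is consistent with what the thread concluded. The sample data above yields two stray packets, both addressed to 192.168.178.13.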