  1. #1
    Newbie
    Join Date
    Apr 2020
    Posts
    11

    UT in bridge mode; strange pcaps

    Hi-

    I have UT configured in bridge mode:
    Screen Shot 2020-05-22 at 4.29.04 PM.png

    Note that the MAC Address of br.eth0 is 46:f6 and in the ARP table, the MAC Address of my router (10.12.17.1) is d3:17 (this is correct).

    In Wireshark, I look at UPnP traffic between a client on the network (10.12.17.72) and the router, and see the following:

    Outgoing traffic, the src & dst mac addresses appear correct:
    Screen Shot 2020-05-22 at 4.39.32 PM.png

    But on the way back in, the MAC Address of the source is that of br.eth0 (46:f6) on UT, not that of the router (d3:17).
    Screen Shot 2020-05-22 at 4.40.49 PM.png

    Is this as expected? Why isn't the src mac d3:17, or that of the router?

    Thanks for your help.

  2. #2
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,020

    some ramblings
    Is NAT turned on in the External Interface of NGFW?

    A sketch of your network layout might be helpful.

    Where is 10.12.17.72? Is there a switch?

    Since it isn't in the ARP table, it can't really be a NGFW thing.

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,494

    When you bridge an ethernet frame, the mac addresses reflect the locally visible source. You're splitting layer 2...

    So... devices behind Untangle will see Untangle's MAC address for any IP beyond Untangle... and devices on the other side of the bridge will see, again, the far-side Untangle MAC for all IPs beyond Untangle.

    On layer 2, you're going to see the near side of the bridge every time... that's how bridges work.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,020

    And, the one thing I forgot to get to: where are we sniffing this traffic???

  5. #5
    Newbie
    Join Date
    Apr 2020
    Posts
    11

    Quote, originally posted by Jim.Alles:
        And, the one thing I forgot to get to: where are we sniffing this traffic???

    Here's what things look like....

    I've got an old PC plugged into a port on the switch that is mirroring traffic from the UT box:

    Network diagram.png

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,494

    Everything on that Unifi switch will see Untangle's MAC address as responsible for all IP addresses beyond it, which means your EdgeMax will appear with Untangle's MAC on that switch.

    Because again, that's how bridges work.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Newbie
    Join Date
    Apr 2020
    Posts
    11

    Quote, originally posted by sky-knight:
        Everything on that Unifi switch will see Untangle's MAC address as responsible for all IP addresses beyond it, which means your EdgeMax will appear with Untangle's MAC on that switch.

        Because again, that's how bridges work.

    I'm with you now. Thanks again for confirming.
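
Added example, not part of any post in this thread: the comparison the original poster made by eye in Wireshark, written as a Python check that flags any on-link IP whose frames arrive with a source MAC different from its ARP-table entry. The full MAC addresses and the `build_frame` helper are constructed for illustration; only the two IP addresses and the last two MAC octets (d3:17, 46:f6) come from the posts.

```python
import socket
import struct
from collections import defaultdict

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame: bytes):
    """Return (src_mac, src_ip) for an IPv4 Ethernet frame, or None."""
    if len(frame) < 14:
        return None
    src_mac = mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == 0x8100 and len(frame) >= 18:   # skip one 802.1Q tag
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return None                                # not IPv4, or truncated
    if frame[offset] >> 4 != 4:
        return None                                # IP version field is not 4
    return src_mac, socket.inet_ntoa(frame[offset + 12:offset + 16])

def mac_mismatches(frames, arp_table):
    """Map each IP with an ARP entry to the source MACs seen that differ from it."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip = parsed
        expected = arp_table.get(src_ip)           # off-link IPs have no entry
        if expected is not None and src_mac != expected.lower():
            seen[src_ip].add(src_mac)
    return dict(seen)

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed test frame: Ethernet II header plus a bare 20-byte IPv4 header."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip

# Constructed MACs; only the last two octets (d3:17, 46:f6) come from the thread.
ROUTER, BRIDGE, CLIENT = "02:00:00:00:d3:17", "02:00:00:00:46:f6", "02:00:00:00:00:72"
ARP_TABLE = {"10.12.17.1": ROUTER, "10.12.17.72": CLIENT}
SAMPLE_FRAMES = [
    build_frame(ROUTER, CLIENT, "10.12.17.72", "10.12.17.1"),   # outgoing
    build_frame(CLIENT, BRIDGE, "10.12.17.1", "10.12.17.72"),   # return
]

if __name__ == "__main__":
    print(mac_mismatches(SAMPLE_FRAMES, ARP_TABLE))
```

The check only considers source IPs that have an ARP entry, because traffic from off-link addresses legitimately carries the MAC of the next hop.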
