IP spoofing from untrust interface
Following is the log that I gathered from the debug log:
****** 4677450.0: <untrust/ethernet0/0> packet received ******
ipid = 0(0000), @032b5a30
packet passed sanity check.
ethernet0/0:192.168.0.5/1900->188.8.131.52/1900,17 <Root>no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>[ Dest] 9.route 192.168.0.5->0.0.0.0, to bgroup0
packet dropped, drop by spoofing check.
192.168.0.5 is local network machine. Port 1900 is SSDP (system state discovery protocol) and 184.108.40.206 is broadcast address for it.
Looking at the log it seems that traffic is coming from outside with our local machine IP (192.168.0.5) and then going out again (220.127.116.11)….
I am new to Juniper devices… Is there anyone with an explanation, and how do I stop it happening?
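The two debug excerpts in this thread show the check that produced the drop: the firewall looks up a route for the packet's *source* address ("9.route 192.168.0.5->0.0.0.0, to bgroup0") and compares the interface that route points to with the interface the packet actually arrived on. A LAN source arriving on ethernet0/0 fails that comparison and is logged as "drop by spoofing check"; the same source arriving on bgroup0 passes. The Python below is an added example, not the poster's output or Juniper code: it reproduces that reverse-route check over constructed flow lines in the same format as the debug output, against a constructed two-entry route table (the real device's table is not on this page, and 203.0.113.9 / 198.51.100.7 are documentation addresses standing in for real peers).

```python
import ipaddress
import re
from typing import Optional

# Constructed route table (an assumption, not the poster's real config).
# Each prefix maps to the interface the firewall would use to reach it,
# mirroring the "route <ip>->..., to <interface>" lines in the debug output.
ROUTE_TABLE = {
    "192.168.0.0/24": "bgroup0",   # LAN behind the trust side
    "0.0.0.0/0": "ethernet0/0",    # default route towards the ADSL modem
}

# Matches the per-packet flow line printed by the debug, e.g.
#   ethernet0/0:192.168.0.5/1900->203.0.113.9/1900,17
FLOW_RE = re.compile(
    r"^(?P<ifp>[\w./-]+):(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)"
    r"->(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+),(?P<proto>\d+)"
)

# Constructed sample lines modelled on the thread's debug format.
SAMPLE_LINES = [
    "ethernet0/0:192.168.0.5/1900->203.0.113.9/1900,17",   # LAN source seen on untrust
    "bgroup0:192.168.0.5/1900->203.0.113.9/80,6",          # same LAN source on trust
    "ethernet0/0:198.51.100.7/443->192.168.0.5/51234,6",   # Internet source on untrust
]


def route_interface(ip: str, table: dict = ROUTE_TABLE) -> Optional[str]:
    """Longest-prefix-match lookup: return the interface that reaches `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    best_net, best_ifp = None, None
    for prefix, ifp in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_ifp = net, ifp
    return best_ifp


def parse_flow_line(line: str) -> Optional[dict]:
    """Extract ingress interface and 5-tuple from a flow line; None for other debug lines."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    for key in ("sport", "dport", "proto"):
        flow[key] = int(flow[key])
    return flow


def spoof_check(line: str, table: dict = ROUTE_TABLE) -> dict:
    """Reverse-route check: the source must be reachable via the ingress interface."""
    flow = parse_flow_line(line)
    if flow is None:
        raise ValueError(f"not a flow line: {line!r}")
    expected = route_interface(flow["src"], table)
    verdict = "pass" if expected == flow["ifp"] else "drop by spoofing check"
    return {**flow, "reverse_route_if": expected, "verdict": verdict}


def check_all(lines, table: dict = ROUTE_TABLE) -> list:
    """Run the check over every flow line, skipping non-flow debug lines."""
    return [spoof_check(l, table) for l in lines if parse_flow_line(l) is not None]


if __name__ == "__main__":
    for result in check_all(SAMPLE_LINES):
        print(f"{result['ifp']:<12} {result['src']:<16} "
              f"route->{result['reverse_route_if']:<12} {result['verdict']}")
```

The third sample line matters for the question raised later in the thread about the default route: if the default route pointed at another interface (a tunnel, say), every Internet-sourced packet arriving on ethernet0/0 would fail the same comparison, so checking where 0.0.0.0/0 goes is part of diagnosing these drops.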
I will try that… The ADSL modem (bridge mode) is connected directly to ETH0/0.
something similar to
snoop filter ip src-ip 192.168.0.5 dst-ip 18.104.22.168 src-port 1900 dst-port 1900 ip-proto 17 interface eth0/0 direction incoming
should cover it.
Compare the source mac address of the matching packets to the one contained in the arp response received on bgroup0 for the proxy server. You’ll probably need to check the configuration of the device directly connected to eth0/0.
But can you please tell me what filter I should be creating to find the problem?
Just for more information, <untrust/ethernet0/0> is also bound to an unnumbered tunnel interface. That tunnel interface is used for four different VPNs as well.
I found following when using debug command:
****** 4843930.0: <trust/bgroup0> packet received ******
ipid = 21159(52a7), @033e6f30
packet passed sanity check.
bgroup0:192.168.0.5/1900->22.214.171.124/80,6 <Root>no session found
flow_first_sanity_check: in <bgroup0>, out <N/A>[ Dest] 9.route 192.168.0.5->0.0.0.0, to bgroup0
chose interface bgroup0 as incoming nat if.
flow_first_routing: in <bgroup0>, out <N/A>search route to (bgroup0, 192.168.0.5->126.96.36.199) in vr trust-vr for vsd-0/flag-0/ifp-null
PBR lookup params: dst-ip: 188.8.131.52, src-ip: 192.168.0.5, dst-port: 80, src-port: 1900, protocol: 6, dscp: 0
[PBR route] 38.route 184.108.40.206->220.127.116.11, to ethernet0/0
routed (x_dst_ip 18.104.22.168) from bgroup0 (bgroup0 in 0) to ethernet0/0
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 22.214.171.124, port 80, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 123/23/0xd
Permitted by policy 123
dip id = 2, 192.168.0.5/1900->our-public-ip-address/1265
choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 6, name HTTP, nas_id 0, timeout 300sec
service lookup identified service 0.
flow_first_final_check: in <bgroup0>, out <ethernet0/0>existing vector list 313-3db751c.
Session (id:7991) created for first pak 313
route to 126.96.36.199
bypass L2 prepare if, nsp ready.
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 10002800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/0, 188.8.131.52->192.168.0.5) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
[ Dest] 9.route 192.168.0.5->192.168.0.5, to bgroup0
route to 192.168.0.5
arp entry found for 192.168.0.5
ifp2 bgroup0, out_ifp bgroup0, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 7991
adjust tcp mss.
tcp seq check.
Got syn, 192.168.0.5(1900)->184.108.40.206(80), nspflag 0x801801, 0x10002800
post addr xlation: our-public-ip-address->220.127.116.11.
update policy out counter info.
send out through normal path.
flow_ip_send: 52a7:our-public-ip-address->18.104.22.168,6 => ethernet0/0(48) flag 0x0, vlan 0
send packet to traffic shaping queue.
flow_ip_send: 52a7:our-public-ip-address->22.214.171.124,6 => ethernet0/0(48) flag 0x20000, vlan 0
pak has mac
Send to ethernet0/0 (70)
Please note 192.168.0.5 is also a proxy server.
It matters that the destination address is actually multicast, as that type of routing is handled by separate mechanisms. Is it possible that your default route is configured to forward traffic out another interface? You can determine if the 192.168 address is sharing a broadcast domain with your untrust interface by inspecting either the arp entry or enabling snoop (filtering for that specific flow) and reviewing the L2 header.
Sorry Marty… It may sound weird, but I can’t disable IP Spoofing and paste the configuration file here.
If anyone knows why I am receiving packets with a private IP, it would be really appreciated.
Why is the packet being received on the external interface with a private IP address?
I don’t know what the topology of your network is, but if you want to get rid of this then you might have to disable IP Spoofing on your external Zone.
unset zone "Untrust" screen ip-spoofing
But deal with this with caution.
If you still face an issue, paste your ‘get conf’ output here.