I’ve been trying to understand a peculiar behavior in our routing/firewall setup for quite some time now, but don’t really understand what’s going on.
We have a firewall/router appliance that has two external facing interfaces and a number of internal VLANs.
The specific behavior is observed when a client (MAC
f4:f5:d8:d2:f2:4c, IP 10.99.154.254 in this example) on our guest WiFi network VLAN 99 sends a ping echo request to some internet host 22.214.171.124, which we prohibit.
The router sends back an ICMP host unreachable packet from its
vlan99 interface (MAC
00:08:a2:0d:00:70, IP 10.99.0.2) to the client, and at the exact same time we see a martian packet on the external interface
tcpdump shows this:
tcpdump -i vlan99 -vvvvn 'icmp and host 10.99.154.254' 11:59:21.555564 f4:f5:d8:d2:f2:4c > 00:08:a2:0d:00:70, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 10.99.154.254 > 126.96.36.199: ICMP echo request, id 2303, seq 1, length 64 11:59:21.555651 00:08:a2:0d:00:70 > f4:f5:d8:d2:f2:4c, ethertype IPv4 (0x0800), length 126: (tos 0xc0, ttl 64, id 8585, offset 0, flags [none], proto ICMP (1), length 112) 10.99.0.2 > 10.99.154.254: ICMP host 188.8.131.52 unreachable, length 92 (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 10.99.154.254 > 184.108.40.206: ICMP echo request, id 2303, seq 1, length 64
Nothing surprising here, this is the original ping from the client and the resulting ICMP packet going back to the guest client informing them that the host is unreachable.
At the same time, an entry appears in the kernel log:
Feb 21 11:59:21 ganymede kernel: IPv4: martian source 10.99.154.254 from 220.127.116.11, on dev eth-ext1 Feb 21 11:59:21 ganymede kernel: ll header: 00000000: 00 08 a2 0d 00 70 f4 f5 d8 d2 f2 4c 08 00 .....p.....L..
The link layer information shows that this ethernet frame came from the client device to the router’s
vlan99 interface, which makes me wonder why it appears as a martian packet on
eth-ext1 with a source address of 18.104.22.168.
I have failed so far to get a trace of the packet with the martian source, which leaves me wondering if martian source logging also happens on an egress interface, before
tcpdump has a chance to see it?
I’ll gladly provide more information on request (routing tables or the like), and would appreciate any pointers as to what’s going on here.