DrayTek UK Users' Community Forum


[Vigor 3220] Weird Spoofing Defense behaviour

03 Oct 2019 12:21 #1 by nomen nescio
So, I was having a look through the router's syslog and noticed something odd. Every 30 seconds, the log was being spammed with 22 identical entries saying:

[IP Spoofing Defense]Block packet from WAN with source IP: 192.168.254.252

Initially, these entries were timestamped at :15 and :45 seconds past the minute. However, after a reboot, the timestamps changed to :27 and :57 seconds. Therefore, I surmised that the router itself must be the source of the blocked packets, despite the log entries saying they came from the WAN. I mean, if something out on the internet was causing this, why would the timestamps change after a router reboot?

It then occurred to me that the 192.168.254.252 IP address falls within the 192.168.254.1/24 range configured on the router's DMZ port by default.

As a test, I decided to change the DMZ range to 192.168.222.1/24, expecting to see the syslog entries reflect the change.

However, what actually happened was that the log entries went away entirely! Changing the DMZ range has apparently stopped the Spoofing Defense from being triggered at all.

What on earth could possibly have been going on here?

There's nothing actually connected to the DMZ port and there are no DMZ hosts configured, so I'm at a loss to explain this...


03 Oct 2019 20:06 #2 by x64
Just thinking aloud.... could your WAN link also be using addresses in the 192.168.254.x range? (Or could they be HA packets on the WAN interface? HSRP on the internet router(s)?)

If legitimate communications were taking place on the WAN interface segment using those addresses, but the firewall also had the same addresses configured on the DMZ, then it might baulk at seeing addresses it thought of as 'inside' on the WAN segment as well. Renumbering the DMZ probably has not stopped the packets being presented to the WAN interface... It's merely stopped the 3220 from worrying about them being 'inside' addresses coming from the 'outside'.

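The log line quoted in the first post and the "inside address seen on the WAN" explanation in the reply above, as an added example that is not from the forum, the poster or DrayTek: a small parser for those syslog lines, the seconds-past-the-minute cadence check the poster did by hand, and a model of the anti-spoofing rule that shows why renumbering the DMZ silences the alert even though the packets keep arriving. The syslog timestamp prefix, the sample lines and the LAN subnet are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog extract in the format quoted in the first post
# (timestamps added here so the :15/:45 cadence can be checked).
SAMPLE_LOG = """\
Oct  3 12:00:15 vigor [IP Spoofing Defense]Block packet from WAN with source IP: 192.168.254.252
Oct  3 12:00:15 vigor [IP Spoofing Defense]Block packet from WAN with source IP: 192.168.254.252
Oct  3 12:00:45 vigor [IP Spoofing Defense]Block packet from WAN with source IP: 192.168.254.252
Oct  3 12:01:45 vigor [IP Spoofing Defense]Block packet from WAN with source IP: 192.168.254.252
"""

EVENT_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) \S+ "
    r"\[IP Spoofing Defense\]Block packet from (?P<iface>\w+) with source IP: (?P<src>[\d.]+)$"
)

def parse_spoof_events(text):
    """Return (hh:mm:ss, ingress interface, source IP) for each spoof-defense line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((m["hms"], m["iface"], m["src"]))
    return events

def cadence(events):
    """Count blocks by seconds-past-the-minute; a cadence that shifts after a
    reboot of the router points at a source whose clock restarted with it."""
    return Counter(int(hms[-2:]) for hms, _, _ in events)

def spoof_verdict(ingress, src_ip, interfaces):
    """Model of the rule the thread describes: a source address that belongs to
    one of the router's own subnets but arrives on a different interface is
    treated as spoofed. Returns the interface that owns the subnet, or None."""
    src = ipaddress.ip_address(src_ip)
    for name, cidr in interfaces.items():
        if name != ingress and src in ipaddress.ip_interface(cidr).network:
            return name
    return None

# Interface table before and after the DMZ renumbering (LAN subnet assumed).
DEFAULT_IFACES = {"LAN": "192.168.1.1/24", "DMZ": "192.168.254.1/24"}
RENUMBERED_IFACES = {"LAN": "192.168.1.1/24", "DMZ": "192.168.222.1/24"}

def offending_subnets(text, interfaces):
    """Map each blocked source IP to the interface whose subnet claims it."""
    return {src: spoof_verdict(iface, src, interfaces)
            for _, iface, src in parse_spoof_events(text)}
```

With the default table the blocked address maps to the DMZ; with the renumbered table the same packet no longer matches any inside subnet, so nothing is logged.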

04 Oct 2019 12:35 #3 by nomen nescio
Well, this is our network:



Our ISP set up the two Cisco routers for HSRP failover with IP address preservation, so WAN1 and WAN2 on the DrayTek are configured with the same public IP addresses and the gateway for both is the HSRP virtual IP address. (The DrayTek only brings up WAN2 if WAN1 goes down).

The Hitron router is unable to operate in modem-only mode with a static IP address, so it's doing NAT, which means we've had to configure WAN3 with a private IP address of 192.168.0.201 and have put that in the Hitron's DMZ.

To the best of my knowledge nothing is using addresses in the 192.168.254.x range, but I can't speak for how our ISP has configured the Ciscos. Surely though, if anything was going on there, the timestamps of the syslog entries wouldn't have changed after rebooting the DrayTek?


04 Oct 2019 20:31 #4 by x64
I can only talk from my networking experience (as opposed to configuring the HSRP that way, through a 3220). Maybe somebody else can advise on the feasibility of that config; I've always aggregated the feed from the two routers outside the firewall. Your way does potentially get around a single point of failure though: the WAN link into the firewall.

I can see how the timestamp might have changed... Consider that the reboot temporarily BREAKS the path for the HSRP packets between the routers. The routers will start freaking out (tech term!) and when their heartbeat chatter stabilises again, I think it's unlikely it would be in step with its previous heartbeat cadence.

My money is still on you just happening to use the same range as the ISP used for the HSRP config.... Could you ask them? Or request a dump of the Cisco configs? (Or temporarily aggregate the two routers' inside interfaces on a switch and packet sniff the chatter between them?)


08 Oct 2019 10:31 #5 by nomen nescio
Yeah, it's a bit of a strange setup, but what you're saying certainly sounds feasible.

The reason we have it that way is because if WAN1 goes down, we need the DrayTek to detect the failure and do some split routing of traffic through WAN2 and WAN3. (WAN2 has limited bandwidth and is reserved for VoIP during a failover event).

The ISP previously said that all the HSRP stuff was being done on the internet-facing side of the Ciscos, so there shouldn't actually be any HSRP traffic going to the WAN interfaces of the DrayTek.

However, I have asked them to check the config for anything that would produce traffic in the 192.168.254.x range, so I'll report back when they respond.


08 Oct 2019 20:07 #6 by x64
Nomen Nescio wrote:
.... The ISP previously said that all the HSRP stuff was being done on the internet-facing side of the Ciscos, ...

That can't be, as the two routers need to compare notes about who is alive and has connectivity... (The winner gets to serve the virtual IP address.) A bit difficult on the WAN side, as either link going down would break that communication. Who goes live then?
