SNMP Traffic blocked between host and printer in same subnet

Hi folks,

I've a Samsung printer (192.168.10.9) which is connected via WiFi. My PC (192.168.10.10) has the printer drivers and some management software for this printer installed. When the printer is offline, the UTM blocks a lot of SNMP packets from my PC to the printer. As soon as the printer is online, SNMP isn't dropped anymore. Network settings on both devices are OK. So I don't understand why the firewall drops packets within the same subnet.

 

2017:03:12-00:26:26 jasnet ulogd[4467]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1.10" outitf="eth1.10" srcmac="54:a0:50:7f:fa:60" dstmac="fc:aa:14:e2:bf:f1" srcip="192.168.10.10" dstip="192.168.10.9" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="62860" dstport="161" 

2017:03:12-00:26:37 jasnet ulogd[4467]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1.10" outitf="eth1.10" srcmac="54:a0:50:7f:fa:60" dstmac="fc:aa:14:e2:bf:f1" srcip="192.168.10.10" dstip="192.168.10.9" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="62860" dstport="161"

Any idea?

Thank you

Jas Man
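Added example (editor's code, not from the original post or from Sophos): a small parser for ulogd packetfilter lines like the two quoted above. It decodes the numeric protocol and port, and flags drops where source and destination sit in the same directly connected subnet yet the frame was addressed to the UTM's own MAC, which is exactly what the two log lines show. Assumptions made here: the subnet is 192.168.10.0/24 (the post only says "same subnet"), the dstmac fc:aa:14:e2:bf:f1 is the UTM's own interface MAC, and the third sample line (192.168.20.5, eth1.20, TCP/445) is constructed only as a contrasting inter-VLAN drop.

```python
"""Parse Sophos UTM ulogd packetfilter drops and flag intra-subnet drops whose
frame was addressed to the UTM's own MAC (the symptom in this thread)."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the two drops quoted in the post, plus one constructed
# inter-VLAN drop (192.168.20.5 / eth1.20 / TCP 445 are made up) for contrast.
SAMPLE_LOG = """\
2017:03:12-00:26:26 jasnet ulogd[4467]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1.10" outitf="eth1.10" srcmac="54:a0:50:7f:fa:60" dstmac="fc:aa:14:e2:bf:f1" srcip="192.168.10.10" dstip="192.168.10.9" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="62860" dstport="161"
2017:03:12-00:26:37 jasnet ulogd[4467]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1.10" outitf="eth1.10" srcmac="54:a0:50:7f:fa:60" dstmac="fc:aa:14:e2:bf:f1" srcip="192.168.10.10" dstip="192.168.10.9" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="62860" dstport="161"
2017:03:12-00:27:01 jasnet ulogd[4467]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1.10" outitf="eth1.20" srcmac="54:a0:50:7f:fa:60" dstmac="fc:aa:14:e2:bf:f1" srcip="192.168.10.10" dstip="192.168.20.5" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="50001" dstport="445"
"""

# Assumptions: a /24 on eth1.10 (the post only says "same subnet") and that the
# dstmac seen in the log is the UTM's own eth1 MAC.
LOCAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]
UTM_MACS = {"fc:aa:14:e2:bf:f1"}

HEADER_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+):\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
PORT_NAMES = {161: "snmp", 162: "snmp-trap", 445: "microsoft-ds"}


def parse_ulogd_line(line: str) -> Optional[Dict[str, str]]:
    """Split one ulogd line into header fields plus its key="value" pairs."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "proc": m.group("proc")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def describe(rec: Dict[str, str]) -> str:
    """Readable 5-tuple, e.g. '192.168.10.10:62860 -> 192.168.10.9:161 UDP/snmp'."""
    proto_num = int(rec["proto"]) if "proto" in rec else None
    dport = int(rec["dstport"]) if "dstport" in rec else None
    proto = PROTO_NAMES.get(proto_num, str(proto_num))
    svc = PORT_NAMES.get(dport, str(dport))
    return f"{rec['srcip']}:{rec.get('srcport')} -> {rec['dstip']}:{dport} {proto}/{svc}"


def classify_drop(rec: Dict[str, str], local_nets, utm_macs) -> str:
    """Reason code for a dropped packet.

    onlink_to_gateway_mac: src and dst share a directly connected subnet but the
        frame carried the UTM's MAC. The sender could not resolve the neighbour
        and handed the packet to the gateway, where the default drop rule
        logged it. This is the case in the thread (printer offline).
    onlink_other: same subnet, frame not addressed to the UTM; unusual, inspect.
    routed: different subnets; an ordinary firewall decision.
    """
    src = ipaddress.ip_address(rec["srcip"])
    dst = ipaddress.ip_address(rec["dstip"])
    if not any(src in n and dst in n for n in local_nets):
        return "routed"
    if rec.get("dstmac", "").lower() in {m.lower() for m in utm_macs}:
        return "onlink_to_gateway_mac"
    return "onlink_other"


def analyse(log_text: str, local_nets, utm_macs) -> List[Dict[str, str]]:
    """Return every dropped packet in log_text with its flow and reason code."""
    out = []
    for line in log_text.splitlines():
        rec = parse_ulogd_line(line)
        if rec is None or rec.get("action") != "drop":
            continue
        out.append({**rec, "flow": describe(rec),
                    "reason": classify_drop(rec, local_nets, utm_macs)})
    return out


if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG, LOCAL_NETS, UTM_MACS):
        print(f"{r['ts']} rule={r['fwrule']} {r['initf']}->{r['outitf']} "
              f"{r['flow']}  [{r['reason']}]")
```

Run against a real packetfilter.log the "onlink_to_gateway_mac" bucket isolates frames the UTM should never have received for forwarding; their source hosts are the ones to inspect with Wireshark and arp -a rather than the rule base.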



  • Hi Jas,

    Show us how the Interfaces & Routing | Interfaces page looks in your UTM. Also, show us the FW rule configured to allow this traffic to and fro.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Yup, I agree that the packets will pass when I create a rule that allows them. But more important for me is why the UTM is blocking the packets.

     

    Here is a screenshot of my Interface page

    ProxyARP is disabled for all IFs. And just for your information: the destination MAC address from the firewall log above is the MAC address of eth1.

  • "...why UTM is blocking the packets"

    The UTM is blocking the packets because there is no rule allowing this traffic to pass the UTM.

    The question should be: why does the traffic reach the UTM, or why is the destination MAC the UTM's MAC?

    You should use Wireshark at the PC to capture packets directed to 192.168.10.9.

    You can also post the output of "arp -a" and "route print" from the PC.

    Another option: the management software tries to send the packets to the default gateway's MAC address if the device is not reachable.

    Try disabling/uninstalling the management software. Sometimes the ways of the programmer are inscrutable.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • dirkkotte said:

    ...

    The UTM is blocking the packets because there is no rule allowing this traffic to pass the UTM.

    The question should be: why does the traffic reach the UTM, or why is the destination MAC the UTM's MAC?

    ....

    Yep, I mean the same but asked the wrong question.

     

    dirkkotte said:

    ...

    You should use Wireshark at the PC to capture packets directed to 192.168.10.9.

    ...

    Yep, already done. Packets are sent to the IP of the printer (192.168.10.9), but to the MAC address of the gateway.

     

    dirkkotte said:

    ...

    also you can post output from "arp -a" and "route print" from PC.

    Yep, also already done. No entry for the printer. Only the gateway and some other devices in my network are shown.
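Added example (editor's code, not from either poster or from Sophos) that replays the two checks Dirk asked for, "route print" and "arp -a", offline: it longest-prefix-matches a destination against a Windows IPv4 routing table and then looks the resulting next hop up in the ARP cache. Both command outputs below are constructed; the default gateway address 192.168.10.1 is an assumption, since the thread never names it, and the only MAC taken from the thread is the one the UTM log showed as dstmac. The printer deliberately has no ARP entry, matching what Jas Man reports.

```python
"""Offline replay of `route print` + `arp -a`: which route does a destination
take on the PC, and is the resulting next hop resolved in the ARP cache?"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed `route print` excerpt for the PC 192.168.10.10. The default
# gateway 192.168.10.1 is an assumption; the thread never names it.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.10     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
     192.168.10.0    255.255.255.0         On-link    192.168.10.10    281
    192.168.10.10  255.255.255.255         On-link    192.168.10.10    281
   192.168.10.255  255.255.255.255         On-link    192.168.10.10    281
===========================================================================
"""

# Constructed `arp -a` excerpt: the gateway is resolved (to the MAC the UTM
# log showed as dstmac); the printer 192.168.10.9 has no entry, as reported.
ARP_A = """\
Interface: 192.168.10.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          fc-aa-14-e2-bf-f1     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
"""

ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")
ARP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$")


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means "On-link"
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Pick the numeric rows out of `route print`; headers and rulers are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        routes.append(Route(
            ipaddress.IPv4Network((dest, mask), strict=False),
            None if gw.lower() == "on-link" else ipaddress.IPv4Address(gw),
            ipaddress.IPv4Address(iface),
            int(metric),
        ))
    return routes


def parse_arp_a(text: str) -> Dict[str, str]:
    """Map IP -> MAC (colon form) from `arp -a` output."""
    return {m.group(1): m.group(2).lower().replace("-", ":")
            for m in map(ARP_RE.match, text.splitlines()) if m}


def best_route(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest prefix wins; ties go to the lowest metric."""
    matching = [r for r in routes if dst in r.network]
    return max(matching, key=lambda r: (r.network.prefixlen, -r.metric), default=None)


def next_hop_analysis(routes: List[Route], arp: Dict[str, str], dst_str: str) -> Dict[str, Optional[str]]:
    """Route a destination and report whether its next hop has an ARP entry."""
    dst = ipaddress.IPv4Address(dst_str)
    route = best_route(routes, dst)
    if route is None:
        return {"dst": dst_str, "route": None, "next_hop": None,
                "next_hop_mac": None, "verdict": "no_route"}
    on_link = route.gateway is None
    neighbour = dst if on_link else route.gateway  # who we must ARP for
    mac = arp.get(str(neighbour))
    if on_link:
        verdict = "onlink_resolved" if mac else "onlink_unresolved"
    else:
        verdict = "via_gateway" if mac else "via_gateway_unresolved"
    return {"dst": dst_str, "route": str(route.network), "next_hop": str(neighbour),
            "next_hop_mac": mac, "verdict": verdict}


ROUTES = parse_route_print(ROUTE_PRINT)
ARP = parse_arp_a(ARP_A)

if __name__ == "__main__":
    for target in ("192.168.10.9", "192.168.10.1", "8.8.8.8"):
        print(next_hop_analysis(ROUTES, ARP, target))
```

For 192.168.10.9 the verdict is "onlink_unresolved": the routing table says the printer is a direct neighbour, so the only correct destination MAC is the printer's own, and there is none to use. What the stack does from there (ARP, and on failure the fallback to the gateway MAC that the capture showed) is not something this offline check can reproduce; it only tells you that any frame for .9 carrying the UTM's MAC did not come from a routing decision.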

  • It seems to be normal that traffic for an offline host which is not listed in the ARP table of the source host or gateway is sent to the MAC address of the gateway. I've pinged an offline host in my network and captured the traffic:

    1. The client sends out several ARP requests for the destination IP
    2. Also the gateway (UTM) sends out an ARP request for the destination IP
    3. No answer to the ARP requests
    4. Ping request goes to the destination IP, but to the mac address of the gateway
    5. Gateway responds with ICMP type 3, Destination unreachable

    If the host is online:


    1. The client sends out an ARP request for the destination IP
    2. Host sends ARP response with its MAC address
    3. Ping request goes to the destination IP and mac address
    4. Host answers the ping - everybody happy.

    I'm just wondering why I've never seen this before in the firewall, e.g. when I try to access an SMB share on my HTPC while it is offline. This traffic should also be dropped by the firewall of the UTM, or shouldn't it? Is there a difference in behaviour between UDP and TCP packets?

    EDIT: Forgot to tell you that the SNMP requests come from the Windows print spooler. For the IP connection, SNMP is activated for management purposes.
