I installed phantapv2 on a Nanopi R1, but it seems that the bridge is leaking its MAC address in network packets. This is a problem because the device is no longer stealthy on the network; in addition, this can cause lockdown of the switch port if there is NAC in place. There is no such issue in the original Phantap package on OpenWrt.
In spite of this the bridge still appears to work as intended.
Installation of phantapv2 on the Nanopi R1
Steps performed:
download FriendlyCore, a Debian-like image from Friendlyelec: h3-sd-debian-bookworm-core-4.14-armhf-20231213.img (source)
write image to SD card
boot Nanopi R1 on the SD card
wait for the Nanopi to pick up an address on the local network
log in over SSH
run apt-update
disable NetworkManager.service
install phantapv2 (git clone)
edit file /etc/network/interfaces.d/br-phantap.cfg because the interfaces are named differently. Change this line: bridge_ports enp2s0 enp3s0 and use the correct interface names (in my case: eth0 and eth1)
optional: enable serial console to connect to the Nanopi without SSH
reboot
test that phantapv2 is working normally
watch traffic in Wireshark
Diagnosis
I have verified this behavior by monitoring traffic as follows:
On a Cisco switch I have enabled SPAN (port mirroring) to copy all traffic from interface Ge7 to Ge8. Ge8 is connected to a dedicated network card on my PC, with Wireshark sniffing traffic on it.
I connected one end of the Nanopi to the switch on port Ge7. Thus I can see all the traffic that is being forwarded by phantapv2.
I took note of the MAC addresses on my Nanopi R1, they are:
02:81:3f:b5:8e:1f
be:13:69:e1:57:6b
plus 7a:fe:22:54:58:b7 for the bridge br-phantap
Output of ip link:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-phantap state UP mode DEFAULT group default qlen 1000
    link/ether 02:81:3f:b5:8e:1f brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-phantap state UP mode DEFAULT group default qlen 1000
    link/ether be:13:69:e1:57:6b brd ff:ff:ff:ff:ff:ff
4: br-phantap: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 7a:fe:22:54:58:b7 brd ff:ff:ff:ff:ff:ff
In Wireshark I see the MAC address 02:81:3f:b5:8e:1f leaking. See screenshots below:
Notes:
this seems to be IPv6 traffic mostly
is it normal that br-phantap has the BROADCAST flag set?
But I found something potentially useful in the log file (/var/log/phantap.log):
conf_net: P_VICTIM_MAC=xx:xx:xx:xx:xx:xx P_VICTIM_IP=192.168.0.50 P_GATEWAY_MAC=xx:xx:xx:xx:xx:xx P_GATEWAY_IP=0.0.0.0 P_DNS=0.0.0.0
netlink: Error: cache initialization failed: Invalid argument
PhanTap firewall rules applied, you now have internet
grep: ./files/etc/phantap.conf: No such file or directory
conf_net: P_VICTIM_MAC=xx:xx:xx:xx:xx:xx P_VICTIM_IP=192.168.0.50 P_GATEWAY_MAC=xx:xx:xx:xx:xx:xx P_GATEWAY_IP=192.168.0.1 P_DNS=0.0.0.0
netlink: Error: cache initialization failed: Invalid argument
PhanTap firewall rules applied, you now have internet
grep: ./files/etc/phantap.conf: No such file or directory
(MAC addresses cleared for privacy)
The issue seems to lie in script /etc/init.d/phantap. Evidently, file ./files/etc/phantap.conf is not there.
But this could be another unrelated issue.
Remarks
This could be a system-specific issue but I strongly recommend checking on the development platform that the MAC address leak does not occur.
It is also important to make sure that file /etc/network/interfaces.d/br-phantap.cfg reflects the network interface names present on the device.
Hello,
This is a follow-up of the discussion on the original Phantap repo
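The check described under Diagnosis can be automated over frames taken from the mirrored port. The following is an added example, not part of the original report or of phantapv2: it reads the interface MACs from the `ip link` output quoted above and lists every captured frame whose source address is one of them. The sample frames, including the endpoint MACs and the VLAN tag, are constructed.

```python
import re

# Trimmed from the `ip link` output quoted in the report (qdisc/mode fields dropped).
IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-phantap state UP
    link/ether 02:81:3f:b5:8e:1f brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-phantap state UP
    link/ether be:13:69:e1:57:6b brd ff:ff:ff:ff:ff:ff
4: br-phantap: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 state UP
    link/ether 7a:fe:22:54:58:b7 brd ff:ff:ff:ff:ff:ff
"""
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def local_macs(text):
    """Map each link/ether address to its interface name (loopback is skipped)."""
    macs, ifname = {}, None
    for line in text.splitlines():
        head = re.match(r"\d+:\s+([^:@\s]+)", line)
        addr = re.match(r"\s+link/ether\s+([0-9a-f:]{17})", line)
        if head:
            ifname = head.group(1)
        elif addr and ifname:
            macs[addr.group(1)] = ifname
    return macs

def parse_frame(frame):
    """Return (source MAC, EtherType) of an Ethernet II frame, skipping 802.1Q tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12
    while frame[offset:offset + 2] in (b"\x81\x00", b"\x88\xa8"):
        offset += 4  # a mirrored trunk port may deliver tagged frames
    if len(frame) < offset + 2:
        raise ValueError("truncated VLAN tag")
    return frame[6:12].hex(":"), int.from_bytes(frame[offset:offset + 2], "big")

def find_leaks(frames, macs):
    """List (frame index, interface, protocol) for frames sent from a local MAC."""
    leaks = []
    for i, frame in enumerate(frames):
        src, ethertype = parse_frame(frame)
        if src in macs:
            leaks.append((i, macs[src], ETHERTYPES.get(ethertype, hex(ethertype))))
    return leaks

# Constructed frames: bridged endpoint IPv4, then two IPv6 multicasts from eth0's MAC.
FRAMES = [
    bytes.fromhex("001122334466" "001122334455" "0800") + bytes(46),
    bytes.fromhex("333300000002" "02813fb58e1f" "86dd") + bytes(46),
    bytes.fromhex("333300000016" "02813fb58e1f" "8100000a86dd") + bytes(42),
]
```

`find_leaks(FRAMES, local_macs(IP_LINK))` flags the second and third frames as IPv6 sent from eth0, while the bridged endpoint's own frame is left alone.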