IP Spoof on VLAN, how to solve it?

I have a network consisting of a TZ 370 firewall, combined with a Netgear XS708T switch to which two access points are connected.

IoT-Zone has both some Wiz Wifi bulbs, and Google devices like Chromecast etc.

LAN setup is as follows:

X0 - LAN 192.168.2.1

X0:V20 Guest WiFi 10.45.10.1

X0:V30 IoT-Zone 10.46.10.1


Multicast is enabled on X0 and X0:V30 as described at this link

https://www.sonicwall.com/support/knowledge-base/how-to-allow-chromecast-to-work-through-sonicwall-when-device-and-chromecast-are-on-separate-zone/171013122730669/


IP Helper is also enabled for mDNS and SSDP

Overview of network


Main goal is to be able to control the Wiz WiFi bulbs, from X0 LAN.

For testing purposes only, there is an allow any/any to and from LAN/IoT-Zone access rule.

The smart bulbs are located on the IoT-Zone -> X0:V30 

Wiz WiFi bulbs communicate on 38899 and 38900 for UDP on the local network.

I need some help to figure out, why I get the IP Spoof alert from the firewall as below?


If more information is needed, then please let me know.

Category: Entry Level Firewalls

Answers

  • MustafaA SonicWall Employee

    Hello @MartinMP

    Looking at the packet capture, your source of traffic is 10.46.10.117 which is coming through the X0 interface instead of the X0:V30, which indicates that the frames are not tagged with VLAN ID 30. Make sure your switch is configured correctly so that it tags the traffic properly.

    Firewall will consider this as IP spoof since it does not belong to the X0 subnet.

  • MartinMP Newbie ✭

    Hi @MustafaA

    I did take a look at the packet capture, and checked the setup of the switch. All settings seem to be fine for VLAN tagging, but ingress filtering was set to disabled (default setting for the switch). I have enabled ingress filtering and have not had an IP Spoof alert for the last hours.
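
The check described in MustafaA's answer, as an added example that is not part of the original posts and is not SonicWall code: a simplified Python model that maps each frame to a firewall interface by its 802.1Q tag alone and flags a source address that belongs to another interface's subnet. The /24 masks, the sample frames, and the names `Frame`, `ingress_interface` and `check_frame` are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

# Interface table from the original post: name -> (VLAN ID, subnet).
# The /24 masks are an assumption; the post gives only gateway addresses.
INTERFACES = {
    "X0": (None, ipaddress.ip_network("192.168.2.0/24")),
    "X0:V20": (20, ipaddress.ip_network("10.45.10.0/24")),
    "X0:V30": (30, ipaddress.ip_network("10.46.10.0/24")),
}

class Frame(NamedTuple):
    vlan_tag: Optional[int]  # 802.1Q VLAN ID, None when the frame is untagged
    src_ip: str

def ingress_interface(frame):
    """Logical interface the frame lands on, decided by its tag only."""
    for name, (vid, _net) in INTERFACES.items():
        if vid == frame.vlan_tag:
            return name
    return None  # VLAN ID not configured as a sub-interface

def check_frame(frame):
    """Return (verdict, ingress interface, interface owning the source subnet)."""
    ingress = ingress_interface(frame)
    src = ipaddress.ip_address(frame.src_ip)
    owner = next((n for n, (_v, net) in INTERFACES.items() if src in net), None)
    if ingress is None:
        return ("unknown-vlan", None, owner)
    if owner == ingress:
        return ("ok", ingress, owner)
    if owner is not None:
        # Source belongs to a different local subnet than the one it arrived on.
        return ("ip-spoof", ingress, owner)
    return ("not-local", ingress, None)  # routed source, not judged here

if __name__ == "__main__":
    # Constructed sample frames; 10.46.10.117 is the source from the thread.
    samples = [
        Frame(None, "10.46.10.117"),  # IoT device, tag missing: arrives on X0
        Frame(30, "10.46.10.117"),    # same device, correctly tagged
        Frame(None, "192.168.2.50"),  # ordinary LAN host
    ]
    for f in samples:
        verdict, ingress, owner = check_frame(f)
        print(f"{f.src_ip:15} tag={f.vlan_tag!s:4} in={ingress} "
              f"expected={owner} -> {verdict}")
```

Running the same classification over the tag and source columns exported from a capture on the firewall-facing switch port shows which hosts are sending frames that reach the firewall without their VLAN tag.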

