Unexpected Results When Scanning the Blue Network from the Green Network

Networking
1

Hello everyone,

I’m experiencing a strange issue when scanning my blue network (192.168.142.x) from the green network (192.168.141.x) and I’m hoping someone on the forum can help me figure out what’s going on.

My Setup:

  • IPFire Version: 2.29 (x86_64) Core - Update 191
  • Green Interface (green0): 192.168.141.1/24
  • Blue Interface (blue0): 192.168.142.1/24
  • Red Interface (red0): 192.168.140.2/24 (static IP)
  • No VLANs configured.
  • No special routing or bridging configured (to my knowledge).
  • No user-defined firewall rules.
  • The firewall option “Discard all packets that are not directly addressed to the proxy” for the blue interface is OFF.
  • No IDS/IPS add-ons installed (see screenshot of services).
  • Web Proxy is enabled on Blue and Transparent on Blue.
    Important Note: A few weeks ago, the SSD in my IPFire failed. After reinstalling IPFire, I restored a backup I had made. This backup was created about three years ago, the last time I had made significant configuration changes.

The Problem:

I’m using Angry IP Scanner to scan my blue network and getting unexpected results:

  • ARP (LAN only): Shows 38 clients (which I believe is the correct number). However, no MAC addresses are displayed.
  • UDP Scan: Shows 46 clients.
  • TCP Scan: Shows a very high and obviously incorrect number of live clients (similar to the initial test with 254).

To verify this, I also used nmap from my machine on the green network:

  • nmap -sn 192.168.142.0/24: Reports all 256 IP addresses in the blue network as “up”.
  • nmap -sT -p- 192.168.142.1: Shows the following open ports on the blue IP address of the IPFire system: 22, 53, 80, 81, 444, 800, 1013, 3128.

My Questions:

  1. Why does the ARP scan in Angry IP Scanner seem to work for the blue network from the green network, even though it’s usually limited to the local network segment? It even reports the correct number of clients (albeit without MAC addresses).
  2. Why does nmap -sn report all IP addresses in the blue network as being up? This strongly suggests that something (likely IPFire) is responding on behalf of all these addresses.
  3. Could the fact that I restored a three-year-old backup be related to this issue? Is it possible that some old configuration is causing this behavior in the current IPFire version?
  4. Are there any known IPFire configurations or default behaviors that could explain this? I haven’t found any explicit Proxy ARP settings.

I have already checked the firewall options for the blue interface, and the option mentioned above is disabled. There are also no user-defined firewall rules.

Any help or suggestions would be greatly appreciated!

Thank you in advance!
Michael

2

It has to do with the older version of iptables + old Kernel. Which both of them were fixed.

So its not a user setting in ipfire.
But an arp scan of blue network from green will always return all the ip addresses on blue, not seeing the mac address was a bug in iptables that was fixed almost two years ago and IPFire would have patched the fix when it was included in their Linux Main Stable branch they update from.