Need help getting vlans scanned

[aries223]

Need some help getting NetAlertX (NAX) to arp-scan my vlans. NAX is works correctly on the LAN, no issues there. It either doesn't scan the vlans, cant reach them or is getting no responses from the devices.

The container is able to ping the vlans, so I assume the arp-scan is reaching the vlans:

netalertx:/# ping 192.168.20.5
PING 192.168.20.5 (192.168.20.5): 56 data bytes
64 bytes from 192.168.20.5: seq=0 ttl=99 time=2.385 ms
64 bytes from 192.168.20.5: seq=1 ttl=99 time=2.671 ms
64 bytes from 192.168.20.5: seq=2 ttl=99 time=2.324 ms
^C
--- 192.168.20.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2.324/2.460/2.671 ms

I am able to arp-scan the LAN from the container. It works with and without the vlan tag:

netalertx:/# sudo arp-scan 192.168.1.0/24 --interface=eth0 -vlan=01
Interface: eth0, type: EN10MB, MAC: <redacted>, IPv4: 192.168.1.175
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1     <redacted>       Qotom
192.168.1.2     <redacted>       Cisco Systems, Inc
192.168.1.3     <redacted>       Ubiquiti Networks Inc.
...

When I scan a vlan I get this:

netalertx:/# sudo arp-scan 192.168.20.0/24 --interface=eth0 -vlan=02
Interface: eth0, type: EN10MB, MAC: <redacted>, IPv4: 192.168.1.175
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)

1 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.931 seconds (132.57 hosts/sec). 0 responded

The ARP table on the firewall/router shows the vlans and the devices on those vlans, so they seem to be responding to the firewall. All the vlans on the firewall are delineated as 'vlan01', 'vlan02' etc.. but this doesn't seem to correspond with how the container arp scan sees them. On the firewall, 'vlan01' is an actual vlan named 'IOT'. When I run the arp scan from the container '-vlan=01' results in the LAN being scanned, and the devices on the lan appear in the results. But when I scan '-vlan02' I get no responses. Same result if I scan using the vlan tag for the same vlan '-vlan=20'.

Not sure what to do from here... Any help is appreciated..

[jokob-sk]

Thanks for creating a discussion!

As mentioned, I don't use vlans so I can't provide more specific examples, but I hope someone from the community might be able to help.

You probably read the whole page, but just to link for everyone else, there might be some exceptions as reported by the community previously: https://github.com/jokob-sk/NetAlertX/blob/main/docs/SUBNETS.md#support-for-vlans--exceptions

[fcschow]

Is the container running in host mode? See docker guide under the Basic Usage section.

Also, what is the vlan id for the subnet 192.168.20.0/24? Is it 20 or 02?

[aries223]

Hi, yes the container is in host mode:
(fyi This container is an LXC vm on Proxmox 8.1.10)

version: "3"
services:
  netalertx:
    container_name: netalertx
    # use the below line if you want to test the latest dev image
    # image: "jokobsk/netalertx-dev:latest" 
    image: "jokobsk/netalertx:latest"
    network_mode: "host"
    restart: unless-stopped
    volumes:
      - ./config:/app/config
      - ./db:/app/db
      # (optional) useful for debugging if you have issues setting up the container
      - ./logs:/app/front/log
    environment:
      - TZ=America/Los_Angeles
      - PORT=20211

Opnsense has it listed several ways:

Identifier: opt8
Device: vlan01
IP: 192.168.20.1
Tag: 20
Parent: igc1 [LAN]

[fcschow]

I don't use OPNsense. From your listing, Tag: 20, I would try the following

arp-scan 192.168.20.0/24 --interface=eth0 -vlan=20

[aries223]

Results:

netalertx:/# sudo arp-scan 192.168.20.0/24 --interface=eth0 -vlan=20
Interface: eth0, type: EN10MB, MAC: <redacted>, IPv4: 192.168.1.175
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)

19 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.929 seconds (132.71 hosts/sec). 0 responded

nmap scan gets results from that vlan:

netalertx:/# nmap -T4 -F 192.168.20.5
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-01 12:13 PDT
Nmap scan report for <redacted> (192.168.20.5)
Host is up (0.0020s latency).
Not shown: 99 filtered tcp ports (no-response)
PORT   STATE SERVICE
53/tcp open  domain

Nmap done: 1 IP address (1 host up) scanned in 2.38 seconds

Is it maybe that no device on that subnet is responding to the ARP scan? Or issue with the ARP scanner itself?
Also, the firewall ARP Table is showing all the devices on the vlan(s)..

[fcschow]

Any chance NetAlertX runs on the OPNsense host? I don't use OPNsense. From what I found, it seems to create an unique interface for each VLAN. If this is the case, maybe try the following.

arp-scan 192.168.20.0/24 --interface=opt8 -vlan=20

[aries223]

No its not running on the Opensense host. That scan errors out:

netalertx:/# arp-scan 192.168.20.0/24 --interface=opt8 -vlan=20
pcap_activate: opt8: No such device exists
(No such device exists)

[jokob-sk]

You could try the following:

- one NIC per VLAN in the LXC
- only the main NIC has an IP, the other VLANs have no IP address

In app.conf or via Settings specify:

SCAN_SUBNETS = ['--localnet --interface=eth0','10.0.10.0/24 --interface=eth0.10 --arpspa=10.0.10.253','10.0.20.0/24 --interface=eth0.20 --arpspa=10.0.20.253']

Alternativelly:

I've just had an issue that seems similar to what yours was. It was because the devices became undefined for the VLAN interfaces within the /etc/network/interfaces file.

Readding to that file and restartng the LXC got my arp scans working for the VLANs again.

auto eth5
iface eth5 inet manual
auto eth10
iface eth10 inet manual

From: leiweibau/Pi.Alert#271 (comment)

If someone in this thread solve it, it would be great to write up a quick guide and I'll include it in the docs.

[aries223]

Thanks for the help @jokob-sk , but none of that seemed to help

SCAN_SUBNETS = ['--localnet --interface=eth0','10.0.10.0/24 --interface=eth0.10 --arpspa=10.0.10.253','10.0.20.0/24 --interface=eth0.20 --arpspa=10.0.20.253']
(I changed the ips to my subnets)
This results in:

netalertx:/# sudo arp-scan 192.168.20.0/24 --interface=eth0.20 -vlan=20
pcap_activate: eth0.20: No such device exists
(No such device exists)

There is something definately going on with the arp-scanner. When I run an nmap scan:
nmap -T4 -F 192.168.20.0/24
it definitely finds the devices on that subnet..

[jokob-sk]

Hi @aries223,

the netalertx-dev container has now an NMAP scanner scan - you can give it a try. Please make sure to refresh your browser cache if settings don't appear.

[MimaHack]

hello again actually i'm facing the same issue is there any solution for that

[jokob-sk]

As mentioned, please open a separate issue.