HETZNER Server Locking for using Disallowed MAC Addresses

wa44io4 Member
edited January 2020 in Help

Hey Everyone,

I've recently started facing this MAC Address usage issue with HETZNER.

We have noticed that you have been using other MAC addresses in addition to 
the allowed at your Robot account.

They're locking my server telling me that I'm using multiple different MAC addresses along with the allowed one. They also suspected that this is happening because I'm hosting VMs on the servers.

However, I'm not hosting VMs on the server and tried to explain to them multiple times by now. I'm using the server with plain CentOS 7 x64 (KERNEL-ML) for hosting websites. I've also got the allowed MAC address added in the network configuration, still they keep locking my servers again and again.

Any of you here faced such issue? Can you suggest any permanent solution to this?

Some Info from the server -

Comments

  • Clouvider Member, Patron Provider
  • @Clouvider said:

    already in touch with them over tickets anyway ... I just wanted to see if anyone has experienced this before and found a solution.

    Thanked by 1 Hetzner_OL
  • How come they would disallow hosting VM(s)?
    Is it disallowed with dedicated?

  • ManishPant Member, Host Rep

    @greattomeetyou said:
    How come they would disallow hosting VM(s)?
    Is it disallowed with dedicated?

    No, you are allowed to host VM, it's MAC address issue

    Thanked by 1 wa44io4
  • Falzo Member
    edited January 2020

    @greattomeetyou this has nothing to do with allowing or disallowing VMs. that's a network related and more likely a routing issue. additional IPs have to use either the MAC that's given by the hardware (your network card) or a virtual mac that you have set via the control panel. this is to prevent IP spoofing and control access on the router/gateway.

    for OPs problem I assume he either uses the wrong gateway or uses the MAC for the addon IP as main MAC address which leads to problems with the main IP.

    @wa44io4 if you don't use the addon IP for virtualization/VMs simply don't use a virtual mac! unless you use bridging everything that goes out on your main network interface will and should have the HW-MAC of it and not some virtual.
    you are most likely creating a mismatch for either the main IP sending with the vmac of the addon IP while the hw-mac is expected or the addon IP sending with the hw-mac while the vmac is expected.

    possible solution: delete the virtual mac in the control panel and remove it from your network config.

  • @Falzo said:

    Did you try reading the full post in the first place? I've clarified I'm not hosting any VM.

    There's no additional IP Addresses but only the default / main IP.

    Also, as you can see on the screenshot there's no virtual network adapter present either.

  • @wa44io4 said:

    @Falzo said:

    Did you try reading the full post in the first place? I've clarified I'm not hosting any VM.

    There's no additional IP Addresses but only the default / main IP.

    Also, as you can see on the screenshot there's no virtual network adapter present either.

    I understood that you don't use virtualization nor bridging. that's exactly why I pointed out that a mismatch with a (possible) virtual MAC address could lead to that issue.

    what I obviously misunderstood is that you are not even having any addon IP... this is because you mentioned an 'allowed MAC' - which I misinterpreted as 'additional/virtual mac' - my apologies.

    however.
    where did you get that 'allowed MAC' from?
    is that the hardware-mac of your network card?
    do you use the correct gateway?

  • @Falzo said:

    I've installed OS using the installimage tool and was using the default network configuration offered by this tool.

    Later on when they locked my server showing the allowed MAC address, I modified the network configuration file adding the MAC= field. Except this there's no network configuration done by me. Explaining the whole situation like I'm doing here didn't help.

    Every time they lock servers I send unblock request and they unblock it saying now they don't see any other MAC addresses but only allowed one. But after 2/3 days they lock the server again for the exact same reason.

    I'm very frustrated with this already and they're not helping in any way instead stopped replying to my last unblock request.

    I did request them to check if there's any issue on their end. I believe network switches or, the monitoring tool they're using can be wrong too.

  • okay. then probably something on your server is trying to send out packets with a spoofed mac/ip-address? some kind of malware or whatever?

    I never ran into such issue with Hetzner, only had a comparable situation with OVH once and that was me mismatching MACs and gateways, hence my poking on that topic.
    that said, I strongly doubt that their monitoring is at fault here tbh. otherwise you would see a lot of people jumping in and complaining about the very same thing.

    that their support is not hand-holding is a known fact and easy to understand. they only see packet with a wrong MAC-address trying to pass their network. they don't know what software you are running (intentionally or not) ... maybe even you don't know, because it's something malicious you haven't noticed yet.

    TL;DR; if the blocking reoccurs most likely there is something wrong on your server and because it's unmanaged you are the one who's expected to solve it, not their support ;-)

    Thanked by 1 Hetzner_OL
  • Falzo said: okay. then probably something on your server is trying to send out packets with a spoofed mac/ip-address? some kind of malware or whatever?

    I have double checked ... there's nothing running on the server except NGINX, PHP 7 and NIXSTATS AGENT ... I got more than 20 servers with HETZNER with exact setup and only 3 of them has this weird issue.

    Falzo said: TL;DR; if the blocking reoccurs most likely there is something wrong on your server and because it's unmanaged you are the one who's expected to solve it, not their support ;-)

    Nah, I'm not asking for any technical support here ... I'm trying to prove that I'm not using those disallowed MACs with proper information. If the information provided by me is not enough for them, shouldn't they at-least ask for further (specific) information which will help them to identify the real issue or, prove me wrong.

    I'm a HETZNER customer since 2016 and I have deployed huge amount of servers with them over these years. I think this makes me one of their valuable customer and I definitely deserve some extra effort from their network department on this weird / confusing / complicated issue. @Hetzner_OL

  • @wa44io4 said: I have double checked ... there's nothing running on the server except NGINX, PHP 7 and NIXSTATS AGENT ... I got more than 20 servers with HETZNER with exact setup and only 3 of them has this weird issue.

    I would say that 3/20 is pretty significant in this context

  • pike Veteran
    edited January 2020

    @wa44io4 even if you weren't a customer with them for years, I'm certain the Hetzner support will handle you in the most professional way, as they do with all customers.

    Thanked by 1 wa44io4
  • @angstrom said:
    I would say that 3/20 is pretty significant in this context

    so?

  • @pike said:
    @wa44io4 even if you weren't a customer with them for years, I'm certain the Hetzner support will handle you in the most professional way, as they do with all customers.

    Can't agree more with you and expect any less from them. I love HETZNER as much as y'all do.

    I'm not one of the LET drama creator ... I use LET for sharing and gathering different experiences.

  • @wa44io4 said:

    @angstrom said:
    I would say that 3/20 is pretty significant in this context

    so?

    You wrote "and only 3 of them has this weird issue", which suggests that 3/20 isn't so significant in this context. But perhaps you didn't intend to imply this.

  • @angstrom said:

    @wa44io4 said:

    @angstrom said:
    I would say that 3/20 is pretty significant in this context

    so?

    You wrote "and only 3 of them has this weird issue", which suggests that 3/20 isn't so significant in this context. But perhaps you didn't intend to imply this.

    I agree and would consider 15% significant ;-)

    the good thing with multiple affected boxes is, that you could look for a pattern... like are they all in the same DC, rack, same subnet (more or less) or are they all the same type of hardware, network card etc.

  • Since you're saying this is happening in a relatively short interval like over 3 days, why don't you leave a tcpdump and capture say arp traffic (and/or periodically) dump the arp table from your machine to keep tabs and see what gives? At least it'll give you some clue on the goings on?

    Thanked by 2 uptime Janevski
  • MikePT Moderator, Patron Provider, Veteran

    Provide them your login credentials, they can check this for you.

  • @nullnothere said:
    Since you're saying this is happening in a relatively short interval like over 3 days, why don't you leave a tcpdump and capture say arp traffic (and/or periodically) dump the arp table from your machine to keep tabs and see what gives? At least it'll give you some clue on the goings on?

    I was going to suggest this. If you know the MAC they claim is coming from you, you can filter on that to a file and check it next time. Just make sure to record when you started the capture so you can correlate the traffic to actual time to better understand when it's happening.
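
The capture suggested in the two comments above, as an added example that is not part of the original thread: it records the start time, keeps only outbound frames whose source MAC is not the allowed one, and tallies what it finds. `ALLOWED_MAC`, `IFACE` and `OUT_DIR` are placeholders, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. All values below are placeholders.
ALLOWED_MAC="00:00:5e:00:53:01"   # assumption: the MAC listed in Robot
IFACE="eth0"                      # assumption: the uplink interface
OUT_DIR="/var/tmp/mac-watch"      # assumption: where captures are kept

# Record the start time, then keep only outbound frames whose source MAC
# is NOT the allowed one, rotating the pcap hourly. Needs root.
start_capture() {
    mkdir -p "$OUT_DIR"
    date -u +"%Y-%m-%dT%H:%M:%SZ capture started" >> "$OUT_DIR/capture.log"
    tcpdump -i "$IFACE" -Q out -n -e -G 3600 \
        -w "$OUT_DIR/foreign-%Y%m%d-%H.pcap" "not ether src $ALLOWED_MAC"
}

# Append a timestamped copy of the neighbour (ARP) table; run from cron.
dump_neigh() {
    { date -u +"%Y-%m-%dT%H:%M:%SZ"; ip neigh show dev "$IFACE"; } \
        >> "$OUT_DIR/neigh.log"
}

# stdin: text from `tcpdump -e -n -tttt -r FILE`; $1: allowed MAC.
# Prints "<src-mac> <frames> first_seen=<date time>" per foreign source MAC.
foreign_src_macs() {
    awk -v allowed="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '
    {
        for (i = 1; i < NF; i++)
            if ($(i + 1) == ">" && length($i) == 17 && $i ~ /^[0-9a-f:]+$/) {
                if ($i != allowed) {
                    if (!($i in seen)) seen[$i] = $1 " " $2
                    count[$i]++
                }
                break
            }
    }
    END { for (m in count) printf "%s %d first_seen=%s\n", m, count[m], seen[m] }
    ' | sort
}

# Constructed sample of `tcpdump -e -n -tttt` output (not real traffic).
sample_capture() {
    cat <<'EOF'
2020-01-14 09:12:01.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 74: 192.0.2.10.443 > 198.51.100.7.51234: Flags [S.], length 0
2020-01-14 09:12:05.000002 00:00:5e:00:53:aa > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.10, length 28
2020-01-14 09:13:40.000003 00:00:5e:00:53:aa > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 60: 192.0.2.10.80 > 198.51.100.7.51300: Flags [.], length 0
EOF
}

sample_capture | foreign_src_macs "$ALLOWED_MAC"
```

An empty result from `foreign_src_macs` means the host's own capture saw only the allowed source MAC during that window; the `first_seen` timestamps are what to line up against the time the provider reports.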

  • jar Patron Provider, Top Host, Veteran

    wa44io4 said: I got more than 20 servers with HETZNER with exact setup and only 3 of them has this weird issue.

    Definitely an interesting variable as I've never seen or heard of this issue before, so you seeing it 3 times seems relevant and specific to you. Let us know what you find out so the rest of us can avoid it.

    Thanked by 2 Janevski wa44io4
  • Hetzner_OL Member, Top Host

    I checked with our networking team, and they agree with @nullnothere and @TimboJones. Or you can write a support request and ask our networking team to create a dump for you. (Respond to the last ticket you had about this issue.) --Katie

    Thanked by 2 nullnothere wa44io4
  • Hi guys,
    I have faced the same issue. It looks the same as @wa44io4 's issue but my network config is a bit different:

    ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 41:8a:5a:2c:23:7a brd ff:ff:ff:ff:ff:ff
        inet 36.11.203.89/32 scope global enp2s0
           valid_lft forever preferred_lft forever
        inet 36.11.199.230/32 scope global enp2s0
           valid_lft forever preferred_lft forever
        inet6 2a11:3f8:a0:6001::2/64 scope global 
           valid_lft forever preferred_lft forever
        inet6 fe50::467a:5bff:fe1c:327f/64 scope link 
           valid_lft forever preferred_lft forever
    

    I use additional IP but without separate MAC address and attach it to the same NIC.

    Tech support team can't explain what is happening. They just claim that the MAC spoofing comes from my servers. But I don't use any virtualization software and the software stack is pretty standard: nginx+php+bind9+squid. So I'm sure there isn't any software that spoofs MAC.

    I still can't solve the issue. tcpdump doesn't catch any frames with incorrect MACs, only with the allowed one, so I can't even detect it on my side.

    Any help is appreciated!

  • And from my experience Hetzner block servers only if network is highly loaded. Almost all of my 16 dedicated servers affected :(

  • @wa44io4 have you managed to solve the problem? What did Hetzner answer?

  • @fre6lime said:
    @wa44io4 have you managed to solve the problem? What did Hetzner answer?

    Hetzner provided no solution ... I used to specify MAC Address in the network configuration and that did solve my issue.

  • @wa44io4 said:

    @fre6lime said:
    @wa44io4 have you managed to solve the problem? What did Hetzner answer?

    Hetzner provided no solution ... I used to specify MAC Address in the network configuration and that did solve my issue.

    @wa44io4 I have tried to specify "macaddress" in the netplan config but unfortunately that didn't work :( How have you specified the MAC address? What operating system do you use? What file and how did you update? /etc/network/interfaces or /etc/netplan/01-netcfg.yaml? Thank you for the help!

  • coolice Member
    edited January 2021

    I do not have centos installed on server from some time but think even with single added IPs default setup is routed and according to virtualization docs (generally not related but can have something to the case)

    When using a routed setup, it is necessary to manually add the route to a virtual machine. Additionally, existing virtual MAC addresses should be removed from the respective IP addresses.

    So there should NOT be virtual mac set in Robot when IP are added to the server for hosting maybe

    @fre6lime do you have such set ?

    My Idea is Hetzner do not know if you use or do not use virtualization and if you use bridged or routed network setup , but when virtual mac is set for single IP in the Robot, Bridged setup and response with that virtual mac is expected... IF IP works on routed and do not pass that virtual mac (pass main server one) which leads to that email for spoofed mac ...

    If I'm correct possible solutions will be add virtual macs to network config of the IPs be send correctly which wa44io4 did or remove virtual macs from Robot

  • @coolice I don't have any virtual MAC assigned. Only one default hardware MAC. I use 2 IP addresses added to the same network interface
