From: Joost Bekkers
To: Olivier
Subject: Re: tap interface forcing a permanent ARP association
Date: Fri, 01 Dec 2023 14:10:00 +0100
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Cc: Paul Procacci, questions@freebsd.org

On 2023-12-01 05:20, Olivier wrote:
> The plot thickens...
>
> Paul Procacci writes:
>
>> On Wed, Nov 29, 2023 at 10:35 PM Olivier wrote:
>>
>> Hi,
>>
>> I have an OpenVPN server running on FreeBSD (13.2-p5). I have included
>> the following in /etc/rc.conf:
>>
>> cloned_interfaces="tap0 bridge0"
>> ifconfig_bridge0="addm vmx0 addm tap0"
>> ifconfig_tap0="UP"
>> openvpn_enable="YES"
>>
>> And it works fine, except that it maps the MAC address of tap0 to the IP
>> of my web server (on another machine), and the mapping is "permanent":
>>
>> www.cs.ait.ac.th (10.41.170.42) at aa:bb:cc:dd:ee:ff on tap0 permanent [ethernet]
>>
>> That has two adverse effects:
>> - any VPN client cannot access my web server as they would get a wrong
>>   MAC address;
>> - the VPN server will sometime reply to an ARP request on my LAN,
>>   providing an obviously wrong answer.
>>
>> Poking around, I found out that it was due to the "ifconfig_tap0=UP"
>> line. Furthermore, that line is not needed for OpenVPN to start
>> properly; so I have disabled it.
>>
>> But I would like to understand why turning up the tap interface causes
>> it to update the ARP table.
>>
>> Best regards,
>>
>> Olivier
>>
>> --
>>
>> If I'm being honest, what you're saying sounds really strange.
>> NIC vendors have prefixes assigned to them for their MAC usage and the
>> chances of collision between two machines especially since the local nic in
>> question is a tap is an absolute fat 0 chance.
>> -- That is, unless somewhere someone is doing something they shouldn't, or
>> perhaps the entire picture wasn't provided and information is missing.
>
> I have checked that the hostuuid are different and that the MAC
> addresses on both machines are different.
>
> I have conducted some more tests on a machine that has been created
> from scratch, still FreeBSD RELEASE-13.2-p5
>
> $ ifconfig tap0 create
> $ ifconfig tap0 UP
> ifconfig: WARNING: setting interface address without mask is deprecated,
> default mask may not be correct.
> $ ifconfig tap0
> tap0: flags=8843 metric 0 mtu 1500
>         options=80000
>         ether 58:9c:fc:10:a4:65
>         inet 192.41.170.42 netmask 0xffffff00 broadcast 192.41.170.255
>         groups: tap
>         media: Ethernet autoselect
>         status: no carrier
>         nd6 options=29
>
> Does modify the ARP table and associates the IP of my web server to the
> MAC of the interface tap0:
>
> $ arp -a | grep 192.41.170.42
> www.cs.ait.ac.th (192.41.170.42) at 58:9c:fc:10:a4:65 on tap0 permanent [ethernet]
>
> While:
>
> $ ifconfig tap0 create
> $ ifconfig tap0 up
> $ ifconfig tap0
> tap0: flags=8803 metric 0 mtu 1500
>         options=80000
>         ether 58:9c:fc:10:a4:65
>         groups: tap
>         media: Ethernet autoselect
>         status: no carrier
>         nd6 options=29
>
> Doesn't:
>
> $ arp -a | grep 192.41.170.42
> $
>
> Any idea is welcome.
>
> Best regards,
>
> Olivier

Can you try and use the lowercase version of "UP"?

What I think is going on: "ifconfig UP" sets the ip address to whatever the
hostname 'UP' resolves to, hence the warning about not using a netmask.
The command to enable an interface is "ifconfig up" (lowercase)

Joost Bekkers
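Added example, not from the thread or from any of its posters: a small sh/awk check that flags the uppercase "UP" token in rc.conf ifconfig_* lines (ifconfig only recognises the lowercase "up" keyword and treats an unknown word as an address to resolve) and lists permanent ARP entries bound to a tap interface, which is the symptom the thread describes. The rc.conf and arp output below are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): lint rc.conf ifconfig_* lines for the
# uppercase "UP" token and spot "permanent" ARP entries on a tap interface.
# All inputs below are constructed samples, not real system files.

# Constructed rc.conf content mirroring the poster's configuration.
SAMPLE_RC='cloned_interfaces="tap0 bridge0"
ifconfig_bridge0="addm vmx0 addm tap0"
ifconfig_tap0="UP"
ifconfig_vmx0="DHCP"
openvpn_enable="YES"'

# Print the names of ifconfig_* variables whose value contains the literal
# token UP (case-sensitive). ifconfig(8) only knows lowercase "up"; an
# unknown word is parsed as an address and resolved like a hostname.
lint_uppercase_up() {
    printf '%s\n' "$1" | awk -F= '
        /^ifconfig_[A-Za-z0-9_]+=/ {
            val = $2; gsub(/"/, "", val)
            n = split(val, t, " ")
            for (i = 1; i <= n; i++) if (t[i] == "UP") { print $1; break }
        }'
}

# Constructed "arp -an" output. The first entry is what the poster saw: the
# web server IP bound permanently to the tap MAC. The second is a normal,
# learned neighbour that expires.
SAMPLE_ARP='? (192.41.170.42) at 58:9c:fc:10:a4:65 on tap0 permanent [ethernet]
? (192.41.170.1) at 00:11:22:33:44:55 on vmx0 expires in 1190 seconds [ethernet]'

# Print the IPs of permanent ARP entries that live on a tap interface: those
# are addresses the host believes it owns, not neighbours it learned.
permanent_tap_entries() {
    printf '%s\n' "$1" | awk '$0 ~ / on tap[0-9]+ permanent / {
        gsub(/[()]/, "", $2); print $2 }'
}

# Stand-alone run: on a live host replace the samples with
#   "$(cat /etc/rc.conf)" and "$(arp -an)".
echo "rc.conf variables with uppercase UP:"
lint_uppercase_up "$SAMPLE_RC"
echo "permanent ARP entries on tap interfaces:"
permanent_tap_entries "$SAMPLE_ARP"
```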