From: "Paiva, Gilson de"
To: freebsd-ipfw@freebsd.org
Date: Mon, 19 May 2003 13:11:51 -0300 (BRT)
Subject: Annoying arp messages won't go away!! ( from freebsd-net@freebsd.org )
Message-ID: <1159.192.168.1.194.1053360711.squirrel@intranet.el.com.br>

Hi everybody,

Sorry to cross-post from freebsd-net...

I was running a FreeBSD machine bridging packets on 2 interfaces and acting as my internet router without any problem. Last week I had to change my IP allocation and, due to the ipfw2 improvements on layer 2, I decided not to route packets through this machine anymore but to have a 3-NIC bridge. Then the annoying "/kernel: -- loop (x) xxarpxx to nicx from nicy (active)" is here :) . The moving ARPs are from the internet router - attached directly to ep0 - and a RAS attached to xl0.
FreeBSD keeps telling me the message with these 2 ARPs moving between its 3 NICs. I understand the ARP and bridge basics very well and I think this problem has something to do with these 2 pieces of equipment "scanning" my network with "arp who-has" (detected with tcpdump). I even "locked" all my 128 IPs' ARPs with the arp -s and arp -s pub options, but nothing changed. I even tried to stop the messages with net.link.ether.inet.log_arp_wrong_iface=0, again with no success. No Google, no man pages, nothing I could do...

Running 4.8-STABLE, cvsup'ed and made world/kernel on the 15th of this month, ipfw2, 3 NICs with bridge on them.

Did anyone have anything like this or do you know any tip?

I tried to make it simple, but I understand it's not that easy to mentally draw it.

          internet_router
                |
                |
               ep0
      freebsd  rl0 -- wireless network
               xl0
                |
                |
    clients, servers and ras

before: bridge with xl0 and rl0. This box had an IP used as gateway for internal clients.

now: bridge on all NICs. Servers and clients have their IP gateway pointed to internet_router. The IP network is fine. This box has an IP so I can administer it.

ifconfig -a (where's "status: active" for xl0 and ep0? Both are up and running fine...)
( thanks rmkml@wanadoo.fr )

xl0: flags=8943 mtu 1500
        inet 200.179.xxx.xxx netmask 0xffffff80 broadcast 200.179.xxx.xxx
        ether 00:60:97:70:12:ec
        media: Ethernet 10baseT/UTP (10baseT/UTP )
rl0: flags=8943 mtu 1500
        ether 00:40:c7:78:06:45
        media: Ethernet autoselect (100baseTX )
        status: active
ep0: flags=8943 mtu 1500
        ether 00:60:08:2b:bc:29
        media: Ethernet 10baseT/UTP

I flushed all ipfw rules and loaded no custom sysctl value; the problem remains the same.

A piece of my sysctl.conf, network entries:

net.inet.icmp.log_redirect=0
net.inet.ip.fastforwarding=1
net.inet.ip.forwarding=1
net.inet.ip.fw.enable=1
net.inet.ip.fw.one_pass=0
net.inet.ip.stealth=1
net.inet.tcp.blackhole=2
net.inet.tcp.keepidle=9000
net.inet.tcp.recvspace=65536
net.inet.tcp.sendspace=65536
net.inet.udp.blackhole=1
net.link.ether.bridge=1
net.link.ether.bridge_cfg=xl0,rl0,ep0
net.link.ether.bridge_ipfw=1
net.link.ether.inet.log_arp_wrong_iface=0
net.link.ether.ipfw=1

kernel conf?

options TCP_DROP_SYNFIN          #drop TCP packets with SYN+FIN
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options IPFW2
options IPFIREWALL               #firewall
options IPFIREWALL_VERBOSE       #print information about
options IPFIREWALL_FORWARD       #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=100   #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT   #allow everything by default
options IPFILTER                 #ipfilter support
options IPFILTER_LOG             #ipfilter logging
options IPDIVERT                 #divert sockets
options IPSTEALTH                #support for stealth forwarding
options MROUTING                 #Multicast routing
options DUMMYNET
options HZ=1000                  # strongly recommended
options RANDOM_IP_ID
options BRIDGE
options IPSEC                    #IP security
options IPSEC_ESP                #IP security (crypto; define w/ IPSEC)
options IPSEC_DEBUG              #debug for IP security
options ICMP_BANDLIM             #Rate limit bad replies

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Paiva, Gilson de Domingos Martins   mailto:npd@el.com.br
Brazil                               http://www.el.com.br/
E&L Producoes de Software            http://www.FreeBSD.org/
FreeBSD: The Power to Serve
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
------------------------------------------------------------------------------
Legal Notice: This message may not officially express the ideas or wishes of the company E&L Producoes de Software; its author is solely responsible for it.
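As an added illustration (not part of the post above), the following script groups the kernel's "-- loop" messages by source MAC so a bridge operator can see which stations keep moving between which bridge ports, and how often; the message shape is taken from the post, the colon-separated MAC rendering, the host name and the sample syslog lines are assumptions constructed for the example.

```python
# Added example (not from the post): group FreeBSD bridge "-- loop" kernel
# messages by source MAC to see which stations flap between bridge ports.
# The message shape is taken from the post; colon-separated MAC is assumed.
import re
from collections import defaultdict

LOOP_RE = re.compile(
    r"-- loop \((?P<count>\d+)\) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"to (?P<to>\w+) from (?P<frm>\w+) \((?P<state>\w+)\)",
    re.IGNORECASE,
)

# Constructed sample syslog lines (host name and MACs are made up).
SAMPLE_LOG = """\
May 19 13:01:02 gw /kernel: -- loop (1) 00:00:5e:00:53:01 to ep0 from xl0 (active)
May 19 13:01:07 gw /kernel: -- loop (2) 00:00:5e:00:53:01 to xl0 from ep0 (active)
May 19 13:01:09 gw /kernel: -- loop (3) 00:00:5e:00:53:02 to rl0 from xl0 (active)
May 19 13:01:15 gw /kernel: -- loop (4) 00:00:5e:00:53:01 to ep0 from xl0 (active)
May 19 13:01:20 gw sshd[123]: Accepted publickey for admin from 192.0.2.10
May 19 13:01:31 gw /kernel: -- loop (5) 00:00:5e:00:53:01 to xl0 from ep0 (active)
"""


def parse_loops(text):
    """Yield (mac, from_iface, to_iface) for each loop message; ignore other lines."""
    for line in text.splitlines():
        m = LOOP_RE.search(line)
        if m:
            yield m["mac"].lower(), m["frm"], m["to"]


def summarise(text):
    """Per MAC: how many times it moved and which bridge ports it appeared on."""
    stats = defaultdict(lambda: {"moves": 0, "ports": set()})
    for mac, frm, to in parse_loops(text):
        stats[mac]["moves"] += 1
        stats[mac]["ports"].update((frm, to))
    return dict(stats)


def flapping(text, min_moves=3):
    """MACs seen on two or more ports at least min_moves times: a wiring loop,
    a host reachable via two segments (the post's router/RAS), or forged MACs."""
    return sorted(mac for mac, s in summarise(text).items()
                  if s["moves"] >= min_moves and len(s["ports"]) >= 2)
```

Feed it /var/log/messages instead of SAMPLE_LOG; a MAC that flaps only between the two ports where the router and RAS sit matches the symptom described in the post, while a MAC flapping across all three ports points at a physical loop.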