From: Hooman Fazaeli
Date: Thu, 03 Dec 2015 17:58:22 +0330
To: Jason Van Patten
CC: freebsd-net@freebsd.org
Subject: Re: Bridge Interfaces and ARPs
Message-ID: <56605186.6000003@gmail.com>
In-Reply-To: <56604982.9010003@lateapex.net>
List-Id: Networking and TCP/IP with FreeBSD

On 12/3/2015 5:24 PM, Jason Van Patten wrote:
> Hey gang -
>
> I posted this to the FreeBSD user forums but figured I'd send a message off to the list to see if anyone has any input, guidance, or ideas. Emailing diagrams around isn't good form (IMHO) but having a diagram handy will help with the discussion. So please glance at:
>
> http://pics.lateapex.net/vz.png
>
> Background: I have a business class Verizon FIOS connection for Internet at home. Along with that connection, I have 13 (not 14!) static IPs from VZ. They almost fall within a proper CIDR block, but not quite: 1.2.3.210 - 1.2.3.222. I don't own .209, so I can't claim 1.2.3.208/28 as my IP block (dammit!) The subnet for the static IPs is a /24, and the default route is *Verizon's* router: 1.2.3.1.
>
> There are a number of different choices for this network layout: DMZ, bridging, or binat. I chose bridging so that I don't have the complexity of binatting, and yet have some protection for the servers via my router. So, per the drawing, the FreeBSD router's em0 is connected to the Verizon equipment, while re0 and re1 are both connected to a managed Cisco switch, on different VLANs.
>
> VLAN 10 for re0: Public IPs (public services, etc)
> VLAN 20 for re1: Private IPs (NAS, wireless AP, etc)
>
> Via the router, VLAN 10 and Verizon's network are bridged together. The bridge interface on the router has IP: 1.2.3.222/24 with a default route set to 1.2.3.1.
> All servers on VLAN 10 have IPs within the allocated range (.210 - .220) and the same default route.
>
> Now: the problem. I used the LAGG'd server as an example in the diagram, but the same thing is happening with other servers: the router is learning ARP entries for the IPs I own *from* Verizon's router. As soon as the router caches that bad entry, it no longer routes traffic to those public IPs *from* VLAN 20 (private side). So, in other words, a laptop on the wireless network won't be able to get to 1.2.3.215.
>
> My work-around for now has been a series of static ARP entries on the router for each of my public servers. That seems to work fine, but I wonder if there's something I might be doing wrong?
>
> If I didn't include enough info, fire away. Thanks!
>

Can you post the output of the following commands (on the FreeBSD router):

# ifconfig
# ifconfig bridgeX addr
# arp -na
# netstat -nr -f inet
# sysctl net.inet.ip

--
Best regards
Hooman Fazaeli
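An added example, not code from the thread, that reads the `arp -na` output requested above and flags the symptom Jason describes: an owned public address (1.2.3.210 - 1.2.3.222) whose cached MAC is the same as the ISP gateway's (1.2.3.1), plus any owned address still relying on a dynamic rather than permanent entry. The sample output and all MAC addresses are constructed.

```python
import ipaddress
import re

# Constructed sample of FreeBSD `arp -na` output (not real data from the thread).
# 1.2.3.1 is the ISP gateway; 1.2.3.210-1.2.3.222 are the owned public IPs.
SAMPLE_ARP = """\
? (1.2.3.1) at 00:11:22:33:44:55 on bridge0 expires in 1195 seconds [bridge]
? (1.2.3.215) at 00:11:22:33:44:55 on bridge0 expires in 1180 seconds [bridge]
? (1.2.3.216) at 08:00:27:aa:bb:cc on bridge0 expires in 900 seconds [bridge]
? (1.2.3.217) at 08:00:27:dd:ee:ff on bridge0 permanent [bridge]
? (192.168.20.1) at 08:00:27:01:02:03 on re1 permanent [ethernet]
"""

OWNED = [ipaddress.ip_address(f"1.2.3.{h}") for h in range(210, 223)]  # .210-.222
GATEWAY = ipaddress.ip_address("1.2.3.1")

# One `arp -na` line: "? (ip) at mac on ifname expires in N seconds [type]" or "... permanent [type]"
ARP_RE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) on (?P<ifname>\S+) "
    r"(?P<state>permanent|expires in \d+ seconds)"
)

def parse_arp(text):
    """Parse `arp -na` output into dicts with ip, mac, ifname and permanent flag."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            entries.append({"ip": ipaddress.ip_address(m["ip"]), "mac": m["mac"].lower(),
                            "ifname": m["ifname"], "permanent": m["state"] == "permanent"})
    return entries

def find_hijacked(entries, owned=OWNED, gateway=GATEWAY):
    """Owned IPs whose cached MAC equals the upstream gateway's MAC: the router
    would hand VLAN 20 traffic for its own servers to the ISP router instead
    of to the server on VLAN 10."""
    gw_macs = {e["mac"] for e in entries if e["ip"] == gateway}
    return sorted(str(e["ip"]) for e in entries
                  if e["ip"] in owned and e["mac"] in gw_macs)

def find_dynamic(entries, owned=OWNED):
    """Owned IPs that are cached but not pinned with a permanent (static) entry,
    i.e. still exposed to being relearned from the wrong side of the bridge."""
    return sorted(str(e["ip"]) for e in entries
                  if e["ip"] in owned and not e["permanent"])
```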