Date: Thu, 03 Dec 2015 17:58:22 +0330
From: Hooman Fazaeli <hoomanfazaeli@gmail.com>
To: Jason Van Patten <jvp@lateapex.net>
Cc: freebsd-net@freebsd.org
Subject: Re: Bridge Interfaces and ARPs
Message-ID: <56605186.6000003@gmail.com>
In-Reply-To: <56604982.9010003@lateapex.net>
References: <56604982.9010003@lateapex.net>
On 12/3/2015 5:24 PM, Jason Van Patten wrote:
> Hey gang -
>
> I posted this to the FreeBSD user forums but figured I'd send a message off to the list to see if anyone has any input, guidance, or ideas. Emailing diagrams around isn't good form (IMHO) but having a diagram handy will help with the discussion. So please glance at:
>
> http://pics.lateapex.net/vz.png
>
> Background: I have a business class Verizon FIOS connection for Internet at home. Along with that connection, I have 13 (not 14!) static IPs from VZ. They almost fall within a proper CIDR block, but not quite: 1.2.3.210 - 1.2.3.222. I don't own .209, so I can't claim 1.2.3.208/28 as my IP block (dammit!) The subnet for the static IPs is a /24, and the default route is *Verizon's* router: 1.2.3.1.
>
> There are a number of different choices for this network layout: DMZ, bridging, or binat. I chose bridging so that I don't have the complexity of binatting, and yet have some protection for the servers via my router. So, per the drawing, the FreeBSD router's em0 is connected to the Verizon equipment, while re0 and re1 are both connected to a managed Cisco switch, on different VLANs.
>
> VLAN 10 for re0: Public IPs (public services, etc)
> VLAN 20 for re1: Private IPs (NAS, wireless AP, etc)
>
> Via the router, VLAN 10 and Verizon's network are bridged together. The bridge interface on the router has IP: 1.2.3.222/24 with a default route set to 1.2.3.1. All servers on VLAN 10 have IPs within the allocated range (.210 - .220) and the same default route.
>
> Now: the problem. I used the LAGG'd server as an example in the diagram, but the same thing is happening with other servers: the router is learning ARP entries for the IPs I own *from* Verizon's router. As soon as the router caches that bad entry, it no longer routes traffic to those public IPs *from* VLAN 20 (private side). So, in other words, a laptop on the wireless network won't be able to get to 1.2.3.215.
>
> My work-around for now has been a series of static ARP entries on the router for each of my public servers. That seems to work fine, but I wonder if there's something I might be doing wrong?
>
> If I didn't include enough info, fire away. Thanks!
>

Can you post the output of the following commands (on freebsd router):

# ifconfig
# ifconfig bridgeX addr
# arp -na
# netstat -nr -f inet
# sysctl net.inet.ip

-- 
Best regards
Hooman Fazaeli
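An added check, not from either poster, that parses the two outputs asked for above (`arp -na` and `ifconfig bridgeX addr`) and lists the owned public IPs whose MAC the bridge has tied to a member port other than the VLAN 10 side, which is the "bad entry" the original post describes. Interface names em0/re0 and the .210-.222 range come from the post; the sample output and MAC addresses are constructed.

```python
import re
from ipaddress import ip_address
# Constructed sample output, not taken from the thread. Interface names em0 (uplink side)
# and re0 (VLAN 10 side) come from the original post; the MAC addresses are made up.
ARP_OUTPUT = """\
? (1.2.3.1) at 00:00:5e:00:01:01 on bridge0 expires in 1190 seconds [bridge]
? (1.2.3.215) at 02:00:00:00:00:15 on bridge0 expires in 1170 seconds [bridge]
? (1.2.3.216) at 02:00:00:00:00:16 on bridge0 permanent [bridge]
? (1.2.3.218) at 02:00:00:00:00:18 on bridge0 expires in 900 seconds [bridge]
"""
BRIDGE_ADDR_OUTPUT = """\
00:00:5e:00:01:01 Vlan1 em0 1190 flags=0<>
02:00:00:00:00:15 Vlan1 em0 1170 flags=0<>
02:00:00:00:00:16 Vlan1 re0 0 flags=1<STATIC>
02:00:00:00:00:18 Vlan1 re0 900 flags=0<>
"""

# "arp -na" line: "? (ip) at mac on ifname expires in N seconds [bridge]" or "... permanent [bridge]"
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on \S+ "
                    r"(?P<state>expires in \d+ seconds|permanent)")
# "ifconfig bridgeX addr" line: "mac VlanN member-port expire flags=..."
FDB_RE = re.compile(r"^(?P<mac>[0-9a-f:]{17}) Vlan\d+ (?P<port>\S+) \d+ flags=")

def parse_arp(text):
    """Map IP -> (mac, state); lines that do not look like ARP entries are skipped."""
    out = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            out[m["ip"]] = (m["mac"].lower(), m["state"])
    return out

def parse_fdb(text):
    """Map MAC -> bridge member port on which the bridge learned (or was told) it lives."""
    out = {}
    for line in text.splitlines():
        m = FDB_RE.match(line.strip())
        if m:
            out[m["mac"].lower()] = m["port"]
    return out

def misplaced_entries(arp_text, fdb_text, first, last, lan_port):
    """Owned IPs (first..last, inclusive) whose MAC the bridge tied to a port other than lan_port."""
    lo, hi = ip_address(first), ip_address(last)
    fdb = parse_fdb(fdb_text)
    bad = []
    for ip, (mac, state) in parse_arp(arp_text).items():
        if lo <= ip_address(ip) <= hi and fdb.get(mac) not in (None, lan_port):
            bad.append((ip, mac, fdb[mac], state))
    return sorted(bad)
```

Entries that come back are the ones to compare against the static ARP workaround: a `permanent` ARP state on a MAC the bridge still learns on the uplink port means the static entry masks the symptom without stopping the bridge from re-learning.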