From: Aleksandr A Babaylov <.@babolo.ru>
To: Jason Van Patten
Cc: freebsd-net@freebsd.org
Subject: Re: Bridge Interfaces and ARPs
Date: Fri, 4 Dec 2015 10:06:06 +0300
Message-ID: <20151204070606.GA16904@babolo.ru>
In-Reply-To: <56604982.9010003@lateapex.net>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Dec 03, 2015 at 08:54:10AM -0500, Jason Van Patten wrote:
> Hey gang -
>
> I posted this to the FreeBSD user forums but figured I'd send a message
> off to the list to see if anyone has any input, guidance, or ideas.
> Emailing diagrams around isn't good form (IMHO) but having a diagram
> handy will help with the discussion.
> So please glance at:
>
> http://pics.lateapex.net/vz.png
>
> Background: I have a business class Verizon FIOS connection for Internet
> at home. Along with that connection, I have 13 (not 14!) static IPs
> from VZ. They almost fall within a proper CIDR block, but not quite:
> 1.2.3.210 - 1.2.3.222. I don't own .209, so I can't claim 1.2.3.208/28
> as my IP block (dammit!) The subnet for the static IPs is a /24, and
> the default route is *Verizon's* router: 1.2.3.1.
>
> There are a number of different choices for this network layout: DMZ,
> bridging, or binat. I chose bridging so that I don't have the
> complexity of binatting, and yet have some protection for the servers
> via my router. So, per the drawing, the FreeBSD router's em0 is
> connected to the Verizon equipment, while re0 and re1 are both connected
> to a managed Cisco switch, on different VLANs.
>
> VLAN 10 for re0: Public IPs (public services, etc)
> VLAN 20 for re1: Private IPs (NAS, wireless AP, etc)
>
> Via the router, VLAN 10 and Verizon's network are bridged together. The
> bridge interface on the router has IP: 1.2.3.222/24 with a default route
> set to 1.2.3.1. All servers on VLAN 10 have IPs within the allocated
> range (.210 - .220) and the same default route.
>
> Now: the problem. I used the LAGG'd server as an example in the
> diagram, but the same thing is happening with other servers: the router
> is learning ARP entries for the IPs I own *from* Verizon's router. As
> soon as the router caches that bad entry, it no longer routes traffic to
> those public IPs *from* VLAN 20 (private side). So, in other words, a
> laptop on the wireless network won't be able to get to 1.2.3.215.
>
> My work-around for now has been a series of static ARP entries on the
> router for each of my public servers. That seems to work fine, but I
> wonder if there's something I might be doing wrong?
>
> If I didn't include enough info, fire away. Thanks!

Maybe it is proxy ARP from Verizon.
Just delete bridge0:

    ifconfig em0 inet 1.2.3.222/24
    ifconfig re0 inet 127.127.127.127/24    (or any other fake net)
    route add 1.2.3.210/31 -iface re0
    route add 1.2.3.212/30 -iface re0
    route add 1.2.3.216/30 -iface re0
    route add 1.2.3.220/31 -iface re0
    sysctl net.link.ether.inet.proxyall=1

Default router for your public servers: 1.2.3.222 in a /28 or wider net.
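Added example, not from the thread: the interface routes above are the minimal CIDR cover of the non-aligned range .210-.221 (the router holds .222 on em0 itself). This script derives them from the range in the mail and checks that the routes claim exactly the owned addresses and nothing else, since with proxyall=1 the router will answer ARP on em0 for every destination it routes out re0. The range, interface name and the rejected /28 are taken from the mail; the helper names are this example's own.

```python
# Added example (not from the mailing-list thread): derive the interface
# routes the reply proposes from the owned address range, and verify that
# the cover is exact. With net.link.ether.inet.proxyall=1 the router answers
# ARP for every address routed out re0, so an over-wide route would make it
# claim addresses that belong to someone else on the /24.
import ipaddress


def cidr_cover(first, last):
    """Minimal CIDR blocks (as strings) covering the inclusive range first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [n.with_prefixlen for n in nets]


def route_commands(first, last, iface="re0"):
    """The route(8) lines to type, one per block."""
    return ["route add %s -iface %s" % (net, iface) for net in cidr_cover(first, last)]


def addresses(nets):
    """Every address (network and broadcast included) in a list of CIDR strings."""
    return {a for n in nets for a in ipaddress.IPv4Network(n)}


def extra_addresses(nets, first, last):
    """Addresses the routes would claim that lie outside first..last, sorted."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return sorted(str(a) for a in addresses(nets) if a < lo or a > hi)


def cover_is_exact(nets, first, last):
    """True when nets contain all of first..last and nothing else."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    wanted = {ipaddress.IPv4Address(i) for i in range(lo, hi + 1)}
    return addresses(nets) == wanted


if __name__ == "__main__":
    # Constructed from the mail: .210-.221 are the servers behind re0; .222 is
    # em0's own address and needs no route; .209 belongs to someone else.
    first, last = "1.2.3.210", "1.2.3.221"
    for line in route_commands(first, last):
        print(line)
    print("exact cover:", cover_is_exact(cidr_cover(first, last), first, last))
    # The tempting single /28 would also claim .208, .209, .222 and .223.
    print("over-claimed by /28:", extra_addresses(["1.2.3.208/28"], first, last))
```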