Date: Wed, 14 Feb 2007 13:00:41 -0500
From: Sten Daniel Soersdal <sten.daniel.sorsdal@gmail.com>
To: ea@sellinet.net
Cc: freebsd-isp@freebsd.org
Subject: Re: [Strange behavior with arp permanent entries]
Message-ID: <45D34E49.8090808@gmail.com>
In-Reply-To: <2947.82.199.223.6.1171128810.squirrel@82.199.223.6>
References: <2947.82.199.223.6.1171128810.squirrel@82.199.223.6>
ea@sellinet.net wrote:
> Hello, Guys!
>
> I'm trying to restrict some LAN access by arp permanent entries. But it
> didn't work, or it didn't work as I understood it. For example I have the
> following perm entries:
>
> user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
> user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]
>
> And from what I understand, if user1 attempts to use user2's IP address,
> the router should block all packets coming from the wrong physical
> address. But actually that didn't happen, and user1 can use user2's IP
> address without any problems.

The router won't block packets coming from anyone. It should however prevent packets going *to* the wrong user. But that depends heavily on whether the layer 2 network cooperates and on the bad host's network stack.

Tip: If you want the effect of each user having their own physical LAN (so they can't steal each other's IP addresses) you need to segregate them in a manner that effectively gives each user a physical LAN. VLANs might help, if done correctly.

> Maybe someone of you will advise me to use ipfw arp rules, but when I turn
> net.link.ether.ipfw ON I'm getting very low performance from the router.
> We're talking about 800mbps and 600k packets per second, and many users, which
> means many ipfw arp rules.

Then perhaps you need to solve the problem on a different level or on a different unit? Perhaps segregate the users at the edge using VLANs and thus remove the need for filtering?

--
Sten Daniel Soersdal
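The source-side check that the reply says a permanent ARP entry never performs (the entry only fixes which MAC the router sends *to*), shown as an added Python example that is not part of the thread: it parses the `arp -an` style lines quoted above into IP-to-MAC bindings and flags observed frames whose source IP is bound to a different MAC. The observation tuples are constructed sample data, not real captures.

```python
import re

# Constructed sample in the format quoted in the original post
# (hostnames shown as user1/user2 exactly as the poster gave them).
ARP_TABLE = """\
user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]
"""

# Matches "<name> (<ip>) at <mac> on <iface> <flags...>" as printed by arp(8).
ARP_LINE = re.compile(
    r"^\S+\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-f:]+)\s+on\s+"
    r"(?P<iface>\S+)(?P<flags>.*)$",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Zero-pad each octet so '0:f:ea:a4:60:c5' and '00:0f:ea:a4:60:c5' compare equal."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_permanent_entries(text):
    """Return {ip: (mac, iface)} for every line flagged 'permanent'."""
    bindings = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m and "permanent" in m.group("flags"):
            bindings[m.group("ip")] = (normalize_mac(m.group("mac")), m.group("iface"))
    return bindings


def check_observed(bindings, observations):
    """observations: iterable of (src_ip, src_mac, iface) seen on the wire.

    Returns [(src_ip, expected_mac, seen_mac), ...] for frames whose source IP
    has a permanent binding to a different MAC or interface. Unbound IPs are
    ignored: this is a detector for binding violations, not a full allow-list.
    """
    mismatches = []
    for src_ip, src_mac, iface in observations:
        bound = bindings.get(src_ip)
        if bound is None:
            continue
        exp_mac, exp_iface = bound
        seen = normalize_mac(src_mac)
        if seen != exp_mac or iface != exp_iface:
            mismatches.append((src_ip, exp_mac, seen))
    return mismatches
```

Run over a feed of (ip, mac, interface) tuples from the router's own capture tooling, the returned list is exactly the "user1 using user2's address" case from the post; the kernel's static entry alone reports nothing.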