From owner-freebsd-isp@FreeBSD.ORG Wed Feb 14 18:28:40 2007
From: Sten Daniel Soersdal
To: ea@sellinet.net
Cc: freebsd-isp@freebsd.org
Subject: Re: [Strange behavior with arp permanent entries]
Date: Wed, 14 Feb 2007 13:00:41 -0500
Message-ID: <45D34E49.8090808@gmail.com>
In-Reply-To: <2947.82.199.223.6.1171128810.squirrel@82.199.223.6>
List-Id: Internet Services Providers

ea@sellinet.net wrote:
> Hello, Guys!
>
> I'm trying to restrict some LAN access by arp permanent entries. But it
> didn't work, or it didn't work as I realize it. For example I have the
> following perm entries:
>
> user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
> user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]
>
> And from what I realize, if user1 attempts to use user2's IP address,
> the router should block all packets which are coming from the wrong physical
> address. But actually that didn't happen and user1 can use user2's IP
> address without any problems.

The router won't block packets coming from anyone. It should however prevent
packets going *to* the wrong user. But that depends heavily on whether the
layer 2 network cooperates and on the bad host's network stack.

Tip: If you want the effect of each user having their own physical LAN (so
they can't steal each other's IP addresses) you need to segregate them in a
manner that effectively gives each user a physical LAN. VLANs might help, if
done correctly.

> Maybe someone of you will advise me to use ipfw arp rules, but when I turn
> net.link.ether.ipfw ON I'm getting very low performance from the router.
> We're talking about 800 Mbps and 600k packets per second, and many users, which
> means many ipfw arp rules.

Then perhaps you need to solve the problem on a different level or in a
different unit? Perhaps segregate the users at the edge using VLANs and thus
remove the need for filtering?

-- 
Sten Daniel Soersdal