From owner-freebsd-isp@FreeBSD.ORG Thu Feb 15 12:15:38 2007
Date: Thu, 15 Feb 2007 14:15:35 +0200 (EET)
From: ea@sellinet.net
To: "Sten Daniel Soersdal"
Cc: freebsd-isp@freebsd.org
Subject: Re: [Strange behavior with arp permanent entries]
Message-ID: <33702.82.199.192.218.1171541735.squirrel@82.199.192.218>
In-Reply-To: <45D34E49.8090808@gmail.com>
References: <2947.82.199.223.6.1171128810.squirrel@82.199.223.6> <45D34E49.8090808@gmail.com>
User-Agent: SquirrelMail/1.4.2
List-Id: Internet Services Providers

> ea@sellinet.net wrote:
>> Hello, Guys!
>>
>> I'm trying to restrict some LAN access by arp permanent entries.
>> But it didn't work, or it didn't work as I understood it. For example
>> I have the following perm entries:
>>
>> user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
>> user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]
>>
>> And from what I understand, if user1 attempts to use user2's IP address,
>> the router should block all packets coming from the wrong physical
>> address. But actually that didn't happen, and user1 can use user2's IP
>> address without any problems.
>
> The router won't block packets coming from anyone. It should however
> prevent packets going *to* the wrong user. But that depends heavily on
> whether the layer 2 network cooperates and on the bad host's network stack.

Scenario 1:

user1: 10.2.0.2 00:14:85:84:af:c8 perm
user2: 10.2.0.3 00:0f:ea:a4:60:c5 perm

User2 can't use user1's IP address.

Scenario 2:

user1: 10.2.0.2 00:0a:e6:f7:8a:81 perm
user2: 10.2.0.3 00:0f:ea:a4:60:c5 perm

User2 can use user1's IP address.

So, maybe there is some truth in your words, but why does this happen?
What is the difference between the two physical addresses?

> Tip: If you want the effect of each user having their own physical LAN
> (so they can't steal each other's IP addresses) you need to segregate
> them in a manner that effectively gives each user a physical LAN. VLANs
> might help, if done correctly.

Unfortunately, this can't be done in our case.

>> Maybe some of you will advise me to use ipfw arp rules, but when I
>> turn net.link.ether.ipfw ON I'm getting very low performance from the
>> router. We're talking about 800mbps and 600k packets per second, and
>> many users, which means many ipfw arp rules.
>
> Then perhaps you need to solve the problem on a different level or a
> different unit? Perhaps segregate the users at the edge using VLANs and
> thus remove the need for filtering?
>
> --
> Sten Daniel Soersdal

--------------------------------------------------------------
SELLINET Internet Services Provider - http://www.sellinet.net/
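The reply above makes the key point: a permanent ARP entry only fixes which MAC the router sends *to* for a given IP; it does not reject frames *from* a host that is using someone else's IP. What an operator can do on the router side is verify that the ARP table still matches the intended static mapping and detect the mismatch when it is observed on the wire. The script below is an added example written for this thread, not code from the original posters or from FreeBSD. It assumes the `arp -an` line format shown in the thread (`host: (ip) at mac on ifname state [type]`); the third and fourth IP/MAC pairs, the dynamic entry and the observed frames are constructed sample data, and the (source MAC, source IP) pairs stand in for what you would extract from `tcpdump -e -n` output.

```python
"""Audit a FreeBSD-style ARP table against the static IP->MAC mapping an
operator intends to enforce, and flag observed frames whose source IP is
being used from a MAC other than the one in the permanent entry."""
import re
from typing import Dict, List, Tuple

# Matches FreeBSD `arp -an` lines such as (format taken from the thread):
#   user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
#   ? (10.0.0.5) at 00:11:22:33:44:55 on em0 expires in 1190 seconds [ethernet]
#   ? (10.0.0.6) at (incomplete) on em0 expired [ethernet]
ARP_LINE = re.compile(
    r"^(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)\s+at\s+"
    r"(?P<mac>[0-9a-f:]{17}|\(incomplete\))\s+on\s+(?P<ifname>\S+)\s+"
    r"(?P<state>.*?)\s*\[(?P<type>[^\]]+)\]\s*$",
    re.IGNORECASE,
)

# The static mapping the operator intends to enforce. The first two pairs
# are the thread's own entries; the last two are constructed for this example.
EXPECTED: Dict[str, str] = {
    "82.199.215.195": "00:0f:ea:a4:60:c5",
    "82.199.215.196": "00:13:8f:b1:68:4b",
    "82.199.215.197": "00:11:22:33:44:55",  # constructed: present but dynamic
    "82.199.215.198": "00:aa:bb:cc:dd:ee",  # constructed: missing from table
}

# Constructed `arp -an` output: the two permanent entries from the thread plus
# a dynamic one, as if someone had deleted the static entry for .197.
ARP_OUTPUT = """\
user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]
? (82.199.215.197) at 00:11:22:33:44:55 on vlan804 expires in 1190 seconds [vlan]
"""

# Constructed (src_mac, src_ip) observations, e.g. pulled from `tcpdump -e -n`.
# The second one is exactly the thread's scenario: user1 sending from user2's IP.
OBSERVED_FRAMES: List[Tuple[str, str]] = [
    ("00:0f:ea:a4:60:c5", "82.199.215.195"),
    ("00:0f:ea:a4:60:c5", "82.199.215.196"),
]


def parse_arp_table(text: str) -> Dict[str, dict]:
    """Return {ip: {"mac", "ifname", "permanent"}} for every parseable line."""
    entries: Dict[str, dict] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines or formats we do not understand
        entries[m["ip"]] = {
            "mac": m["mac"].lower(),
            "ifname": m["ifname"],
            "permanent": "permanent" in m["state"].lower(),
        }
    return entries


def check_arp_table(entries: Dict[str, dict], expected: Dict[str, str]) -> List[str]:
    """Compare the live table with the intended static mapping."""
    findings: List[str] = []
    for ip, mac in expected.items():
        e = entries.get(ip)
        if e is None:
            findings.append(f"MISSING {ip}: no ARP entry (expected {mac})")
        elif e["mac"] != mac.lower():
            findings.append(f"MISMATCH {ip}: table has {e['mac']}, expected {mac}")
        elif not e["permanent"]:
            findings.append(f"DYNAMIC {ip}: entry for {mac} is not permanent")
    # One MAC bound to several IPs in the table is also worth a look.
    by_mac: Dict[str, List[str]] = {}
    for ip, e in entries.items():
        by_mac.setdefault(e["mac"], []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and mac != "(incomplete)":
            findings.append(f"SHARED {mac}: used by {', '.join(sorted(ips))}")
    return findings


def audit_frames(observations: List[Tuple[str, str]], expected: Dict[str, str]) -> List[str]:
    """Flag frames whose source IP is sent from a MAC other than its permanent entry."""
    alerts: List[str] = []
    for src_mac, src_ip in observations:
        want = expected.get(src_ip)
        if want is not None and src_mac.lower() != want.lower():
            alerts.append(f"SPOOF? {src_ip} sent from {src_mac}, permanent entry is {want}")
    return alerts


if __name__ == "__main__":
    table = parse_arp_table(ARP_OUTPUT)
    for line in check_arp_table(table, EXPECTED) + audit_frames(OBSERVED_FRAMES, EXPECTED):
        print(line)
```

On a real router you would feed `parse_arp_table` the output of `arp -an` and `audit_frames` the MAC/IP pairs from a short capture on the user-facing VLAN; the table check catches static entries that were lost or overwritten, and the frame audit reports the very case the thread describes, which static ARP alone does not prevent.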