From: Chuck Swiger <cswiger@mac.com>
Date: Sat, 05 Jul 2008 12:39:13 -0400
To: freebsd-net@freebsd.org
Subject: Re: arplookup x.x.x.x failed: host is not on local network
Message-ID: <486FA3B1.6040806@mac.com>
In-Reply-To: <20080704023244.GH29305@verio.net>
List-Id: Networking and TCP/IP with FreeBSD

David DeSimone wrote:
[ ... ]
> Again, I did see these messages in my environment, but in my case, the
> error was correct: The IP *was not* on the local network. The reason
> being that we had multiple subnets configured on the same broadcast
> domain, so the BSD box could indeed hear ARP for subnets it did not know
> about. I don't know why the box feels moved to complain about this,
> however. I would think it should not care.

It's good practice for machines intended to be on different subnets to be in
different collision domains. Seeing traffic to or from the wrong network
should be considered a potential "red flag", warning that there might be a
network misconfiguration that could compromise security.

In particular, if you want to securely host a bunch of client machines,
setting them up on individual /30 subnets using a multiport firewall or a BSD
box with a couple of 4-port NIC cards, rather than a switch, is a good idea.

While this situation is something which is supposedly well-suited for VLANs,
in practice most switches cannot be relied upon to actually prevent traffic
from leaking outside of the specified VLAN. This is more common for ARP
traffic, which is sent to the all-ones MAC and may well get forwarded to all
ports regardless of VLAN tagging, particularly if the switch is under load
and has switched to some kind of "fast forwarding" mode or if it tends to
consider all ports trunk ports by default or via dubious autolearning
algorithms....

Regards,
-- 
-Chuck
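As an added illustration of the "red flag" reading of these messages (example code written for this archive page, not part of the thread or of FreeBSD): the script below scans syslog lines for the kernel's "arplookup x.x.x.x failed: host is not on local network" message, checks each address against the subnets the host is supposed to have configured, and tallies the foreign /24s so that unknown subnets sharing the broadcast domain become visible. The local subnets and the log lines are constructed samples.

```python
import ipaddress
import re
from collections import Counter

# Kernel message discussed in the thread; the address is what we care about.
ARPLOOKUP_RE = re.compile(
    r"arplookup (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) failed: host is not on local network"
)

# Constructed sample: subnets this host is supposed to have on its interfaces.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
              ipaddress.ip_network("10.10.0.0/30")]

# Constructed sample syslog lines (not taken from the original thread).
SAMPLE_LOG = """\
Jul  5 12:30:01 gw kernel: arplookup 192.168.1.77 failed: host is not on local network
Jul  5 12:30:02 gw kernel: arplookup 172.16.4.9 failed: host is not on local network
Jul  5 12:30:05 gw kernel: arplookup 172.16.4.10 failed: host is not on local network
Jul  5 12:30:07 gw kernel: arplookup 10.10.0.2 failed: host is not on local network
Jul  5 12:30:09 gw sshd[1234]: Accepted publickey for admin from 192.168.1.5
Jul  5 12:31:00 gw kernel: arplookup 10.99.0.1 failed: host is not on local network
"""


def parse_arplookup_failures(log_text):
    """Return the IPv4 addresses named in arplookup failure messages, in log order."""
    matches = (ARPLOOKUP_RE.search(line) for line in log_text.splitlines())
    return [ipaddress.ip_address(m.group("ip")) for m in matches if m]


def classify(ip, local_nets):
    """'local' if the address lies in a configured subnet (then check which interface
    the ARP arrived on and whether the config is stale), 'foreign' otherwise."""
    return "local" if any(ip in net for net in local_nets) else "foreign"


def foreign_subnets(log_text, local_nets, prefixlen=24):
    """Count foreign ARP addresses per /prefixlen: each key is a subnet that is
    present on our broadcast domain even though we do not know about it."""
    counts = Counter()
    for ip in parse_arplookup_failures(log_text):
        if classify(ip, local_nets) == "foreign":
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            counts[str(net)] += 1
    return counts


if __name__ == "__main__":
    for net, n in foreign_subnets(SAMPLE_LOG, LOCAL_NETS).most_common():
        print(f"unknown subnet {net}: {n} ARP failure(s)")
```

A non-empty tally means another subnet is reachable at layer 2 from this host, which is the misconfiguration (or VLAN leak) the message is worth reading as a warning about.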