Date: Fri, 1 Dec 2023 01:01:54 -0500
From: Paul Procacci <pprocacci@gmail.com>
To: Olivier <Olivier.Nicole@cs.ait.ac.th>
Cc: questions@freebsd.org
Subject: Re: tap interface forcing a permanent ARP association
Message-ID: <CAFbbPugmB9gyKS=gXQ9yKfBHY4s6TtTKRE2mpkC8zpBjNqJObQ@mail.gmail.com>
In-Reply-To: <wu7fs0mblkq.fsf@banyan.cs.ait.ac.th>
References: <CAFbbPui4HpP67DD+KDX+nn+XF8+4Z71bZeG3-M0hMxf15F7qRg@mail.gmail.com> <wu7fs0mblkq.fsf@banyan.cs.ait.ac.th>
On Thu, Nov 30, 2023 at 11:20 PM Olivier <Olivier.Nicole@cs.ait.ac.th>
wrote:
> The plot thickens...
>
> Paul Procacci <pprocacci@gmail.com> writes:
>
> > On Wed, Nov 29, 2023 at 10:35 PM Olivier <Olivier.Nicole@cs.ait.ac.th>
> > wrote:
> >
> > Hi,
> >
> > I have an OpenVPN server running on FreeBSD (13.2-p5). I have included
> > the following in /etc/rc.conf:
> >
> > cloned_interfaces="tap0 bridge0"
> > ifconfig_bridge0="addm vmx0 addm tap0"
> > ifconfig_tap0="UP"
> > openvpn_enable="YES"
> >
> > And it works fine, except that ip maps the MAC address of tap0 to the IP
> > of my web server (on another machine), and the mapping is
> > "permanent":
> >
> > www.cs.ait.ac.th (10.41.170.42) at aa:bb:cc:dd:ee:ff on tap0 permanent [ethernet]
> >
> > That has two adverse effects:
> > - any VPN client cannot access my web server as they would get a wrong
> > MAC address;
> > - the VPN server will sometimes reply to an ARP request on my LAN,
> > providing an obviously wrong answer.
> >
> > Poking around, I found out that it was due to the "ifconfig_tap0=UP"
> > line. Furthermore, that line is not needed for OpenVPN to start
> > properly, so I have disabled it.
> >
> > But I would like to understand why turning up the tap interface causes
> > it to update the ARP table.
> >
> > Best regards,
> >
> > Olivier
> >
> > --
> >
> > If I'm being honest, what you're saying sounds really strange.
> > NIC vendors have prefixes assigned to them for their MAC usage and the
> > chances of collision between two machines, especially since the local NIC in
> > question is a tap, is an absolute fat 0 chance.
> > -- That is, unless somewhere someone is doing something they shouldn't, or
> > perhaps the entire picture wasn't provided and information is missing.
>
> I have checked that the hostuuid are different and that the MAC
> addresses on both machines are different.
>
> I have conducted some more tests on a machine that has been created
> from scratch, still FreeBSD RELEASE-13.2-p5.
>
> $ ifconfig tap0 create
> $ ifconfig tap0 UP
> ifconfig: WARNING: setting interface address without mask is deprecated,
> default mask may not be correct.
> $ ifconfig tap0
> tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=80000<LINKSTATE>
> ether 58:9c:fc:10:a4:65
> inet 192.41.170.42 netmask 0xffffff00 broadcast 192.41.170.255
> groups: tap
> media: Ethernet autoselect
> status: no carrier
> nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>
> Does modify the ARP table and associate the IP of my web server with the
> MAC of the interface tap0:
>
> $ arp -a | grep 192.41.170.42
> www.cs.ait.ac.th (192.41.170.42) at 58:9c:fc:10:a4:65 on tap0 permanent [ethernet]
>
> While:
>
> $ ifconfig tap0 create
> $ ifconfig tap0 up
> $ ifconfig tap0
> tap0: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=80000<LINKSTATE>
> ether 58:9c:fc:10:a4:65
> groups: tap
> media: Ethernet autoselect
> status: no carrier
> nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>
> Doesn't:
>
> $ arp -a | grep 192.41.170.42
> $
>
> Any idea is welcome.
>
> Best regards,
>
> Olivier
>
>
The difference is shown in the flags:
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
vs
tap0: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST>
UP is the *administrative state* indicator, or what you have configured the
NIC to do.
RUNNING is the *operational state* indicator, or what the NIC has actually
been able to do.
UP without RUNNING means the NIC is not detecting a link.
So what does this mean to me? I'd interpret this to mean the first tap0
you provided is connected to something while the second one isn't.
~Paul
--
__________________
:(){ :|:& };:
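The flag difference Paul points to, and the inet address that appears only in the `ifconfig tap0 UP` transcript (together with ifconfig's warning about setting an address without a mask, which is what one sees when ifconfig treats an argument as an address rather than as the lowercase `up` keyword), can be checked mechanically. The script below is an added example, not code from the thread or from FreeBSD; it parses the two tap0 listings from the thread (sample data reconstructed from the quoted output, with a constructed `arp -an` table whose tap0 line mirrors the thread) and reports the administrative/operational state plus whether the interface owns an address that is also a permanent ARP entry on it. Function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: classify an interface from its
# ifconfig listing and cross-check it against "arp -an" output.
# Constructed samples using the values from the thread: the listing after
# "ifconfig tap0 UP" (UP and RUNNING, address present) and after
# "ifconfig tap0 up" (UP only, no address); extra ifconfig lines trimmed.
TAP0_UP='tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:10:a4:65
        inet 192.41.170.42 netmask 0xffffff00 broadcast 192.41.170.255'
TAP0_NOLINK='tap0: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:10:a4:65'
# Constructed "arp -an" output: the tap0 line mirrors the thread, the vmx0
# line is a made-up dynamic entry for contrast.
ARP_TABLE='? (192.41.170.42) at 58:9c:fc:10:a4:65 on tap0 permanent [ethernet]
? (192.41.170.1) at 00:11:22:33:44:55 on vmx0 expires in 1187 seconds [ethernet]'

# Flag list from the first ifconfig line, e.g. "UP,BROADCAST,RUNNING,...".
iface_flags() {
    printf '%s\n' "$1" | sed -n '1s/^[^ ]*: flags=[0-9a-f]*<\([^>]*\)>.*/\1/p'
}
# up-running: UP and RUNNING; up-nolink: UP without RUNNING; down: neither.
link_state() {
    case ",$(iface_flags "$1")," in
        *,UP,*RUNNING,*) echo up-running ;;
        *,UP,*)          echo up-nolink ;;
        *)               echo down ;;
    esac
}
# IPv4 addresses configured on the interface, one per line (empty if none).
iface_inet() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
}
# "ip mac" for each permanent ARP entry bound to interface $1 in table $2.
permanent_arp_on() {
    printf '%s\n' "$2" | awk -v ifn="$1" \
        'index($0, " on " ifn " ") && index($0, " permanent ") {
             gsub(/[()]/, "", $2); print $2, $4 }'
}
# "conflict" when the interface owns an IPv4 address that is also a permanent
# ARP entry on that same interface (the first tap0 state), else "clean".
check_iface() {
    name=$(printf '%s\n' "$1" | sed -n '1s/^\([^:]*\):.*/\1/p')
    addr=$(iface_inet "$1" | head -n 1)
    if [ -n "$addr" ] && permanent_arp_on "$name" "$2" |
        awk -v a="$addr" '$1 == a { hit = 1 } END { exit !hit }'
    then echo conflict; else echo clean; fi
}
echo "UP: $(link_state "$TAP0_UP") $(check_iface "$TAP0_UP" "$ARP_TABLE")"
echo "up: $(link_state "$TAP0_NOLINK") $(check_iface "$TAP0_NOLINK" "$ARP_TABLE")"
```

On a live host, feed it `ifconfig tap0` and `arp -an` output instead of the constructed strings; a "conflict" result on a bridged tap interface is the condition Olivier describes, where the VPN host answers ARP for an address that belongs to another machine.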