Annoying arp messages won't go away!! ( from freebsd-net@freebsd.org )

Paiva, Gilson de g-paiva at el.com.br
Mon May 19 09:12:08 PDT 2003


   Hi everybody,

   Sorry to cross-post from freebsd-net...

   I was running a FreeBSD machine bridging packets on 2 interfaces and
acting as my internet router without any problem.
   Last week I had to change my IP allocation and, due to ipfw2 improvements
on layer 2, I decided not to route packets through this machine anymore,
but to have a 3-NIC bridge; then the annoying "/kernel: -- loop (x)
xxarpxx to nicx from nicy (active)" is here :) .
   The moving ARPs are from the internet router (attached directly to ep0)
and a RAS attached to xl0. FreeBSD keeps telling me the message about
these 2 ARPs moving between its 3 NICs.
   I understand the ARP and bridge basics very well, and I think this
problem has something to do with these 2 pieces of equipment "scanning" my
network with "arp who-has" (detected with tcpdump).
   I even "locked" all my 128 IPs' ARP entries with the arp -s and arp -s pub
options, but nothing changed. I even tried to stop the messages with
net.link.ether.inet.log_arp_wrong_iface=0, again with no success. No
Google, no man pages, nothing I could do...

    Running 4.8-STABLE, cvsup'ed with make world and kernel done on the 15th
of this month, ipfw2, 3 NICs with bridge on them.

    Has anyone had anything like this, or does anyone know any tip?


I tried to make it simple, but I understand it's not that easy to mentally
draw it.

 internet_router
   |
   |
   ep0
 freebsd  rl0 -- wireless network
   xl0
   |
   |
 clients, servers and ras

before: bridge with xl0 and rl0. This box had an IP used as the gateway for
internal clients.
now: bridge on all NICs. Servers and clients have their IP gateway pointed
to internet_router. The IP network is fine. This box has an IP so I can
administer it.

ifconfig -a
Where's "status: active" for xl0 and ep0? Both are up and running fine...
(thanks rmkml at wanadoo.fr)

 xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 	inet 200.179.xxx.xxx netmask 0xffffff80 broadcast 200.179.xxx.xxx
 	ether 00:60:97:70:12:ec
 	media: Ethernet 10baseT/UTP (10baseT/UTP <half-duplex>)
 rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 	ether 00:40:c7:78:06:45
 	media: Ethernet autoselect (100baseTX <full-duplex>)
 	status: active
 ep0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 	ether 00:60:08:2b:bc:29
 	media: Ethernet 10baseT/UTP

I flushed all ipfw rules and loaded no custom sysctl values; the problem
remains the same. A piece of my sysctl.conf, network entries:

 net.inet.icmp.log_redirect=0
 net.inet.ip.fastforwarding=1
 net.inet.ip.forwarding=1
 net.inet.ip.fw.enable=1
 net.inet.ip.fw.one_pass=0
 net.inet.ip.stealth=1
 net.inet.tcp.blackhole=2
 net.inet.tcp.keepidle=9000
 net.inet.tcp.recvspace=65536
 net.inet.tcp.sendspace=65536
 net.inet.udp.blackhole=1
 net.link.ether.bridge=1
 net.link.ether.bridge_cfg=xl0,rl0,ep0
 net.link.ether.bridge_ipfw=1
 net.link.ether.inet.log_arp_wrong_iface=0
 net.link.ether.ipfw=1


 Kernel conf?

 options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
 options         ACCEPT_FILTER_DATA
 options         ACCEPT_FILTER_HTTP
 options         IPFW2
 options         IPFIREWALL              #firewall
 options         IPFIREWALL_VERBOSE      #print information about
 options         IPFIREWALL_FORWARD      #enable transparent proxy support
 options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
 options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
 options         IPFILTER                #ipfilter support
 options         IPFILTER_LOG            #ipfilter logging
 options         IPDIVERT                #divert sockets
 options         IPSTEALTH               #support for stealth forwarding
 options         MROUTING                #Multicast routing
 options         DUMMYNET
 options         HZ=1000                 # strongly recommended
 options         RANDOM_IP_ID
 options         BRIDGE
 options         IPSEC                   #IP security
 options         IPSEC_ESP               #IP security (crypto; define w/ IPSEC)
 options         IPSEC_DEBUG             #debug for IP security
 options         ICMP_BANDLIM            #Rate limit bad replies


-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Paiva, Gilson de        Domingos Martins
 mailto:npd at el.com.br    Brazil
 http://www.el.com.br/   E&L Producoes de Software
 http://www.FreeBSD.org/ FreeBSD: The Power to Serve
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


------------------------------------------------------------------------------
Legal notice:
This message may not officially express the ideas or intentions of the company
E&L Producoes de Software; its author alone is responsible for it.
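The poster detected the "arp who-has" scans with tcpdump but has not yet tied each ARP source to the bridge member it arrives on. The script below is an added example, not part of the original post: it takes per-interface ARP capture lines and reports every source MAC that shows up on more than one bridge interface, which is the condition the kernel's "loop ... to nicx from nicy" message is reporting. The sample lines are constructed, the MAC and IP addresses in them are made up (documentation ranges), and the script only relies on the first two whitespace-separated fields of each line (interface name, then source MAC); the exact `tcpdump -e` output format varies between versions, so the prefixing step shown in the comment is an assumption about how the capture is labelled, not a guaranteed format.

```shell
#!/bin/sh
# Added example (not from the original post): find ARP source MACs that are
# seen on more than one bridge member interface.
#
# Real usage (assumption, adapt to your tcpdump version) would label each
# interface's capture with its name and feed the merged stream to moving_macs:
#   for i in xl0 rl0 ep0; do
#     tcpdump -l -n -e -i "$i" arp 2>/dev/null | sed "s/^/$i /" &
#   done | moving_macs

# Constructed sample: "<iface> <src-mac> <rest of an -e style ARP line>".
# Addresses are made up; 00:00:5e:00:53:xx and 192.0.2.x are documentation ranges.
SAMPLE='ep0 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP, arp who-has 192.0.2.10 tell 192.0.2.1
xl0 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP, arp who-has 192.0.2.11 tell 192.0.2.1
xl0 00:00:5e:00:53:02 > ff:ff:ff:ff:ff:ff, ethertype ARP, arp who-has 192.0.2.20 tell 192.0.2.5
rl0 00:00:5e:00:53:03 > ff:ff:ff:ff:ff:ff, ethertype ARP, arp reply 192.0.2.30 is-at 00:00:5e:00:53:03
ep0 00:00:5e:00:53:03 > ff:ff:ff:ff:ff:ff, ethertype ARP, arp who-has 192.0.2.31 tell 192.0.2.30'

# Read "<iface> <mac> ..." lines on stdin and print "<mac> <iface1>,<iface2>,..."
# for every MAC that appeared on two or more interfaces, sorted by MAC.
# Interfaces are listed in first-seen order; a MAC seen only on one interface
# is never printed, so an empty result means no MAC is flapping.
moving_macs() {
    awk '
        # Count each (mac, iface) pair once, no matter how many frames carry it.
        !seen[$2, $1]++ {
            ifaces[$2] = (ifaces[$2] == "" ? $1 : ifaces[$2] "," $1)
            count[$2]++
        }
        END {
            for (m in count)
                if (count[m] > 1)
                    print m, ifaces[m]
        }
    ' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | moving_macs
```

On the sample, 00:00:5e:00:53:01 is reported on ep0,xl0 and 00:00:5e:00:53:03 on rl0,ep0, while 00:00:5e:00:53:02 (seen only on xl0) is not listed. Run against live captures, the MACs it prints are the ones whose ARP frames arrive on more than one of the three bridge members, which is the first thing to know before deciding whether the device itself, a duplicate path between segments, or the capture labelling is responsible.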