ARP not working on interface that does not have an IP

Andrew Chan achan at achan.com
Tue Sep 16 11:58:35 PDT 2003


My description is lengthy but believe me, it is a "simple" problem.

Greetings,

I am trying to insert a FreeBSD Bridging Firewall into an existing office broadband network.

[[ ADSL modem / router (double as a NAT box) ]] <===>  [[ "rl0" FreeBSD "rl1" ]] <===> [[ office LAN switch ]]

"rl0" is connected to the outside ADSL box and "rl1" is connected to the internal office LAN switch

The ADSL box has an IP of 192.168.0.1 and is the default router for everybody. "rl1" has an IP of 192.168.0.2 while "rl0" does not have an IP configured.

I have 99% of everything working, including the passing of ARP (I am running ipfw2 on 5.1R). The PCs on the office internal LAN can connect to the outside world with no problem whatsoever.

The only problem is "rl0" doesn't seem to be able to look up the MAC address of 192.168.0.1 (the ADSL router) through ARP, and that means any TCP/IP connections I initiate on the FreeBSD box to the outside world fail.

? (192.168.0.1) at (incomplete) on rl1 [ethernet]

Looks like the system is expecting the ARP entry to come from rl1 while it should have been from rl0.

I ran tcpdump on "rl0" and saw both the outgoing ARP requests from the FreeBSD box and the ARP replies from 192.168.0.1. It is just that the FreeBSD box never seems to get the ARP replies. This problem stays the same even when I run an "open" firewall, so I am quite sure it is not something about the rules.

If I give "rl0" an IP address and leave "rl1" without one then the problem is reversed, i.e. "rl1" cannot get any ARP stuff going.

I also tried to give "rl0" an IP address of 192.168.0.3, but "ifconfig" wouldn't take it, complaining:

ifconfig: ioctl (SIOCAIFADDR): File exists

I also tried to give "rl0" an IP address from another subnet (just to fake it), say 192.168.1.1, but then FreeBSD complained that the ARP replies from 192.168.0.1 were coming from the "wrong interface". It was expecting them to come from "rl1" (which is in the network range 192.168.0.0) instead of from "rl0" (which is NOT in the network range 192.168.0.0).

I think I exhausted my experience here and would really appreciate some help.

Many thanks!

Andrew
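The symptom in this post (an "(incomplete)" ARP entry bound to the interface that holds the subnet address rather than the interface the host is physically behind) can be checked mechanically. The script below is an added example, not part of Andrew's message or of FreeBSD: it parses `arp -an` lines in the format quoted above, works out which interface the kernel will use to ARP for an address from the interfaces' configured subnets (the connected route), and flags incomplete entries whose physical path disagrees. The interface addressing, the second ARP line and the `physical_path` map are constructed to mirror the poster's setup; the function names are the example's own.

```python
import ipaddress
import re

# Constructed interface addressing, modelled on the post:
# rl1 carries 192.168.0.2/24, rl0 has no IPv4 address.
INTERFACES = {
    "rl0": [],
    "rl1": ["192.168.0.2/24"],
}

# Constructed `arp -an` output in FreeBSD's format; the first line is the one quoted in the post,
# the second is a made-up complete entry for contrast.
ARP_OUTPUT = """\
? (192.168.0.1) at (incomplete) on rl1 [ethernet]
? (192.168.0.50) at 00:11:22:33:44:55 on rl1 [ethernet]
"""

# Constructed knowledge of the cabling: the ADSL router sits on the rl0 side of the bridge.
PHYSICAL_PATH = {"192.168.0.1": "rl0"}

ARP_RE = re.compile(r"\? \((?P<ip>[\d.]+)\) at (?P<mac>\S+) on (?P<ifname>\S+)")


def parse_arp(text):
    """Parse `arp -an` lines into dicts; entries whose MAC reads '(incomplete)' are marked."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            entries.append({
                "ip": m.group("ip"),
                "mac": m.group("mac"),
                "ifname": m.group("ifname"),
                "incomplete": m.group("mac") == "(incomplete)",
            })
    return entries


def arp_interface_for(ip, interfaces=INTERFACES):
    """Return the interface whose configured subnet covers ip (longest prefix wins), or None.

    This reproduces the rule the post runs into: the kernel sends ARP requests and accepts
    replies on the interface that owns the connected route, not on an address-less leg."""
    target = ipaddress.ip_address(ip)
    best = None
    for ifname, addrs in interfaces.items():
        for cidr in addrs:
            net = ipaddress.ip_interface(cidr).network
            if target in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (ifname, net)
    return best[0] if best else None


def diagnose(arp_text, interfaces=INTERFACES, physical_path=PHYSICAL_PATH):
    """Explain each incomplete ARP entry in terms of route interface vs. physical interface."""
    findings = []
    for e in parse_arp(arp_text):
        if not e["incomplete"]:
            continue
        route_if = arp_interface_for(e["ip"], interfaces)
        actual_if = physical_path.get(e["ip"])
        if route_if is None:
            findings.append(f"{e['ip']}: no interface has a subnet covering this address")
        elif actual_if and actual_if != route_if:
            findings.append(
                f"{e['ip']}: kernel resolves via {route_if} (owns the subnet) but the host "
                f"is behind {actual_if}; replies seen on {actual_if} do not complete the entry"
            )
        else:
            findings.append(f"{e['ip']}: incomplete on {route_if}, host not answering")
    return findings


if __name__ == "__main__":
    for f in diagnose(ARP_OUTPUT):
        print(f)
```

Run against the constructed data it reports the single mismatch for 192.168.0.1; feeding it the real `arp -an` output and the actual interface addressing reproduces the check without touching the firewall rules, which the post already rules out.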


More information about the freebsd-ipfw mailing list