FreeBSD deny 'unusual' IP-addresses?

Patrik Forsberg patrik.forsberg at dataphone.net
Sat Jan 17 05:53:00 PST 2004


> I work in a small ISP company. We are using FreeBSD machines for routing
> and counting traffic of our clients. I have run into the 'feature' in the
> subject twice:
> 
> 1) A FreeBSD server with a real IP on the external interface and a lot
> of IPs like 10.1.1.1/24, 172.16.13.1/24 (NOT ANY 192.168...!) on the
> internal interface. If someone tries to bring up ANY address like
> 192.168.0.1/24, our server always says that this address is already in
> use. Those clients need these addresses, because they use our LAN as
> transport between two offices. I solved this problem by bringing up
> 192.168.1.1/16 on the server's internal interface.

I don't quite understand this. A machine that doesn't have the network
segment you're trying to assign to another machine should never ever
bother about it. Neither should it complain that it is already in use,
since it doesn't know about it at all. It might be some proxy-ARP thing
that I don't know about that might cause that kind of behaviour, but
normally it shouldn't bother, since it doesn't know about the network,
even less the specified IP address.

> 2) One of our clients uses our LAN for testing their experimental
> hardware device (I don't know what that thing does, but it is connected
> to the network). For some unknown reason that device uses a real IP
> address that does not belong to me, but they don't want to change the
> address (why? I don't know). Our server swears that this address is
> already in use.

This is generally a very bad idea. Two machines connected to the same
layer-2 segment should never have the same IP. Either you or they should
change IP, otherwise all kinds of havoc can break loose on the LAN.
Of course your server will complain that the address is already in use,
because it is. I'm amazed if that works at all.
The only time two pieces of equipment could have the same IP is if they
are using some kind of high-availability mode, like VRRP or something,
but even then the same IP isn't connected at the same time to the same
layer-2 segment. This is simply a NO-NO.

> I understand that using such a thing is not compliant with standards,
> but maybe someone knows how to switch off those kinds of alarms?

I wouldn't bet there is a way without kernel hacking. It is a very basic
part of the TCP/IP core to complain about it. Like you and me complaining
if a person steps into our footsteps before we have stepped out of them.

I wouldn't call it a feature if you could disable it, more like a bug
;)

Well, I could be wrong, of course.

Regards,
Patrik
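The complaint Patrik describes comes from the host's ARP input path: when a frame arrives whose sender claims one of the host's own addresses with a foreign MAC, the host knows the address is in use twice on its segment. The following is an added illustration of that check, written for this page; it is not code from the post and not FreeBSD's own implementation. The interface names (fxp0, fxp1), addresses and MACs are all constructed for the demo, and the logic is a simplification: flag a sender that uses one of our own IPs with a different MAC, note when an already-learned IP shows up from a new MAC, and ignore everything else. The 192.168.0.1 packet in the sample is from a subnet the host does not have, so it produces no event, which is the behaviour Patrik expects in the first case.

```python
"""Added example: a model of ARP-based duplicate-address detection.

Not from the freebsd-isp post and not FreeBSD's source; interface names,
IPs and MACs below are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    iface: str       # interface the frame arrived on
    sender_ip: str   # sender protocol address from the ARP header
    sender_mac: str  # sender hardware address from the ARP header


# Constructed: the router's own address per interface (fxp0 external,
# fxp1 internal). 203.0.113.0/24 is a documentation prefix.
OWN_ADDRESSES = {
    "fxp0": ("203.0.113.10", "00:00:5e:00:53:01"),
    "fxp1": ("10.1.1.1", "00:00:5e:00:53:02"),
}


def detect_conflicts(packets, own=OWN_ADDRESSES):
    """Return the events a host would report for a stream of ARP packets.

    ("duplicate", iface, ip, other_mac): someone else is using our IP.
    ("moved", iface, ip, old_mac, new_mac): a learned IP changed MAC.
    Packets for addresses we do not own and have not seen are just learned.
    """
    events = []
    learned = {}  # (iface, ip) -> MAC seen for that IP on that interface
    for p in packets:
        mac = p.sender_mac.lower()
        own_ip, own_mac = own.get(p.iface, (None, None))
        if own_ip is not None and p.sender_ip == own_ip:
            # Our own address: our own MAC (e.g. our gratuitous ARP) is
            # fine, anything else is a duplicate on this segment.
            if mac != own_mac.lower():
                events.append(("duplicate", p.iface, p.sender_ip, mac))
            continue
        key = (p.iface, p.sender_ip)
        prev = learned.get(key)
        if prev is not None and prev != mac:
            events.append(("moved", p.iface, p.sender_ip, prev, mac))
        learned[key] = mac
    return events


# Constructed sample traffic on the internal interface.
SAMPLE_PACKETS = [
    ArpPacket("fxp1", "10.1.1.25", "02:00:00:00:00:25"),    # ordinary client
    ArpPacket("fxp1", "192.168.0.1", "02:00:00:00:00:aa"),  # subnet we lack: ignored
    ArpPacket("fxp1", "10.1.1.25", "02:00:00:00:00:26"),    # known IP, new MAC: moved
    ArpPacket("fxp1", "10.1.1.1", "02:00:00:00:00:ee"),     # claims our IP: duplicate
]


def demo():
    """Run the detector over the constructed sample."""
    return detect_conflicts(SAMPLE_PACKETS)


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The second event is the one behind both of the original poster's complaints: as long as a foreign MAC answers for an address the host itself holds on that segment, the host has no way to tell a misconfigured device from an address takeover, and silencing the report would only hide the problem.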



More information about the freebsd-isp mailing list