[Strange behavior with arp permanent entries]
Sten Daniel Soersdal
sten.daniel.sorsdal at gmail.com
Wed Feb 14 18:28:40 UTC 2007
ea at sellinet.net wrote:
> Hello, Guys!
>
> I'm trying to restrict some LAN access by ARP permanent entries. But it
> didn't work, or it didn't work as I understood it would. For example, I have the
> following permanent entries:
>
>
> user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
> user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]
>
>
> And from what I understand, if user1 attempts to use user2's IP address,
> the router should block all packets coming from the wrong physical
> address. But actually that didn't happen, and user1 can use user2's IP
> address without any problems.
The router won't block packets coming from anyone. It should however
prevent packets going *to* the wrong user. But that depends heavily on
whether the layer 2 network cooperates, and on the bad host's network stack.
Tip: If you want the effect of each user having their own physical LAN
(so they can't steal each other's IP addresses) you need to segregate
them in a manner that effectively gives each user a physical LAN. VLANs
might help, if done correctly.
>
> Maybe some of you will advise me to use ipfw ARP rules, but when I turn
> net.link.ether.ipfw on I get very low performance from the router.
> We're talking about 800 Mbps and 600k packets per second, and many users, which
> means many ipfw ARP rules.
Then perhaps you need to solve the problem on a different level or on a
different unit? Perhaps segregate the users at the edge using VLANs and thus
remove the need to filter?
--
Sten Daniel Soersdal
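Added example, not part of the original thread: a small POSIX sh generator that turns an "IP MAC" table like the one quoted above into ipfw(8) layer 2 rules, so that a frame whose source MAC does not match the registered owner of its source IP is dropped on the way *in*, which is the check a permanent ARP entry alone never performs. It assumes FreeBSD ipfw with net.link.ether.ipfw=1 already set, an interface name given as the first argument, a starting rule number given as the optional second argument (default 1000), and the ipfw MAC/layer2 syntax as documented in ipfw(8); the sample table at the bottom is constructed from the two entries in the quoted post.

```shell
#!/bin/sh
# Added example (not from the original post). Emits ipfw layer-2 rules that
# bind each registered IP to its MAC. Assumptions: FreeBSD ipfw(8) with
# net.link.ether.ipfw=1, interface name in $1, base rule number in $2.
#
# gen_mac_rules IFACE [BASE]  -  reads "IP MAC" pairs from stdin,
#                                writes "ipfw add ..." commands to stdout.
gen_mac_rules() {
    iface=$1
    n=${2:-1000}
    while read -r ip mac _rest; do
        # skip blank lines and comments in the binding table
        case $ip in ''|'#'*) continue ;; esac
        # 1) pass inbound IP frames from this IP only when the source MAC
        #    (second MAC operand; the first is the destination) is the owner
        printf 'ipfw add %d allow ip from %s to any MAC any %s in via %s layer2\n' \
            "$n" "$ip" "$mac" "$iface"
        n=$((n + 1))
        # 2) drop the same source IP arriving from any other MAC
        printf 'ipfw add %d deny ip from %s to any in via %s layer2\n' \
            "$n" "$ip" "$iface"
        n=$((n + 1))
    done
    # 3) let every other layer-2 frame (ARP, unregistered IPs, etc.) fall
    #    through so the rest of the ruleset keeps its existing behaviour;
    #    remove this line if the surrounding ruleset is default-deny on purpose
    printf 'ipfw add %d allow all from any to any layer2\n' "$n"
}

# Sample binding table, constructed from the two entries quoted in the post.
demo_rules() {
    printf '%s\n' \
        '# ip               mac' \
        '82.199.215.195 00:0f:ea:a4:60:c5' \
        '82.199.215.196 00:13:8f:b1:68:4b' \
    | gen_mac_rules vlan804 1000
}

demo_rules
```

The generator writes two rules per user plus one pass-through, and ipfw walks them linearly per frame, so this is the layer 2 filter written compactly, not a fix for the per-packet cost the original poster saw at 600k pps; that cost is why the reply points at per-user VLANs at the edge rather than more filter rules on the router.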