[Strange behavior with arp permanent entries]
ea at sellinet.net
Thu Feb 15 12:15:38 UTC 2007
> ea at sellinet.net wrote:
>> Hello, Guys!
>>
>> I'm trying to restrict some LAN access with permanent ARP entries, but it
>> didn't work, or didn't work the way I understood it. For example I have the
>> following permanent entries:
>>
>>
>> user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
>> user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]
>>
>>
>> And from what I understand, if user1 attempts to use user2's IP address,
>> the router should block all packets coming from the wrong physical
>> address. But actually that didn't happen, and user1 can use user2's IP
>> address without any problems.
>
> The router won't block packets coming from anyone. It should however
> prevent packets going *to* the wrong user. But that depends heavily on
> whether the layer-2 network cooperates, and on the bad host's network stack.
Scenario 1:
user1: 10.2.0.2 00:14:85:84:af:c8 perm
user2: 10.2.0.3 00:0f:ea:a4:60:c5 perm
User2 can't use user1's IP address.
Scenario 2:
user1: 10.2.0.2 00:0a:e6:f7:8a:81 perm
user2: 10.2.0.3 00:0f:ea:a4:60:c5 perm
User2 can use user1's IP address.
So maybe there is some truth in your words, but why does this happen? What is
the difference between the two physical addresses?
>
> Tip: If you want the effect of each user having their own physical LAN
> (so they can't steal each other's IP addresses) you need to segregate
> them in a manner that effectively gives each user a physical LAN. VLANs
> might help, if done correctly.
Unfortunately, this can't be done in our case.
>
>>
>> Maybe some of you will advise me to use ipfw ARP rules, but when I turn
>> net.link.ether.ipfw on I get very low performance from the router.
>> We're talking about 800 Mbps and 600k packets per second, and many users,
>> which means many ipfw ARP rules.
>
> Then perhaps you need to solve the problem on a different level or in a
> different unit? Perhaps segregate the users at the edge using VLANs, thus
> removing the need for filtering?
>
> --
> Sten Daniel Soersdal
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
>
--------------------------------------------------------------
SELLINET Internet Services Provider - http://www.sellinet.net/
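A small Python model of the point Sten makes in the thread, added here as an example (it is not code from the thread and not FreeBSD code): a permanent ARP entry only pins the MAC the router *sends* to for that IP and refuses to be overwritten by ARP replies; it does nothing to frames the router *receives*. The `enforce_src_mac` flag models what a layer-2 filter such as an ipfw MAC rule would have to do to actually drop the impostor's traffic. The user MACs and IPs are the ones from the original post; the router MAC and the 198.51.100.7 destination are constructed. The model does not include the switch, so it does not explain the scenario 1 / scenario 2 difference the thread leaves open.

```python
"""Toy model: permanent ARP entries vs. an IP impostor on the same LAN.

Added example, not from the mailing-list thread or from FreeBSD. Sample
addresses are constructed, except the user1/user2 MACs and user2's IP,
which are taken from the post.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class ArpEntry:
    mac: str
    permanent: bool


@dataclass
class Router:
    mac: str
    enforce_src_mac: bool = False  # models an explicit L2 filter (e.g. ipfw MAC rules)
    arp: Dict[str, ArpEntry] = field(default_factory=dict)
    accepted: List[Frame] = field(default_factory=list)

    def add_permanent(self, ip: str, mac: str) -> None:
        """Equivalent of a static/permanent ARP entry."""
        self.arp[ip] = ArpEntry(mac, permanent=True)

    def learn(self, ip: str, mac: str) -> bool:
        """Cache update from an ARP reply seen on the wire.
        Permanent entries are never overwritten; that is all a permanent entry buys."""
        cur = self.arp.get(ip)
        if cur is not None and cur.permanent:
            return False
        self.arp[ip] = ArpEntry(mac, permanent=False)
        return True

    def receive(self, frame: Frame) -> bool:
        """Inbound path. Plain IP forwarding never checks src_ip against the ARP
        table, so an impostor's frames are accepted unless an L2 filter does it."""
        if frame.dst_mac != self.mac:
            return False
        if self.enforce_src_mac:
            cur = self.arp.get(frame.src_ip)
            if cur is not None and cur.permanent and cur.mac != frame.src_mac:
                return False  # IP arrived from a MAC other than its pinned one
        self.accepted.append(frame)
        return True

    def reply_to(self, frame: Frame) -> Optional[Frame]:
        """Outbound path. The destination MAC comes from the ARP table, not from
        the frame that triggered the reply."""
        cur = self.arp.get(frame.src_ip)
        if cur is None:
            return None  # would have to send an ARP request first
        return Frame(self.mac, cur.mac, frame.dst_ip, frame.src_ip)


USER1_MAC = "00:0f:ea:a4:60:c5"                      # user1, from the post
USER2_IP, USER2_MAC = "82.199.215.196", "00:13:8f:b1:68:4b"  # user2, from the post
ROUTER_MAC = "00:00:5e:00:53:01"                     # constructed (IANA documentation range)
REMOTE_IP = "198.51.100.7"                           # constructed (TEST-NET-2)


def impostor_run(permanent: bool, enforce_src_mac: bool = False) -> dict:
    """user1 first poisons ARP for user2's IP, then sends IP traffic as user2.
    Returns what the router did at each step."""
    r = Router(ROUTER_MAC, enforce_src_mac=enforce_src_mac)
    if permanent:
        r.add_permanent(USER2_IP, USER2_MAC)
    else:
        r.learn(USER2_IP, USER2_MAC)
    poisoned = r.learn(USER2_IP, USER1_MAC)           # user1 answers ARP for user2's IP
    spoofed = Frame(USER1_MAC, ROUTER_MAC, USER2_IP, REMOTE_IP)
    accepted = r.receive(spoofed)
    reply = r.reply_to(spoofed) if accepted else None
    return {
        "cache_poisoned": poisoned,
        "inbound_accepted": accepted,
        "reply_goes_to_impostor": reply is not None and reply.dst_mac == USER1_MAC,
    }


if __name__ == "__main__":
    print("dynamic ARP:           ", impostor_run(permanent=False))
    print("permanent ARP:         ", impostor_run(permanent=True))
    print("permanent + L2 filter: ", impostor_run(permanent=True, enforce_src_mac=True))
```

With dynamic ARP the impostor both poisons the cache and receives the replies. With a permanent entry the cache survives, the spoofed packets are still accepted and forwarded, and the replies go to user2's real MAC, which is exactly the "won't block, only prevents packets going to the wrong user" behaviour from the reply. Only the filter variant refuses the inbound frame, and that is the per-user rule set the original poster found too expensive at 600k pps.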