Re: [Strange behavior with arp permanent entries]



ea@xxxxxxxxxxxx wrote:
Hello, Guys!

I'm trying to restrict some LAN access by ARP permanent entries. But it
doesn't work, or it doesn't work the way I understood it would. For example, I have the
following permanent entries:


user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]


And from what I understand, if user1 attempts to use user2's IP address,
the router should block all packets coming from the wrong physical
address. But actually that doesn't happen, and user1 can use user2's IP
address without any problems.

The router won't block packets coming from anyone. It should, however,
prevent packets going *to* the wrong user. But that depends heavily on
whether the layer-2 network cooperates and on the bad host's network stack.

Scenario 1:

user1: 10.2.0.2 00:14:85:84:af:c8 perm
user2: 10.2.0.3 00:0f:ea:a4:60:c5 perm

User2 can't use user1's IP address.

Scenario 2:

user1: 10.2.0.2 00:0a:e6:f7:8a:81 perm
user2: 10.2.0.3 00:0f:ea:a4:60:c5 perm

User2 can use user1's IP address.

So, maybe there is some truth in your words, but why does this happen? What is
the difference between the two physical addresses?



Tip: If you want the effect of each user having their own physical LAN
(so they can't steal each other's IP addresses) you need to segregate
them in a manner that effectively gives each user a physical LAN. VLANs
might help, if done correctly.


Unfortunately, this can't be done in our case.




Maybe some of you will advise me to use ipfw ARP rules, but when I turn
net.link.ether.ipfw on I get very low performance from the router.
We are talking about 800 Mbps and 600k packets per second, and many users, which
means many ipfw ARP rules.

Then perhaps you need to solve the problem on a different level or in a
different unit? Perhaps segregate the users at the edge using VLANs and thus
remove the need for filtering?

--
Sten Daniel Soersdal
_______________________________________________
freebsd-isp@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@xxxxxxxxxxx"




--------------------------------------------------------------
SELLINET Internet Services Provider - http://www.sellinet.net/

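A small Python model of the asymmetry Sten describes, added here as an illustration and not code from the thread or from FreeBSD: the router's forwarding path ignores the frame's source MAC, its reply path is pinned by the permanent ARP entry, and a separate monitor-side check is what it would take to notice the mismatch. LOCAL_NET, the Frame class and the sample frames are constructed for the example; the MAC/IP pairs are copied from the thread's Scenario 1.

```python
from dataclasses import dataclass

# Permanent ARP entries copied from Scenario 1 of the thread.
PERMANENT_ARP = {
    "10.2.0.2": "00:14:85:84:af:c8",  # user1
    "10.2.0.3": "00:0f:ea:a4:60:c5",  # user2
}
LOCAL_NET = "10.2.0."  # assumed VLAN subnet, tested as a string prefix


@dataclass(frozen=True)
class Frame:
    src_mac: str  # Ethernet source address as seen on the VLAN
    src_ip: str   # IP source address inside the frame
    dst_ip: str


def forward_inbound(frame: Frame) -> bool:
    """Forwarding decision for a frame arriving from the VLAN: only the IP
    header is consulted, src_mac is never compared with the ARP table, so
    a frame carrying user1's IP from user2's MAC is forwarded."""
    return frame.src_ip.startswith(LOCAL_NET) and not frame.dst_ip.startswith(LOCAL_NET)


def reply_dst_mac(dst_ip: str) -> str:
    """Layer-2 destination for traffic *to* a local IP. The permanent entry
    is never replaced by a learned or gratuitous ARP, so replies to user1's
    IP go to user1's MAC regardless of who sent the request."""
    return PERMANENT_ARP[dst_ip]


def detect_mac_mismatch(frames):
    """The check the router does not perform: report frames whose source
    MAC differs from the permanent entry for their source IP."""
    alerts = []
    for f in frames:
        expected = PERMANENT_ARP.get(f.src_ip)
        if expected is not None and expected != f.src_mac:
            alerts.append((f.src_ip, f.src_mac, expected))
    return alerts


# Constructed traffic: an honest frame from user1, then a frame in which
# user2's host sends with user1's IP address.
SAMPLE = [
    Frame("00:14:85:84:af:c8", "10.2.0.2", "198.51.100.7"),
    Frame("00:0f:ea:a4:60:c5", "10.2.0.2", "198.51.100.7"),
]
```

Both sample frames are forwarded, the reply for 10.2.0.2 still goes to user1's MAC, and only the monitor-side check reports the second frame.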


