ARP Complaints
From: Malome Khomo (mkhomo_at_ostecs.com)
Date: 02/17/04
- Previous message: Peter Matulis: "Re: linksys wap behind obsd firewall"
- Next in thread: Malome Khomo: "Re: ARP Complaints"
- Reply: Malome Khomo: "Re: ARP Complaints"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Mon, 16 Feb 2004 22:54:25 -0600
Hi folks,
Downsizing my DMZ hosts onto one system and am having arp complaints
from the kernel.
The platform is an obsd33/sparc equipped with a QuadEther sbus card.
Initially it had the following interfaces active:
INTERNAL INTF [SYSTEM] EXTL INTERFACE
10.66.166/216/8[qe2][SYSTEM][le0]W.X.Y.Z/29
All was OK. QE2 was used sporadically as a laptop docking station.
Then I added a second internal and external. The external was leading to
localhost and the internal to a separate 10/8 network switch:
10.66.166/216/8[qe2][SYSTEM][le0]W.X.Y.Z1/29
10.0.0.66/8[qe3][SYSTEM][qe0]W.X.Y.Z2/29
But nothing would route to them until I made them singleton networks
10.0.0.66/32[qe3][SYSTEM][qe0]W.X.Y.Z2/32
I also shut down the interface qe2 which was intermittently used as a
docking station.
Then the arp warnings started to come:
Mmm dd hh:mm:ss host /bsd: arp: attempt to add entry for 10.A.B.C on qe3
Here 10.A.B.C was an internal subnet router/firewall whose netmask is /8,
so I changed qe3's mask back to /8 and explicitly added a route directive
in hostname.qe3.
This seems to work to my satisfaction since 10.A.B.C is one hop away
from 10.0.0.66.
Until then nearby 10/8 hosts would not find 10.0.0.66, and had to be
routed to [SYSTEM] via the outside, which entailed another NAT/PF firewall.
But once I did that, arp began to complain on the external side:
Mmm dd hh:mm:ss host /bsd: arp: attempt to add entry for W.X.Y.Z3 on le0 by EtherAdrsA qe0
Mmm dd hh:mm:ss host /bsd: arp: attempt to add entry for W.X.Y.Z4 on le0 by EtherAdrsB qe0
EtherAdrsA and EtherAdrsB were other hosts in the DMZ, and they take the
mask to be /29
Again making the netmasks match silenced arp. Also added an explicit
second route into W.X.Y.Z:
10.0.0.66/8[qe3][SYSTEM][qe0]W.X.Y.Z2/29
But now I have two routes into W.X.Y.Z. One through le0 and the second
through qe0.
Again, as in the very beginning, I cannot 'ping' W.X.Y.Z2 from localhost
(SYSTEM console), although other remote hosts can.
Is this bad or will the kernel treat them as normal?
PS: Nodename/Hostname belongs to le0.
Should I route default from W.X.Y.Z2 through 127.0.0.1?
I plan to replicate this on a few sites (w/ obsd34), and it would be
nice to clean this up ahead of time.
Conversely, could I revert to the singleton W.X.Y.Z2/32 on qe0 if the
Arp warnings are actually harmless?
MK