Static ARP with many interfaces problem

[lokapal]

Probably, I missed something or there are exists some hidden knowledge - how can I properly use static ARP in the case of many ethernet interfaces (i.e. in almost any normal server/router)? arp command even in 8.2 doesn't have -i (interface) suboption for adding info from file or for adding pairs directly. Moreover, it always adds these pairs to the first physical ethernet listed in the system. E.g. - I have two interfaces re0 (WAN) and rl0 (LAN). I'm trying to use static ARP resolution at LAN but to no avail -
ifconfig rl0 staticarp
arp -d -i rl0 -a
and arp table for rl0 is empty.

How could I populate it with my entries - if I try to add any IP/MAC pair - it goes to first interface (re0), if I try to add -i rl0 option to -s or to -S arp tells that "this suboption is not supported".

Frankly speaking, I feel very strange - I use FBSD FreeBSD on various systems since 1995, I simply cannot believe that there is no solution for this simplest problem in the networking/server oriented OS.

P.S. - every linux has -i suboption for all arp options.

 

[ecazamir]

FreeBSD uses only one route to a specified network on a specific FIB.
arp utility seems to use the routing table to find the proper interface for a specific subnet.
I assume that you can't send ARP requests if the routing table does not have any reference to a directly connected network containing the IP adress/MAC pair you want to add.
What is the real world use of the ability to set a IP/MAC pair for a network interface if that network interface is not directly connected to that specific network?
I assume you try setting ARP 11:11:11:11:FF:11 for 192.0.2.2 on the interface named eth1, that interface having no IP address assigned into 192.0.2.0/24 range.

 

[SirDice]

I'm trying to use static ARP resolution at LAN

Why do you want to use static ARP? I mean, what are you trying to accomplish?

 

[lokapal]

Why do you want to use static ARP? I mean, what are you trying to accomplish?

I'm trying to limit the access to router/Internet from unregistered/unknown computers in the academic computing environment (no switches with VLAN/802.11 possibilities etc). I know that it can be fooled by intentionally replacing own MAC, setting known pair IP/MAC, and easy can be done by listening to the network traffic. First of all, 99% of users/computer owners don't know how to do it. Secondary, if somebody will be caught in disrupting network functionality - well, it's the administrative problem.
As a matter of fact I'm trying to replace working Mikrotik (that has this feature and it works well) with FreeBSD system.

 

[SirDice]

I'm trying to limit the access to router/Internet from unregistered/unknown computers in the academic computing environment (no switches with VLAN/802.11 possibilities etc).

Force everybody through a proxy with authentication.

Using static ARP for this purpose is going to be an administrative nightmare. You also need to realize if a computer is behind a router the MAC address will be that of the router, not the computer.

 

[lokapal]

arp utility seems to use the routing table to find the proper interface for a specific subnet.
I assume you try setting ARP 11:11:11:11:FF:11 for 192.0.2.2 on the interface named eth1, that interface having no IP address assigned into 192.0.2.0/24 range.

If it would be so, I'll be happy user/admin without any questions. The trouble is thas, as I said, FreeBSD always put IP/MAC pairs to the FIRST hardware ethernet. So my WAN that has address 193.232.xx.xx is populated by 230 pairs like 192.168.0.243 AA:BB:CC:DD:EE:FF and LAN address that has IP 192.168.0.1 have empty table at all. I'll post screenshots at Monday, right now router is reformatted temporarily

 

[lokapal]

Force everybody through a proxy with authentication.
Using static ARP for this purpose is going to be an administrative nightmare.

Well, it's working well for 6 years already, and it's definitely not nightmare, if we have not more than 400 computers (excluding WiFi notebooks). Moreover, proxy with authentication is good only for HTTP. What's about Skype/POP3/SMTP/IMAP/ICQ/Jabber/etc/etc/etc?
Anyway, to use it or not to use - it's administrative question. The software question is that I fear that FreeBSD lacks this functionality, and I definitely will not analyze IP/MAC pairs at the higher OSI level...

 

[kpa]

Static ARP definitely works here on my firewall running 9.0-RC3. In my setup rl2 is kind of secondary WAN that is just not used for anything atm, it's not the first ethernet interface in the system:

root@firewall ~ # ifconfig -l
rl0 fwe0 fwip0 rl1 rl2 vr0 plip0 lo0 pflog0

root@firewall ~ # netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            a.b.c.1        UGS         0   668060    vr0
10.71.1.0/24       link#5             U           0        4    rl2
10.71.1.101        link#5             UHS         0        0    lo0
10.71.13.0/24      link#1             U           0  1040510    rl0
10.71.13.1         link#1             UHS         0    16821    lo0
a.b.c.0/19     link#11            U           0        6    vr0
a.b.c.d       link#11            UHS         0        0    lo0
127.0.0.1          link#13            UH          0      116    lo0

root@firewall ~ # ifconfig rl2 staticarp

root@firewall ~ # ifconfig rl2
rl2: flags=88843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP> metric 0 mtu 1500
        options=3808<VLAN_MTU,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:30:18:a9:66:cd
        inet 10.71.1.101 netmask 0xffffff00 broadcast 10.71.1.255
        inet6 fe80::230:18ff:fea9:66cd%rl2 prefixlen 64 scopeid 0x5
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active


root@firewall ~ # ping 10.71.1.1
PING 10.71.1.1 (10.71.1.1): 56 data bytes
ping: sendto: Invalid argument



root@firewall ~ # arp -s 10.71.1.1 00:04:ed:67:56:44
root@firewall ~ # arp -an
? (a.b.c.86) at 00:30:18:a4:b2:f2 on vr0 permanent [ethernet]
? (a.b.c.1) at 00:1a:30:2a:a0:c0 on vr0 expires in 516 seconds [ethernet]
? (10.71.1.101) at 00:30:18:a9:66:cd on rl2 permanent [ethernet]
? (10.71.1.1) at 00:04:ed:67:56:44 on rl2 permanent [ethernet]
? (10.71.13.1) at 00:30:18:a9:66:cb on rl0 permanent [ethernet]
? (10.71.13.100) at 6c:f0:49:d3:b4:00 on rl0 expires in 772 seconds [ethernet]
? (10.71.13.102) at 00:1d:7d:03:77:6e on rl0 expires in 1194 seconds [ethernet]

root@firewall ~ # ping 10.71.1.1
PING 10.71.1.1 (10.71.1.1): 56 data bytes
64 bytes from 10.71.1.1: icmp_seq=0 ttl=64 time=1.845 ms
...

 

[ecazamir]

FreeBSD always put IP/MAC pairs to the FIRST hardware ethernet.

I doubt. read kpa's example above, rl2 is not the first interface on his system. But it is the interface configured as directly connected to a network containing the ip/mac pair added with ARP.

Anyway, MAC cloning is so trivial, so I assume using static ARP won't fix any security threats.

 

[kpa]

I guess "first" interface here refers to the one with the default route and not the first in the list that you get with $ ifconfig -l. The point still stands, you must have a route set up to the directly connected network in the routing table before you can use arp(1) to add the IP/MAC pairs.