vlan and staticarp

[blackjack]

Hi all.
I am using FreeBSD as gate to internet.

Code:

FreeBSD router.local.net.ua 7.0-RELEASE FreeBSD 7.0-RELEASE #1: Fri Jun 13 17:26:05 EEST 2008     admin@router.local.net.ua:/usr/src/sys/i386/compile/GATE  i386

I have a 10 VLAN and two NIC

Code:

ifconfig

Code:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.21.124 netmask 0xffffff00 broadcast 172.16.21.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:1d:0f:bd:8f:7b
	inet 81.21.xx.xx1 netmask 0xfffffff8 broadcast 81.21.xx.xxx
	inet 81.21.xx.xx2 netmask 0xfffffff8 broadcast 81.21.xx.xxx
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.24.124 netmask 0xffffff00 broadcast 172.16.24.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 11 parent interface: em0
vlan22: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.22.124 netmask 0xffffff00 broadcast 172.16.22.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 22 parent interface: em0
vlan23: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.23.124 netmask 0xffffff00 broadcast 172.16.23.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 23 parent interface: em0
vlan25: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.25.124 netmask 0xffffff00 broadcast 172.16.25.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 25 parent interface: em0
vlan26: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.26.124 netmask 0xffffff00 broadcast 172.16.26.255
	inet 192.168.101.100 netmask 0xffffff00 broadcast 192.168.101.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 26 parent interface: em0
vlan30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.30.124 netmask 0xffffff00 broadcast 172.16.30.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 30 parent interface: em0
vlan31: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.31.124 netmask 0xffffff00 broadcast 172.16.31.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 31 parent interface: em0
vlan32: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.32.124 netmask 0xffffff00 broadcast 172.16.32.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 32 parent interface: em0
vlan33: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.33.124 netmask 0xffffff00 broadcast 172.16.33.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 33 parent interface: em0
vlan40: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.40.124 netmask 0xffffff00 broadcast 172.16.40.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 40 parent interface: em0
vlan100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.100.124 netmask 0xffffff00 broadcast 172.16.100.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 100 parent interface: em0

I create file /etc/staticarp/static.mac with IP adderss and mac address of local clients like this:

Code:

172.16.100.30 00:1d:0f:c4:10:ad pub

then set IP-MAC

Code:

arp -f /etc/staticarp/static.mac

Then i did

Code:

ifconfig vlan100 staticarp

Code:

vlan100: flags=88843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.100.124 netmask 0xffffff00 broadcast 172.16.100.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 100 parent interface: em0

And this work some time (1 hour or 2) but then all vlan stop work and ping looks like this

Code:

ping 172.16.100.52

Code:

ping: sendto: invalid argument

Code:

netstat -rn

Code:

172.16.100.1    link#34            UHLW          0        0 vlan100
....
172.16.100.254    link#34            UHLW          0        0 vlan100

I need to use this because in local network somebody arp spoof or it is a virus.
This is the log when spoofing is active.

Code:

Sep 19 19:37:29 router kernel: arp: 172.16.24.155 moved from 00:0f:ea:3b:34:91 to 00:0f:ea:f6:c3:de on vlan11
Sep 19 19:37:29 router kernel: arp: 172.16.24.183 moved from 00:0f:ea:3b:34:91 to 00:11:5b:7a:85:c5 on vlan11
Sep 19 19:37:29 router kernel: arp: 172.16.24.192 moved from 00:0f:ea:3b:34:91 to 00:02:2a:e1:e8:bf on vlan11
Sep 19 19:37:29 router kernel: arp: 172.16.24.218 moved from 00:0f:ea:3b:34:91 to 00:19:e0:13:cb:ee on vlan11
Sep 19 19:37:29 router kernel: arp: 172.16.24.220 moved from 00:0f:ea:3b:34:91 to 00:14:2a:84:be:94 on vlan11
Sep 19 19:37:29 router kernel: arp: 172.16.24.231 moved from 00:0f:ea:3b:34:91 to 00:0f:ea:c1:7e:41 on vlan11

Why this does not work? Why disappear route to hosts in vlan? Why arp table refresh when interface cofigured to use static record IP-MAC?
This is my topics
http://forum.lissyara.su/viewtopic.php?f=8&t=11136&p=110421&hilit=Борьба#p99856
http://www.opennet.ru/openforum/vsluhforumID1/82574.html
PS. Sorry for bad english.

 

[SirDice]

I need to use this because in local network somebody arp spoof or it is a virus.

Maybe you should fix the problem instead of the symptoms?

 

[blackjack]

It is impossible. In local network 854 clients. I can`t go to every client and control his computer.

 

[SirDice]

It is impossible. In local network 854 clients. I can`t go to every client and control his computer.

Not impossible.. We have 60.000 workstations.. It takes a bit of networking-fu to trace it through all the routers and switches. But in the end you'll know the switch and the port. After that it's just a matter of following the cable

 

[tbyte]

But there is still a problem, the thing he is doing should work.

 

[blackjack]

Its my configs.

 

[Alt]

I create file /etc/staticarp/static.mac with IP adderss and mac address of local clients like this:
Code:

172.16.100.30 00:1d:0f:c4:10:ad pub

Try records without "pub":
172.16.100.30 00:1d:0f:c4:10:ad
This option dont worked for me when i used same technique.

 

[blackjack]

No, it doesn`t work.

 

[Alt]

man arp

If the word pub is given,
the entry will be ``published''; i.e., this system
will act as an
ARP server, responding to requests for hostname even though the
host address is not its own.

Тоесть при использовании параметра pub шлюз начинает отвечать *вместо* данного айпишника. Отсюда и изменеия адресов. У меня было что при использовании ее начинались конфликты у абонентов.. Вобщем то что ты хочешь, с pub неработает=) А вообще, я так делал(без пуба) и должно работать....
Может у тебя по крону интерфейсы пересоздаются или рестартятся както?

 

[blackjack]

Ну попробую еще раз. Пусть так и будет. Если не будет работать, значит у меня карма плохая

 

[blackjack]

Any suggestion?

 

[bsdfunn]

ipguard - tool designed to protect LAN IP adress space by ARP spoofing.

ipguard listens network for ARP packets. All permitted MAC/IP pairs listed in 'ethers' file. If it recieves one with MAC/IP pair, which is not listed in 'ethers' file, it will send ARP reply with configured fake address. This will prevent not permitted host to work properly in this ethernet segment.


http://ipguard.deep.perm.ru/

 

[blackjack]

Thank you. I will try it.