From owner-freebsd-questions@FreeBSD.ORG Sat Sep 27 16:31:39 2003
Date: Sat, 27 Sep 2003 16:55:35 +0000
From: Nathan Kinkade
To: Drew Tomlinson
Cc: FreeBSD Questions
Subject: Re: ARP Question - Maybe?
Message-ID: <20030927165534.GB696@npkfbsd>
In-Reply-To: <002f01c38547$10d89ef0$0301a8c0@bigdaddy>
References: <002f01c38547$10d89ef0$0301a8c0@bigdaddy>
User-Agent: Mutt/1.4.1i
On Sat, Sep 27, 2003 at 03:31:16PM -0700, Drew Tomlinson wrote:
> I'm trying to get a Linksys WET11 Wireless Ethernet Bridge working with a
> D-Link 530 NIC that uses the rl driver. I have configured the bridge and
> gotten it to work with a Windows XP box if I tell the bridge to use "MAC
> address cloning". However I can not get it working on my 4.8 FBSD box.
>
> I'm not really sure but I suspect my problem might be with ARP? The rl0
> interface is configured as 192.168.100.2 and the bridge is connected to this
> interface. The bridge is configured with an IP address of 192.168.100.225
> but as I understand it, this is only the address to use when connecting to
> the web-based configuration utility. I have a Linksys access point with IP
> of 192.168.100.1.
>
> Anyway, after attempting connections to these three addresses, my arp table
> looks like this:
>
> ? (192.168.100.1) at (incomplete) on rl0 [ethernet]
> ? (192.168.100.2) at 00:05:5d:d0:ba:67 on rl0 permanent [ethernet]
> ? (192.168.100.225) at (incomplete) on rl0 [ethernet]
>
> I can not get any response from any device beyond the rl0 interface. I
> set up ipfw to log all traffic to that interface and can see the traffic
> going out:
>
> Sep 27 15:18:04 blacksheep /kernel: ipfw: 50 Accept ICMP:8.0 192.168.100.2
> 192.168.100.1 out via rl0
>
> Sep 27 15:24:00 blacksheep /kernel: ipfw: 50 Accept ICMP:8.0 192.168.100.2
> 192.168.100.225 out via rl0
>
> Can anyone educate me on arp and if it's my problem, tell me what I might
> need to add to my arp table to get things going?
>
> Thanks,
>
> Drew

I had this problem recently. Turns out that when ipfw is used in conjunction
with bridging (net.link.ether.bridge_ipfw=1), your default rule must be to
allow all. You can mitigate this by making your last rule something like:

	deny { tcp or udp } from any to any

This should basically block pretty much any traffic that you are probably
worried about. To test that this is the problem, disable the firewall
temporarily, maybe with something like:

	# sysctl net.link.ether.bridge_ipfw=0

then try your network. If it works, then re-enable ipfw by setting the above
parameter back to 1. Then take a look at your arp cache expiry with `arp -an'
and make note as to whether the net breaks again as soon as the arp entry
expires. You can set ipfw to use a default rule of accepting by adding this
option to your kernel config:

	options IPFIREWALL_DEFAULT_TO_ACCEPT

Nathan
-- 
gpg --keyserver pgp.mit.edu --recv-keys D8527E49
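The diagnostic Drew did by hand above, correlating the ipfw log against the arp table, is worth automating when you have more than three hosts. The following Python script is an added example and is not code from either message or from FreeBSD; it parses the FreeBSD 4.x `arp -an` and ipfw syslog formats exactly as they appear in the thread and reports, for every destination that ipfw logged as accepted outbound traffic, whether the kernel has a MAC for it. An "incomplete" entry means the stack sent ARP requests and never received a usable reply, which is the symptom to look at when a bridge or a default-deny firewall sits between you and the peer. The sample input below is constructed from the lines Drew posted; the function and variable names are my own.

```python
import re

# FreeBSD 4.x `arp -an` line, e.g.
#   ? (192.168.100.1) at (incomplete) on rl0 [ethernet]
#   ? (192.168.100.2) at 00:05:5d:d0:ba:67 on rl0 permanent [ethernet]
ARP_RE = re.compile(
    r"^\S+ \((?P<ip>\d+(?:\.\d+){3})\) at "
    r"(?P<mac>\(incomplete\)|(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) "
    r"on (?P<iface>\S+)(?P<rest>.*)$"
)

# ipfw log line as syslogd writes it, e.g.
#   ... /kernel: ipfw: 50 Accept ICMP:8.0 192.168.100.2 192.168.100.1 out via rl0
# TCP/UDP lines carry :port after each address, hence the optional groups.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)? (?P<dst>\d+(?:\.\d+){3})(?::\d+)? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_arp(text):
    """Return {ip: {"mac": str or None, "iface": str, "permanent": bool}}."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an ARP entry
        mac = None if m["mac"] == "(incomplete)" else m["mac"].lower()
        table[m["ip"]] = {
            "mac": mac,
            "iface": m["iface"],
            "permanent": "permanent" in m["rest"].split(),
        }
    return table


def parse_ipfw_log(text):
    """Return one dict per recognised ipfw log line (rule, action, proto, ...)."""
    return [m.groupdict() for m in (IPFW_RE.search(l) for l in text.splitlines()) if m]


def diagnose(arp_text, log_text):
    """Classify every destination with accepted, outbound traffic by its ARP state.

    resolved   - a MAC is cached; layer 2 works, look elsewhere
    incomplete - ARP requests went out but no reply reached the stack
    missing    - no entry at all (sent via a gateway, or already expired)
    """
    arp = parse_arp(arp_text)
    result = {}
    for e in parse_ipfw_log(log_text):
        if e["dir"] != "out" or e["action"].lower() != "accept":
            continue  # only traffic the firewall let out can tell us anything
        entry = arp.get(e["dst"])
        if entry is None or entry["iface"] != e["iface"]:
            state = "missing"
        elif entry["mac"] is None:
            state = "incomplete"
        else:
            state = "resolved"
        result[e["dst"]] = state
    return result


# Constructed sample input, reproducing the lines quoted in the thread.
SAMPLE_ARP = """\
? (192.168.100.1) at (incomplete) on rl0 [ethernet]
? (192.168.100.2) at 00:05:5d:d0:ba:67 on rl0 permanent [ethernet]
? (192.168.100.225) at (incomplete) on rl0 [ethernet]
"""

SAMPLE_LOG = """\
Sep 27 15:18:04 blacksheep /kernel: ipfw: 50 Accept ICMP:8.0 192.168.100.2 192.168.100.1 out via rl0
Sep 27 15:24:00 blacksheep /kernel: ipfw: 50 Accept ICMP:8.0 192.168.100.2 192.168.100.225 out via rl0
"""

if __name__ == "__main__":
    for ip, state in sorted(diagnose(SAMPLE_ARP, SAMPLE_LOG).items()):
        print(f"{ip:16} {state}")
```

On a live box you would feed it `arp -an` and the relevant lines from /var/log/security (or wherever ipfw logs land) instead of the embedded samples; two "incomplete" results for hosts that are known to be up is the pattern that points at layer 2 rather than at routing or the firewall's IP rules.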