public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] ARP-Caching of non-link-local adresses
@ 2012-01-04 16:17 Peter Pan
  2012-01-04 17:28 ` Pandu Poluan
  2012-01-04 17:55 ` Pandu Poluan
  0 siblings, 2 replies; 6+ messages in thread
From: Peter Pan @ 2012-01-04 16:17 UTC
  To: gentoo-user



Hi list,

I'm kind of in despair.

The history: We recently brought up a new firewall with Gentoo.

There are (as far as I can tell) some big nets behind this firewall (1x public /24, 2x public /27, 1x public /26, at least 2 private /24).

Filtering is done via iptables, and snort should act as IPS on the software bridge br0. If it helps: there is also ip rule involved for source-based routing.

The new firewall replaces an older Gentoo system which did not show this behavior. We therefore copied several config files from the old one to the new one.

After going live, it runs well for a few hours and then becomes unreachable (also for hosts behind the bridge).

dmesg / kern.log reported a neighbor table overflow at that time, and indeed, arp -n | wc -l showed a lot of entries.

As Google suggested, we then adjusted /proc/sys/net/ipv4/neigh/default/ to:

gc_thresh1 -> 8192
gc_thresh2 -> 16384
gc_thresh3 -> 32768

Firing an "arp -d $bogus-ip-address" fails with "SIOCDARP(dontpub): Network is unreachable"; adding -i br0 doesn't fail, but does not remove the line from the arp table (it only says "incomplete" after grepping arp -n again).

Therefore we are currently killing the arp cache with "ip link set arp off dev br0 && ip link set arp on dev br0" from a cronjob.

The combination of these workarounds keeps the firewall reachable and "alive".

After stabilizing, we looked at the output of arp -n and noticed that about 99(.999)% of the roughly 11,000 (and rising) arp cache entries contained public addresses for which the bridge of the firewall should not feel responsible (e.g. the public Google DNS resolver and a load more).

The MAC entry for these public addresses is always the one of our router, which is for sure the correct next hop.

But from my understanding, it should only arp-cache "our" nets directly on the cable and not those public ones.

It looks like a configuration issue, but I don't know where to start looking. I've already checked the default gateway, netmasks and broadcast addresses, and to me they look fine, so any poke where to start looking is greatly appreciated.

In case it will help, I attached the /etc/conf.d/net, ifconfig -a and route -n.

If something else is needed, feel free to ask.

Hope anyone can help.

Thanks in advance,

Ralf



[-- Attachment #2: route-n.txt --]
[-- Type: text/plain, Size: 1342 bytes --]

host ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         89.XXX.XXX.3    0.0.0.0         UG    0      0        0 br0
10.23.42.2      0.0.0.0         255.255.255.255 UH    0      0        0 ppp1
87.186.224.50   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
89.XXX.XXX.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
134.XX.X.0      0.0.0.0         255.255.255.0   U     0      0        0 lan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 lan
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 mgm
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.9.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 tun1
192.168.42.0    0.0.0.0         255.255.255.0   U     0      0        0 tun1
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 wlan
213.XXX.140.0   0.0.0.0         255.255.255.224 U     0      0        0 br0
213.XXX.141.96  0.0.0.0         255.255.255.224 U     0      0        0 br0
213.XXX.143.128 0.0.0.0         255.255.255.192 U     0      0        0 br0

[-- Attachment #3: net.txt --]
[-- Type: text/plain, Size: 3011 bytes --]

modules=( "iproute2" )

config_dsl="null"

config_lan="192.168.1.110 netmask 255.255.255.0 brd 192.168.1.255
        134.XX.X.102 netmask 255.255.255.240 brd 134.XX.X.111
        134.XX.X.103 netmask 255.255.255.240 brd 134.XX.X.111
        134.XX.X.104 netmask 255.255.255.240 brd 134.XX.X.111
        134.XX.X.105 netmask 255.255.255.240 brd 134.XX.X.111
        134.XX.X.106 netmask 255.255.255.240 brd 134.XX.X.111
        134.XX.X.107 netmask 255.255.255.240 brd 134.XX.X.111
        134.XX.X.108 netmask 255.255.255.240 brd 134.XX.X.111
        134.XX.X.109 netmask 255.255.255.240 brd 134.XX.X.111
        134.XX.X.110 netmask 255.255.255.240 brd 134.XX.X.111"

config_mgm="192.168.2.254 netmask 255.255.255.0 brd 192.168.2.255"

config_dmz="null"

config_isp="null"

config_wlan="192.168.254.254 netmask 255.255.255.0 brd 192.168.254.255"

dns_domain_lan="herp.derp.local"
dns_servers_lan="192.168.1.XXX 192.168.1.XXY"
dns_search_lan="herp.derp.local"

#-----------------------------------------------------------------------------
# Bridging (802.1d)
bridge_br0="dmz isp"
config_br0="89.XXX.XXX.4 netmask 255.255.255.0 brd 89.XXX.XXX.255
                89.XXX.XXX.10 netmask 255.255.255.0 brd 89.XXX.XXX.255
                89.XXX.XXX.12 netmask 255.255.255.0 brd 89.XXX.XXX.255
                89.XXX.XXX.13 netmask 255.255.255.0 brd 89.XXX.XXX.255
                89.XXX.XXX.38 netmask 255.255.255.0 brd 89.XXX.XXX.255
                89.XXX.XXX.86 netmask 255.255.255.0 brd 89.XXX.XXX.255
                213.XXX.140.2 netmask 255.255.255.224 brd 213.XXX.140.31
                213.XXX.140.30 netmask 255.255.255.224 brd 213.XXX.140.31
                213.XXX.141.126 netmask 255.255.255.224 brd 213.XXX.141.127
                213.XXX.143.132 netmask 255.255.255.192 brd 213.XXX.143.191
                213.XXX.143.133 netmask 255.255.255.192 brd 213.XXX.143.191
                213.XXX.141.119 netmask 255.255.255.224 brd 213.XXX.141.127
                213.XXX.143.150 netmask 255.255.255.192 brd 213.XXX.143.191
                213.XXX.143.151 netmask 255.255.255.192 brd 213.XXX.143.191
                213.XXX.143.152 netmask 255.255.255.192 brd 213.XXX.143.191
                213.XXX.143.153 netmask 255.255.255.192 brd 213.XXX.143.191
                213.XXX.143.154 netmask 255.255.255.192 brd 213.XXX.143.191"

routes_br0="default via 89.XXX.XXX.3"

depend_br0() {
        before firewall
        need net.dmz net.ISP
        after net.dmz net.ISP
}

postup() {
        if [ "${IFACE}" = "isp" ]; then
                ebegin "Setting Interface ISP to 100 mbit full duplex..."
                /usr/sbin/ethtool -s isp speed 100 duplex full autoneg off
                eend $? "Can't set ISP-Settings!"
        fi

        if [ "${IFACE}" = "ppp0" ]; then
                ebegin "Adding rule"
                ip rule add from 192.168.1.0/24 table lan &>/dev/null
                eend $? "Can't set rule!"
        fi

}

[-- Attachment #4: ifconfig-a.txt --]
[-- Type: text/plain, Size: 5849 bytes --]

br0       Link encap:Ethernet  HWaddr 00:11:85:d6:71:8f
          inet addr:89.XXX.XXX.4  Bcast:89.XXX.XXX.255  Mask:255.255.255.0
          inet6 addr: fe80::211:85ff:fed6:718f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21543996 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21869156 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10737947552 (10.0 GiB)  TX bytes:10378221148 (9.6 GiB)

dmz       Link encap:Ethernet  HWaddr 00:11:85:d6:71:8f
          inet6 addr: fe80::211:85ff:fed6:718f/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:36445517 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27841566 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:31903525471 (29.7 GiB)  TX bytes:4987550990 (4.6 GiB)
          Interrupt:26

dsl       Link encap:Ethernet  HWaddr 00:1b:21:0f:41:41
          inet6 addr: fe80::21b:21ff:fe0f:4141/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2461659 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1701781 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2384306133 (2.2 GiB)  TX bytes:240457064 (229.3 MiB)

lan       Link encap:Ethernet  HWaddr 00:11:85:d6:71:90
          inet addr:192.168.1.110  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::211:85ff:fed6:7190/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16518448 errors:0 dropped:5243 overruns:0 frame:0
          TX packets:19568947 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4005459306 (3.7 GiB)  TX bytes:8126688260 (7.5 GiB)
          Interrupt:25

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:21543 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21543 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1992380 (1.9 MiB)  TX bytes:1992380 (1.9 MiB)

mgm       Link encap:Ethernet  HWaddr 00:1b:21:0f:41:43
          inet addr:192.168.2.254  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:79.XXX.XXX.XXX  P-t-P:87.186.224.50  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:2442227 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1682611 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:2319551313 (2.1 GiB)  TX bytes:201220349 (191.8 MiB)

ppp1      Link encap:Point-to-Point Protocol
          inet addr:10.XX.XX.X  P-t-P:10.XX.XX.X  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
          RX packets:110038 errors:0 dropped:0 overruns:0 frame:0
          TX packets:81827 errors:180 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:9280361 (8.8 MiB)  TX bytes:28518226 (27.1 MiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.9.1  P-t-P:192.168.9.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:265876 errors:0 dropped:0 overruns:0 frame:0
          TX packets:289363 errors:0 dropped:64 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:47003700 (44.8 MiB)  TX bytes:151698442 (144.6 MiB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.42.1  P-t-P:192.168.42.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:8516 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8559 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2155733 (2.0 MiB)  TX bytes:3801803 (3.6 MiB)

isp       Link encap:Ethernet  HWaddr 00:1b:21:0f:41:40
          inet6 addr: fe80::21b:21ff:fe0f:4140/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:25014276 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30773696 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6270023327 (5.8 GiB)  TX bytes:31096527998 (28.9 GiB)

wlan      Link encap:Ethernet  HWaddr 00:1b:21:0f:41:42
          inet addr:192.168.254.254  Bcast:192.168.254.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:21ff:fe0f:4142/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:350673 errors:0 dropped:0 overruns:0 frame:0
          TX packets:467172 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:49669601 (47.3 MiB)  TX bytes:207668041 (198.0 MiB)

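A check that turns Ralf's observation ("99% of the entries are public addresses, all with the router's MAC") into something repeatable, added here as an editor's example and not code from the thread: given the addresses configured on each interface and the neighbour cache, list every cache entry that falls outside the interface's own prefixes and count them per MAC. Assumptions: it reads the one-line formats of `ip -o -4 addr show` and `ip -4 neigh show`; the embedded sample output is constructed from RFC 5737 documentation addresses and is not the poster's data; 00:00:5e:00:53:01 stands in for the upstream router. On a host that only ARPs for its own subnets the result is empty.

```python
"""Audit the IPv4 neighbour (ARP) cache against the prefixes actually
configured on each interface.

Added example for this thread, not code from the original posts. It parses
`ip -o -4 addr show` (configured prefixes) and `ip -4 neigh show` (neighbour
cache) and lists cache entries whose address lies outside every prefix of
the interface they were learned on.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of `ip -o -4 addr show` (RFC 5737 addresses, not the poster's).
ADDRS = r"""
2: br0    inet 192.0.2.4/24 brd 192.0.2.255 scope global br0\       valid_lft forever preferred_lft forever
2: br0    inet 198.51.100.2/27 brd 198.51.100.31 scope global br0\       valid_lft forever preferred_lft forever
3: lan    inet 192.168.1.110/24 brd 192.168.1.255 scope global lan\       valid_lft forever preferred_lft forever
"""

# Constructed sample of `ip -4 neigh show`. 00:00:5e:00:53:01 plays the
# upstream router; 8.8.8.8 and friends should never be neighbours on br0.
NEIGH = """
192.0.2.3 dev br0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.12 dev br0 lladdr 00:00:5e:00:53:12 STALE
198.51.100.5 dev br0 lladdr 00:00:5e:00:53:05 REACHABLE
8.8.8.8 dev br0 lladdr 00:00:5e:00:53:01 STALE
8.8.4.4 dev br0 lladdr 00:00:5e:00:53:01 STALE
203.0.113.77 dev br0 lladdr 00:00:5e:00:53:01 REACHABLE
192.168.1.23 dev lan lladdr 00:00:5e:00:53:23 REACHABLE
10.9.9.9 dev lan  FAILED
"""

def configured_prefixes(addr_text):
    """dev -> list of IPv4 networks from `ip -o -4 addr show` output."""
    prefixes = defaultdict(list)
    for line in addr_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or "inet" not in tok:
            continue
        dev = tok[1]                       # "2: br0 inet 192.0.2.4/24 ..."
        cidr = tok[tok.index("inet") + 1]
        prefixes[dev].append(ipaddress.ip_network(cidr, strict=False))
    return prefixes

def parse_neigh(neigh_text):
    """(address, dev, mac_or_None, state) tuples from `ip -4 neigh show`."""
    entries = []
    for line in neigh_text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[1] != "dev":
            continue
        mac = tok[tok.index("lladdr") + 1] if "lladdr" in tok else None
        entries.append((ipaddress.ip_address(tok[0]), tok[2], mac, tok[-1]))
    return entries

def foreign_neighbours(addr_text, neigh_text):
    """Neighbour entries outside every configured prefix of their interface."""
    prefixes = configured_prefixes(addr_text)
    return [e for e in parse_neigh(neigh_text)
            if not any(e[0] in net for net in prefixes.get(e[1], []))]

def by_mac(entries):
    """Count foreign entries per (dev, MAC). Nearly all of them sharing one
    MAC, the gateway's, means this host is ARPing for off-link destinations
    and something on that segment answers for the whole Internet."""
    counts = defaultdict(int)
    for _, dev, mac, _ in entries:
        counts[(dev, mac)] += 1
    return dict(counts)

if __name__ == "__main__":
    bad = foreign_neighbours(ADDRS, NEIGH)
    for ip, dev, mac, state in bad:
        print(f"{str(ip):<16} {dev:<5} {mac or '-':<18} {state}")
    print(by_mac(bad))
```

On a live system replace the two constants with the real output, e.g. `subprocess.check_output(["ip", "-o", "-4", "addr", "show"], text=True)`. Point-to-point interfaces (ppp, tun) are NOARP and have no neighbour entries to audit. A host only sends an ARP request for a destination it believes is on-link, so a large count of foreign entries that all carry the gateway's MAC points at a route on the sending side that declares those destinations directly reachable; raising gc_thresh only delays the overflow.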

* Re: [gentoo-user] ARP-Caching of non-link-local adresses
  2012-01-04 16:17 [gentoo-user] ARP-Caching of non-link-local adresses Peter Pan
@ 2012-01-04 17:28 ` Pandu Poluan
  2012-01-04 17:31   ` Pandu Poluan
  2012-01-04 17:58   ` AW: " Peter Pan
  2012-01-04 17:55 ` Pandu Poluan
  1 sibling, 2 replies; 6+ messages in thread
From: Pandu Poluan @ 2012-01-04 17:28 UTC
  To: gentoo-user


On Jan 4, 2012 11:20 PM, "Peter Pan" <osaka@gmx.net> wrote:
>
> Hi list,
>

----- >8 snip

Try turning off proxy ARP on the internal and/or external interfaces.

Rgds,


* Re: [gentoo-user] ARP-Caching of non-link-local adresses
  2012-01-04 17:28 ` Pandu Poluan
@ 2012-01-04 17:31   ` Pandu Poluan
  2012-01-04 17:58   ` AW: " Peter Pan
  1 sibling, 0 replies; 6+ messages in thread
From: Pandu Poluan @ 2012-01-04 17:31 UTC
  To: gentoo-user


On Jan 5, 2012 12:28 AM, "Pandu Poluan" <pandu@poluan.info> wrote:
>
> ----- >8 snip
>
> Try turning off proxy ARP on the internal and/or external interfaces.
>

Bah, tapped "Send" accidentally. Here's a reference on turning ON Proxy ARP:

http://www.sjdjweis.com/linux/proxyarp/

Use "echo 0" to turn off.

If it works, make the concomitant changes in /etc/sysctl.conf

Rgds,


* Re: [gentoo-user] ARP-Caching of non-link-local adresses
  2012-01-04 16:17 [gentoo-user] ARP-Caching of non-link-local adresses Peter Pan
  2012-01-04 17:28 ` Pandu Poluan
@ 2012-01-04 17:55 ` Pandu Poluan
  2012-01-04 18:54   ` AW: " Peter Pan
  1 sibling, 1 reply; 6+ messages in thread
From: Pandu Poluan @ 2012-01-04 17:55 UTC
  To: gentoo-user


On Jan 4, 2012 11:20 PM, "Peter Pan" <osaka@gmx.net> wrote:
>
> Hi list,
>

----- >8 snip

Can you post the output of "ip rule sh"?

And for every table listed in the above, post the output of "ip route sh
table $TABLENAME"?

Rgds,


* AW: [gentoo-user] ARP-Caching of non-link-local adresses
  2012-01-04 17:28 ` Pandu Poluan
  2012-01-04 17:31   ` Pandu Poluan
@ 2012-01-04 17:58   ` Peter Pan
  1 sibling, 0 replies; 6+ messages in thread
From: Peter Pan @ 2012-01-04 17:58 UTC
  To: gentoo-user


Hi Pandu,

thanks for your reply.

As far as I can see, proxy_arp is not enabled on any interface:

host conf # pwd
/proc/sys/net/ipv4/conf
host conf # for f in $(find | grep -i proxy_arp | grep -v pvlan); do echo $f && cat $f; done
./all/proxy_arp
0
./default/proxy_arp
0
./lo/proxy_arp
0
./sit0/proxy_arp
0
./lan/proxy_arp
0
./dmz/proxy_arp
0
./isp/proxy_arp
0
./dsl/proxy_arp
0
./wlan/proxy_arp
0
./mgm/proxy_arp
0
./br0/proxy_arp
0
./ppp0/proxy_arp
0
./tun1/proxy_arp
0
./tun0/proxy_arp
0

Regards,

Ralf

 

From: Pandu Poluan [mailto:pandu@poluan.info]
Sent: Wednesday, 4 January 2012 18:29
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] ARP-Caching of non-link-local adresses

 


On Jan 4, 2012 11:20 PM, "Peter Pan" <osaka@gmx.net> wrote:
>
> ----- >8 snip
>

Try turning off proxy ARP on the internal and/or external interfaces.

Rgds,



* AW: [gentoo-user] ARP-Caching of non-link-local adresses
  2012-01-04 17:55 ` Pandu Poluan
@ 2012-01-04 18:54   ` Peter Pan
  0 siblings, 0 replies; 6+ messages in thread
From: Peter Pan @ 2012-01-04 18:54 UTC
  To: gentoo-user


Hi,

This is quite a large list with lots of hosts, but even grep -v of the larger /24 ones leaves the arp table at up to 10,000...

I've also heard (but never understood) that the lo interface should be up and running. This is true in this case, but I noticed that the routes for 127.0.0.1 are missing in some tables.

I slightly doubt that this is the root cause for the exploding arp cache, but I thought it's worth mentioning.

Thanks for your help, and regards,

here is the output:

host ~ # ip rule sh
0:      from all lookup local
32717:  from 192.168.254.0/24 lookup wlan
32718:  from 192.168.1.30 lookup dmz
32719:  from 192.168.1.129 lookup dmz
32720:  from 192.168.1.118 lookup dmz
32721:  from 192.168.1.117 lookup dmz
32722:  from 192.168.1.106 lookup owa
32723:  from 192.168.1.105 lookup dmz
32724:  from 192.168.1.103 lookup dmz
32725:  from 192.168.1.100 lookup dmz
32726:  from 192.168.1.99 lookup dmz
32727:  from 192.168.1.76 lookup dmz
32728:  from 192.168.1.56 lookup dmz
32729:  from 192.168.1.48 lookup dmz
32730:  from 192.168.1.39 lookup dmz
32731:  from 192.168.1.25 lookup dmz
32732:  from 192.168.1.24 lookup dmz
32733:  from 192.168.1.23 lookup dmz
32734:  from 213.XXX.143.128/26 lookup dmz
32735:  from 213.XXX.141.96/27 lookup dmz
32736:  from 213.XXX.140.0/27 lookup dmz
32737:  from 89.XXX.XXX.0/24 lookup dmz
32738:  from 10.23.47.0/24 lookup voip
32739:  from 10.23.42.0/24 lookup vpn2
32741:  from 192.168.1.0/24 lookup lan
32742:  from 192.168.1.30 lookup dmz
32743:  from 192.168.1.129 lookup dmz
32744:  from 192.168.1.118 lookup dmz
32745:  from 192.168.1.117 lookup dmz
32746:  from 192.168.1.106 lookup owa
32747:  from 192.168.1.105 lookup dmz
32748:  from 192.168.1.103 lookup dmz
32749:  from 192.168.1.100 lookup dmz
32750:  from 192.168.1.99 lookup dmz
32751:  from 192.168.1.76 lookup dmz
32752:  from 192.168.1.56 lookup dmz
32753:  from 192.168.1.48 lookup dmz
32754:  from 192.168.1.39 lookup dmz
32755:  from 192.168.1.25 lookup dmz
32756:  from 192.168.1.24 lookup dmz
32757:  from 192.168.1.23 lookup dmz
32758:  from 213.XXX.XXX.128/26 lookup dmz
32759:  from 213.XXX.XXX.96/27 lookup dmz
32760:  from 213.XXX.XXX.0/27 lookup dmz
32761:  from 89.XXX.XXX.0/24 lookup dmz
32762:  from 10.23.47.0/24 lookup voip
32763:  from 10.23.42.0/24 lookup vpn2
32765:  from 192.168.1.0/24 lookup lan
32766:  from all lookup main
32767:  from all lookup default

table wlan
host ~ # ip route show table wlan
default dev ppp0  scope link
89.XXX.XXX.0/24 dev br0  scope link
127.0.0.0/8 dev lo  scope link
192.168.1.0/24 dev lan  scope link
192.168.51.0/24 via 89.XXX.XXX.82 dev br0
192.168.52.0/24 via 89.XXX.XXX.82 dev br0
192.168.53.0/24 via 89.XXX.XXX.82 dev br0
192.168.113.0/24 via 192.168.1.113 dev lan
192.168.254.0/24 dev wlan  scope link
213.XXX.140.0/27 dev br0  scope link
213.XXX.141.96/27 dev br0  scope link
213.XXX.143.128/26 dev br0  scope link

table dmz
host ~ # ip route show table dmz
default dev br0  scope link
89.XXX.XXX.0/24 dev br0  scope link
127.0.0.0/8 dev lo  scope link
192.168.1.0/24 dev lan  scope link
192.168.7.0/24 dev tun0  scope link
192.168.9.0/24 dev tun0  scope link
192.168.20.0/24 dev tun1  scope link
192.168.42.0/24 dev tun1  scope link
192.168.51.0/24 via 89.XXX.XXX.82 dev br0
192.168.52.0/24 via 89.XXX.XXX.82 dev br0
192.168.53.0/24 via 89.XXX.XXX.82 dev br0
192.168.113.0/24 via 192.168.1.113 dev lan
192.168.254.0/24 dev wlan  scope link
213.XXX.140.0/27 dev br0  scope link
213.XXX.141.96/27 dev br0  scope link
213.XXX.143.128/26 dev br0  scope link

table owa
host ~ # ip route show table owa
default dev br0  scope link
89.XXX.XXX.0/24 dev br0  scope link
127.0.0.0/8 dev lo  scope link
192.168.1.0/24 dev lan  scope link
192.168.7.0/24 dev tun0  scope link
192.168.9.0/24 dev tun0  scope link
192.168.20.0/24 dev tun1  scope link
192.168.42.0/24 dev tun1  scope link
192.168.51.0/24 via 89.XXX.XXX.82 dev br0
192.168.52.0/24 via 89.XXX.XXX.82 dev br0
192.168.53.0/24 via 89.XXX.XXX.82 dev br0
192.168.113.0/24 via 192.168.1.113 dev lan
213.XXX.140.0/27 dev br0  scope link
213.XXX.141.96/27 dev br0  scope link
213.XXX.143.128/26 dev br0  scope link

table voip
host ~ # ip route show table voip
default dev lan  scope link
192.168.1.0/24 dev lan  scope link

table vpn2
host ~ # ip route show table vpn2
192.168.1.0/24 dev lan  scope link
213.XXX.140.0/27 dev br0  scope link
213.XXX.141.96/27 dev br0  scope link
213.XXX.143.128/28 dev br0  scope link

table lan
host ~ # ip route show table lan
default dev ppp0  scope link
46.137.XXX.148 dev br0  scope link
46.137.XXX.212 dev br0  scope link
62.52.XX.252 dev br0  scope link
62.XXX.14.0/24 dev br0  scope link
62.XXX.192.204 dev br0  scope link
78.46.XXX.24/29 dev br0  scope link
80.153.XX.139 dev br0  scope link
81.137.XX.94 dev br0  scope link
83.104.XXX.105 dev br0  scope link
89.XXX.XXX.0/24 dev br0  scope link
127.0.0.0/8 dev lo  scope link
192.168.1.0/24 dev lan  scope link
192.168.7.0/24 dev tun0  scope link
192.168.9.0/24 dev tun0  scope link
192.168.20.0/24 dev tun1  scope link
192.168.42.0/24 dev tun1  scope link
192.168.51.0/24 via 89.244.135.82 dev br0
192.168.52.0/24 via 89.244.135.82 dev br0
192.168.53.0/24 via 89.244.135.82 dev br0
192.168.113.0/24 via 192.168.1.113 dev lan
192.168.254.0/24 dev wlan  scope link
193.XXX.6.130 dev br0  scope link
193.XXX.12.0/24 dev br0  scope link
193.XXX.13.0/24 dev br0  scope link
193.XXX.14.0/24 dev br0  scope link
195.XXX.161.250 dev br0  scope link
212.XXX.12.0/24 dev br0  scope link
213.XXX.33.0/24 dev br0  scope link
213.XXX.140.0/27 dev br0  scope link
213.XXX.141.96/27 dev br0  scope link
213.XXX.143.128/26 dev br0  scope link

table main
host ~ # ip route show table main
default via 89.XXX.XXX.3 dev br0
87.186.224.XX dev ppp0  proto kernel  scope link  src 79.194.124.XXX
89.XXX.XXX.0/24 dev br0  proto kernel  scope link  src 89.XXX.XXX.4
127.0.0.0/8 via 127.0.0.1 dev lo
134.44.XXX.0/24 dev lan  proto kernel  scope link  src 134.44.XXX.102
192.168.1.0/24 dev lan  proto kernel  scope link  src 192.168.1.110
192.168.2.0/24 dev mgm  proto kernel  scope link  src 192.168.2.254
192.168.7.0/24 dev tun0  scope link
192.168.9.0/24 dev tun0  proto kernel  scope link  src 192.168.9.1
192.168.20.0/24 dev tun1  scope link
192.168.42.0/24 dev tun1  proto kernel  scope link  src 192.168.42.1
192.168.254.0/24 dev wlan  proto kernel  scope link  src 192.168.254.254
213.XXX.140.0/27 dev br0  proto kernel  scope link  src 213.XXX.140.2
213.XXX.141.96/27 dev br0  proto kernel  scope link  src 213.XXX.141.126
213.XXX.143.128/26 dev br0  proto kernel  scope link  src 213.XXX.143.132

host ~ # ip route show table default
host ~ #

 

 

From: Pandu Poluan [mailto:pandu@poluan.info]
Sent: Wednesday, 4 January 2012 18:56
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] ARP-Caching of non-link-local adresses

 


On Jan 4, 2012 11:20 PM, "Peter Pan" <osaka@gmx.net> wrote:
>
> Hi list,
>

----- >8 snip

Can you post the output of "ip rule sh"?

And for every table listed in the above, post the output of "ip route sh table $TABLENAME"?

Rgds,


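An editor's note and example, not part of the thread and not something the thread itself concludes. In the tables Ralf posted, dmz and owa carry `default dev br0  scope link`, and table lan declares a long list of foreign prefixes `dev br0  scope link`. A route without a `via` tells the kernel the destination is directly reachable on that link, so for any source matched by those rules the kernel sends an ARP request for the final destination itself (8.8.8.8, say) on br0. If the upstream router answers such requests with its own MAC, which is what proxy ARP on the router side does and is consistent with every foreign entry carrying the router's MAC, the neighbour cache gains one entry per Internet host contacted, which is the picture in the first post. The on-link defaults on ppp0 are harmless, since ppp is NOARP. The fix on the firewall side is `default via <gateway> dev br0` in every table (main already has it). The script below audits `ip rule show` plus the per-table `ip route show` output for exactly these two patterns; the NOARP interface list is an assumption, and the embedded sample tables are constructed from RFC 5737 addresses and shaped like the posted ones rather than copied from them.

```python
"""Audit policy-routing tables for routes that make the kernel ARP for
destinations that are not on the wire.

Added example for this thread, not code from the posts. Input is the text of
`ip rule show` plus `ip route show table <name>` for every table the rules
reference. Two findings are reported:
  ONLINK_DEFAULT  `default dev X` without `via`: every destination lacking a
                  more specific route is treated as directly reachable, so
                  the kernel ARPs for arbitrary Internet addresses on X.
  ONLINK_FOREIGN  a gateway-less route in a secondary table whose prefix is
                  not inside a connected prefix of the same interface in
                  `main`, i.e. someone else's address space declared on-link.
Interfaces that are NOARP (ppp, tun) never ARP, so they are skipped.
"""
import ipaddress
import re
from collections import defaultdict

NOARP_DEVS = {"ppp0", "ppp1", "tun0", "tun1"}   # assumption: take from `ip link`

# Constructed sample (RFC 5737 addresses), shaped like the tables posted above.
RULES = """\
0:      from all lookup local
32737:  from 192.0.2.0/24 lookup dmz
32741:  from 192.168.1.0/24 lookup lan
32766:  from all lookup main
32767:  from all lookup default
"""

TABLES = {
    "main": """\
default via 192.0.2.3 dev br0
192.0.2.0/24 dev br0 proto kernel scope link src 192.0.2.4
198.51.100.0/27 dev br0 proto kernel scope link src 198.51.100.2
192.168.1.0/24 dev lan proto kernel scope link src 192.168.1.110
""",
    "dmz": """\
default dev br0 scope link
192.0.2.0/24 dev br0 scope link
192.168.1.0/24 dev lan scope link
""",
    "lan": """\
default dev ppp0 scope link
203.0.113.0/24 dev br0 scope link
198.51.100.0/28 dev br0 scope link
192.0.2.0/24 dev br0 scope link
192.168.1.0/24 dev lan scope link
""",
}

ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")

def parse_routes(text):
    """(network, gateway or None, dev) for each line of `ip route show`."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, m.group("gw"), m.group("dev")))
    return routes

def tables_in_use(rules_text):
    """Table names referenced by `ip rule show`, in first-occurrence order."""
    names = []
    for line in rules_text.splitlines():
        m = re.search(r"lookup (\S+)\s*$", line)
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names

def connected_prefixes(main_routes):
    """dev -> prefixes the kernel installed for configured addresses
    (gateway-less and not the default route)."""
    conn = defaultdict(set)
    for net, gw, dev in main_routes:
        if gw is None and net.prefixlen > 0:
            conn[dev].add(net)
    return conn

def audit(rules_text, tables, noarp_devs=NOARP_DEVS):
    """(table, finding, detail) for every rule-referenced table we have."""
    findings = []
    conn = connected_prefixes(parse_routes(tables.get("main", "")))
    for name in tables_in_use(rules_text):
        if name not in tables:              # local/default are kernel-managed
            continue
        for net, gw, dev in parse_routes(tables[name]):
            if gw is not None or dev in noarp_devs:
                continue
            if net.prefixlen == 0:
                findings.append((name, "ONLINK_DEFAULT",
                                 f"default dev {dev}: use 'default via <gateway> dev {dev}'"))
            elif not any(net.subnet_of(c) for c in conn.get(dev, ())):
                findings.append((name, "ONLINK_FOREIGN",
                                 f"{net} dev {dev} is not inside a connected prefix of {dev}"))
    return findings

if __name__ == "__main__":
    for table, kind, detail in audit(RULES, TABLES):
        print(f"table {table:<5} {kind:<15} {detail}")
```

To run it against a live box, fill `TABLES` from `ip route show table <name>` for each name that `tables_in_use` returns; a more specific on-link route that sits inside a connected prefix (198.51.100.0/28 above) is legitimate and is not flagged. Checking proxy_arp on the router is the other half of the diagnosis and cannot be done from the firewall.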