Routing with APIPA address
-
Hi,
I have seen a few topics here with regards to APIPA routing and that this is something you should not do.
However I have a device here which is addressed (manually) to 169.254.0.1 and it is not possible to change this. I have tried several times to explain that to the vendor but no chance, so I have to find a way to solve it by myself. Hopefully someone can help me here as my network knowledge is not the best.
The setup is on a SG-2100:
I have ticked the APIPA Support in the advanced settings.
The WAN interface is set to 169.254.100.100/16. The device with address 169.254.0.1 is connected to the interface.
The LAN interface is a private network: 192.168.8.1/24.
FW rules are set up to reach the client from the LAN network and vice versa.
The FW can ping both WAN and LAN interfaces, the APIPA Device and also the other clients on the private Network.
However what is not working is to ping one of the clients in the LAN Network from the APIPA device.
APIPA Device (169.254.0.1) ---> PING ---> WAN Interface (169.254.100.100) : working
APIPA Device (169.254.0.1) ---> PING ---> LAN Interface (192.168.8.1) : working
APIPA Device (169.254.0.1) ---> PING ---> Client on the LAN Interface (192.168.8.101) : not working
Any idea how to solve this? I know it is a mess :-(
Thanks in advance
S
-
@s25a Client firewall? Do a packet capture on the LAN interface and see if the pings are getting through. If they are, it's a client issue.
-
Hi Kom,
thanks a lot for your quick reply :-)
21:59:22.053248 IP 169.254.0.1 > 192.168.8.101: ICMP echo request, id 1, seq 7902, length 40
21:59:27.056078 IP 169.254.0.1 > 192.168.8.101: ICMP echo request, id 1, seq 7903, length 40
That's the output.
The client can be pinged. (There are several devices in the LAN net and I can ping any to any.)
Thanks S
-
From RFC 3927
Router Considerations
"A router MUST NOT forward a packet with an IPv4 Link-Local source or
destination address, irrespective of the router's default route
configuration or routes obtained from dynamic routing protocols.
A router which receives a packet with an IPv4 Link-Local source or
destination address MUST NOT forward the packet. This prevents
forwarding of packets back onto the network segment from which they
originated, or to any other segment."
So, any router that complies with RFC 3927 will not route those addresses.
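Added example (editor's code, not part of the thread and not pfSense code): a small Python check that applies the RFC 3927 forwarding rule quoted above to tcpdump lines like the ones captured earlier in this thread. Any packet whose source or destination falls in 169.254.0.0/16 is one a compliant router refuses to forward. RFC 3927 also forbids a host from handing a packet with a link-local destination to a router at all, so a LAN client's echo reply addressed to 169.254.0.1 would be ARPed for on the LAN segment rather than sent back through the firewall; whether a particular client stack actually behaves that way is an assumption to confirm with a capture, not something this thread shows. The sample capture lines are constructed, modelled on the posted output, with two extra non-link-local lines added for contrast; the function names are the example's own.

```python
"""RFC 3927 forwarding check over tcpdump-style ICMP echo lines.

Added example for this thread; not code from the forum posts or from pfSense.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# 169.254.0.0/16 is the IPv4 Link-Local (APIPA) prefix defined by RFC 3927.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Summary-line format tcpdump prints for IPv4 ICMP echo traffic
# (same shape as the capture posted above).
TCPDUMP_ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), "
    r"length (?P<length>\d+)$"
)

# Constructed sample capture modelled on the one in the thread. The last two
# lines are invented non-link-local traffic so the contrast is visible.
SAMPLE_CAPTURE = [
    "21:59:22.053248 IP 169.254.0.1 > 192.168.8.101: ICMP echo request, id 1, seq 7902, length 40",
    "21:59:27.056078 IP 169.254.0.1 > 192.168.8.101: ICMP echo request, id 1, seq 7903, length 40",
    "21:59:30.000000 IP 192.168.8.101 > 192.168.8.1: ICMP echo request, id 2, seq 1, length 40",
    "21:59:30.000500 IP 192.168.8.1 > 192.168.8.101: ICMP echo reply, id 2, seq 1, length 40",
]


def is_link_local(addr: str) -> bool:
    """True for any address inside 169.254.0.0/16 (APIPA / IPv4 Link-Local)."""
    return ipaddress.ip_address(addr) in LINK_LOCAL


def router_may_forward(src: str, dst: str) -> bool:
    """RFC 3927 router rule: never forward a packet whose source OR destination
    is link-local, whatever the routing table or default route says."""
    return not (is_link_local(src) or is_link_local(dst))


def host_sends_via_router(dst: str) -> bool:
    """RFC 3927 host rule: a packet to a link-local destination is not handed to
    a router for forwarding; the host resolves it with ARP on its own segment.
    Whether a given client stack really does this must be checked with a capture."""
    return not is_link_local(dst)


def parse_tcpdump_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one tcpdump ICMP echo summary line; None if it does not match."""
    m = TCPDUMP_ICMP_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "kind": m["kind"],
        "id": int(m["id"]),
        "seq": int(m["seq"]),
        "length": int(m["length"]),
    }


def audit_capture(lines: List[str]) -> List[Dict[str, object]]:
    """Annotate each parsed line with the verdicts a compliant router and a
    compliant host would reach. Lines that do not parse are skipped."""
    audited = []
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt is None:
            continue
        pkt["router_forwards"] = router_may_forward(pkt["src"], pkt["dst"])
        # The reply direction swaps src and dst: will the replying host use its
        # default gateway, or ARP directly for the (link-local) original source?
        pkt["reply_via_router"] = host_sends_via_router(pkt["src"])
        audited.append(pkt)
    return audited


if __name__ == "__main__":
    for pkt in audit_capture(SAMPLE_CAPTURE):
        print(f"{pkt['src']:>15} -> {pkt['dst']:<15} {pkt['kind']:7} "
              f"router_forwards={pkt['router_forwards']} "
              f"reply_via_router={pkt['reply_via_router']}")
```

Running the block prints one verdict per capture line: the two requests from 169.254.0.1 are ones a compliant router would not forward, and a reply to 169.254.0.1 would not be sent to the gateway at all, which matches the one-way result described in the thread. To check a real capture, feed the output of `tcpdump -ni <lan-interface> icmp` into `audit_capture` line by line.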
-
@jknott
Yes I know that it is against this RFC 3927 recommendation. And I am really unhappy with the situation.
So is there really no chance to get this to work? If not, ok, I have to accept it and throw the device away. If yes, I would be happy if someone has an idea.
Does anybody know why pfSense has this APIPA support if it will not work in the end? Or did I misunderstand the option?
Thanks S
-
Have you considered a static arp, which assigns an IP address to a MAC address? You could use any address you want and just ignore that APIPA address. You'd do that on any computer you want to communicate with that device. That's easy enough if you just want to use one computer to connect. The static arp in pfsense doesn't seem to be the same as the one you'd do from FreeBSD. You can use the arp -s command to assign an IP address to the MAC address. If you did that on a subnet used only by that device it could be routed to through pfsense.
From the FreeBSD arp man page:
" -s hostname ether_addr
Create an ARP entry for the host called hostname with the Ether-
net address ether_addr. The Ethernet address is given as six hex
bytes separated by colons. The entry will be permanent unless
the word temp is given in the command. If the word pub is given,
the entry will be "published"; i.e., this system will act as an
ARP server, responding to requests for hostname even though the
host address is not its own. In this case the ether_addr can be
given as auto in which case the interfaces on this host will be
examined, and if one of them is found to occupy the same subnet,
its Ethernet address will be used."
The pub option looks interesting. If it does what I think, you could put that device in the same subnet.
-
One other thing, you'll want to put that command in a script that runs on boot up, otherwise it will be forgotten. I'm not familiar enough with FreeBSD, so perhaps someone else can advise the best way to do that.
-
Thanks a lot for your help :-)
I have never used ARP before and I am not sure how this works. I have to read about to learn.
But before doing this: As far as I understood from some other posts, pfSense integrated support for APIPA addresses. I have installed release 21.02 on my Netgate device and have an option to activate support for APIPA. So from my understanding it should work with the routing. I mean it does... at least it forwards the packets from the WAN interface to the LAN interface. The only thing that does not work then is that it does not forward to the LAN network.
Maybe I just forgot to tick something, or, just as another idea, I read something about Outbound rules. Maybe there's something I could do.
If that does not work, the idea with the static ARP could be a solution.
What I forgot to mention before: I used an OpenWrt router before I bought the SG-2100. With that device it was possible to route the packets. However there was an option called "masquerade" I had to tick. Otherwise it was not routing.
Thanks S
-
Yes, pfSense will not route APIPA traffic. The option that is available is to allow it pass the firewall, it is otherwise blocked by default. That enables you to ping to/from the device on the WAN directly or to route other subnets across an APIPA transport link etc.
What is this appliance? Maybe someone else has faced this problem and worked past it.
Steve
-
@s25a said in Routing with APIPA address:
However I have a device here which is addressed (manually) to 169.254.0.1
What device is this is a good question. Any device that would only use such an address - I would assume the makers of the device only it to be used from the same L2 network
-
Also, according to the RFC, those addresses are not to be pre-configured. They are supposed to use the automatic method.