Bridging wrong and arp: moved from MAC to 2ndMAC messages



  • I don't think I'm bridging this right.  I have a subnetted block of 8 IP addresses that are externally routable.  My ISP is setting up my WAN facing interface with DHCP on an IP not in my subnet, but they are routing the IP in my subnet to that interface.

    I have an IP Alias set on the WAN interface to listen to the first available IP in the subnet block (.177).  On the PFSense box, I have 3 other network cards, 172.16.1.0 is my upstairs, 172.16.2.0 is my downstairs renters, and a third interface that I've connected directly to my DMZ box.  I have this interface currently configured for 166.70.93.178.

    I have a DMZ webserver on 161.100.100.179 (the third available IP address in the publicly routable block my ISP gave me).

    I have bridged the WAN interface and the DMZ interface on the PFSense together, and this mostly works.

    I have the pfsense routing like this:

    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            68.77.88.1         UGS         0 56179582    dc0
    68.77.88.0/24      link#2             U           0  6098730    dc0
    68.77.88.118       link#2             UHS         0    37392    lo0
    127.0.0.1          link#7             UH          0     3025    lo0
    161.100.100.176/29 link#2             U           0    20407    dc0
    161.100.100.177    link#2             UHS         0        0    lo0
    161.100.100.178    link#3             UHS         0        0    lo0
    
    

    On the DMZ machine though, I'm getting errors that 161.100.100.177 (the WAN facing IP) is changing MAC addresses, flapping back and forth between the MAC address of the WAN interface (link #2) and the MAC address of the DMZ interface (link #3).

    From logs on DMZ server:

    
    Oct 15 12:45:49 test kernel: arp: 161.100.100.177 moved from 00:11:22:dd:22:33 to 00:dd:bb:11:cc:02 on fxp0
    Oct 15 12:45:51 test kernel: arp: 161.100.100.177 moved from 00:dd:bb:11:cc:02 to 00:11:22:dd:22:33 on fxp0
    
    

    The DMZ server is set up to route like this:

    
    Internet:
    Destination                Gateway                Flags    Refs      Use      Netif     Expire
    default                    161.100.100.177        UGS      59      8827997    fxp0
    127.0.0.1                  link#6                 UH        0      1384387    lo0
    161.100.100.176/29         link#2                 U         0          143    fxp0
    161.100.100.179            link#2                 UHS       0       259715    lo0
    
    

    I'm getting periodic connection issues to and from the internal networks, and I believe it is because the MAC address is likely swapping on the PFSense due to my configuration.

    I'm just hoping someone can instruct me on the best way to set this up? I've attached a diagram.



  • Rebel Alliance Developer Netgate

    If that block is really routed to you, you do not need to bridge. You would only need to bridge if the ISP has a gateway IP inside of your subnet.

    Even so, with a bridge you only put an IP on one of the interfaces. Never put an IP on two different interfaces inside of the same subnet. Either remove the IP alias from WAN, or set the IP address on DMZ to "none".

    Though as I mentioned before, if it's really routed to you, destroy the bridge, you don't need it. Then remove the IP alias from WAN and leave that subnet only configured on DMZ. You might need to reboot to make sure the routing/arp is all cleared up after having it misconfigured in that way.



  • Thanks Jimp, this seems to have worked.  I did as you said:

    1. Removed the IP Alias from the WAN
    2. Removed the bridge
    3. Set up the DMZ side of the PFSense iface card to accept on the subnet.

    Thanks so much.
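
The "arp: ... moved from ... to ..." messages quoted in the first post can be checked for automatically. The following is an added example, not part of the original thread: it parses kernel log lines in that format and reports any IP that moves to a second MAC and back within a short window, the pattern produced here by an address in the same subnet on both bridge members. The function name, the 60-second window, the year used for parsing and the third sample line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FreeBSD kernel message format, as quoted in the DMZ server log in this thread.
ARP_MOVED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+kernel:\s+arp:\s+"
    r"(?P<ip>\d+(?:\.\d+){3})\s+moved from\s+(?P<old>[0-9a-f:]{17})\s+"
    r"to\s+(?P<new>[0-9a-f:]{17})\s+on\s+(?P<iface>\S+)",
    re.IGNORECASE,
)

def find_flapping(lines, window=timedelta(seconds=60), year=2000):
    """Return {ip: [mac, mac]} for IPs that move to a MAC and back within `window`."""
    moves = defaultdict(list)
    for line in lines:
        m = ARP_MOVED.match(line.strip())
        if not m:
            continue
        # Syslog timestamps carry no year; `year` is an assumption for parsing.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        moves[m["ip"]].append((ts, m["old"].lower(), m["new"].lower()))
    flapping = {}
    for ip, events in moves.items():
        events.sort()
        # A flap is A -> B followed shortly by B -> A for the same IP.
        for (t1, old1, new1), (t2, old2, new2) in zip(events, events[1:]):
            if t2 - t1 <= window and old2 == new1 and new2 == old1:
                flapping[ip] = sorted({old1, new1})
                break
    return flapping

# First two lines are from the post; the third is constructed (a one-off move,
# such as a replaced NIC, which should not be reported as flapping).
SAMPLE = [
    "Oct 15 12:45:49 test kernel: arp: 161.100.100.177 moved from 00:11:22:dd:22:33 to 00:dd:bb:11:cc:02 on fxp0",
    "Oct 15 12:45:51 test kernel: arp: 161.100.100.177 moved from 00:dd:bb:11:cc:02 to 00:11:22:dd:22:33 on fxp0",
    "Oct 15 13:02:10 test kernel: arp: 161.100.100.180 moved from 00:aa:bb:cc:dd:01 to 00:aa:bb:cc:dd:02 on fxp0",
]

if __name__ == "__main__":
    for ip, macs in find_flapping(SAMPLE).items():
        print(f"{ip} is flapping between {macs[0]} and {macs[1]}")
```

An IP reported here is being answered for by two different interfaces on the segment, so the next step is to find which hosts own the two MACs.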

