Bridging wrong and arp: moved from MAC to 2ndMAC messages
-
I don't think I'm bridging this right. I have a subnetted block of 8 IP addresses that are externally routable. My ISP is setting up my WAN facing interface with DHCP on an IP not in my subnet, but they are routing the IP in my subnet to that interface.
I have an IP Alias set on the WAN interface to listen to the first available IP in the subnet block (.177). On the PFSense box, I have 3 other network cards, 172.16.1.0 is my upstairs, 172.16.2.0 is my downstairs renters, and a third interface that I've connected directly to my DMZ box. I have this interface currently configured for 166.70.93.178.
I have a DMZ webserver on 161.100.100.179 (the third available IP address in the publicly routable block my ISP gave me).
I have bridged the WAN interface and the DMZ interface on the PFSense together, and this mostly works.
I have the pfsense routing like this:
Internet:
Destination        Gateway      Flags Refs      Use Netif Expire
default            68.77.88.1   UGS      0 56179582   dc0
68.77.88.0/24      link#2       U        0  6098730   dc0
68.77.88.118       link#2       UHS      0    37392   lo0
127.0.0.1          link#7       UH       0     3025   lo0
161.100.100.176/29 link#2       U        0    20407   dc0
161.100.100.177    link#2       UHS      0        0   lo0
161.100.100.178    link#3       UHS      0        0   lo0
On the DMZ machine though, I'm getting errors that 161.100.100.177 (the WAN facing IP) is changing MAC addresses, flapping back and forth between the MAC address of the WAN interface (link #2) and the MAC address of the DMZ interface (link #3).
From logs on DMZ server:
Oct 15 12:45:49 test kernel: arp: 161.100.100.177 moved from 00:11:22:dd:22:33 to 00:dd:bb:11:cc:02 on fxp0
Oct 15 12:45:51 test kernel: arp: 161.100.100.177 moved from 00:dd:bb:11:cc:02 to 00:11:22:dd:22:33 on fxp0
The DMZ server is set up to route like this:
Internet:
Destination        Gateway          Flags Refs      Use Netif Expire
default            161.100.100.177  UGS     59  8827997  fxp0
127.0.0.1          link#6           UH       0  1384387   lo0
161.100.100.176/29 link#2           U        0      143  fxp0
161.100.100.179    link#2           UHS      0   259715   lo0
I'm getting periodic connection issues to and from the internal networks, and I believe it is because the MAC address is likely swapping on the PFSense due to my configuration.
I'm just hoping someone can instruct me on the best way to set this up? I've attached a diagram.
-
If that block is really routed to you, you do not need to bridge. You would only need to bridge if the ISP has a gateway IP inside of your subnet.
Even so, with a bridge you only put an IP on one of the interfaces. Never put an IP on two different interfaces inside of the same subnet. Either remove the IP alias from WAN, or set the IP address on DMZ to "none".
Though as I mentioned before, if it's really routed to you, destroy the bridge, you don't need it. Then remove the IP alias from WAN and leave that subnet only configured on DMZ. You might need to reboot to make sure the routing/arp is all cleared up after having it misconfigured in that way.
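As an added illustration of the two checks in this reply (example code added here, not from the thread or from pfSense itself): a small Python script that parses a FreeBSD-style netstat -rn table and the kernel's "arp: ... moved from" log lines, flags any directly connected subnet whose addresses are spread over more than one interface (link#N), lists any IP whose MAC keeps changing, and applies the "is a bridge needed at all" test (ISP gateway inside the routed block or not). The routing table and log lines below are constructed samples modelled on the ones in the question; the column layout assumes the standard FreeBSD netstat output.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample, modelled on the pfSense routing table in the question.
ROUTE_TABLE = """\
Internet:
Destination        Gateway     Flags Refs      Use Netif Expire
default            68.77.88.1  UGS      0 56179582   dc0
68.77.88.0/24      link#2      U        0  6098730   dc0
68.77.88.118       link#2      UHS      0    37392   lo0
127.0.0.1          link#7      UH       0     3025   lo0
161.100.100.176/29 link#2      U        0    20407   dc0
161.100.100.177    link#2      UHS      0        0   lo0
161.100.100.178    link#3      UHS      0        0   lo0
"""

# Constructed sample, modelled on the "arp: ... moved from" kernel messages in the question.
ARP_LOG = """\
Oct 15 12:45:49 test kernel: arp: 161.100.100.177 moved from 00:11:22:dd:22:33 to 00:dd:bb:11:cc:02 on fxp0
Oct 15 12:45:51 test kernel: arp: 161.100.100.177 moved from 00:dd:bb:11:cc:02 to 00:11:22:dd:22:33 on fxp0
"""

ARP_MOVE_RE = re.compile(r"arp: (\S+) moved from (\S+) to (\S+) on (\S+)")


def parse_routes(text):
    """Parse 'netstat -rn' style output into dicts with dest, gateway, flags, netif."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] in ("Internet:", "Destination"):
            continue  # section label, column header, blank line
        routes.append({"dest": fields[0], "gateway": fields[1],
                       "flags": fields[2], "netif": fields[5]})
    return routes


def find_split_subnets(routes):
    """Return {subnet: [links]} for each directly connected subnet whose addresses
    sit on more than one interface (link#N): the 'IP on two different interfaces
    inside the same subnet' situation the reply warns against."""
    nets = {}
    for r in routes:
        if "/" in r["dest"] and r["gateway"].startswith("link#"):
            nets[r["dest"]] = (ipaddress.ip_network(r["dest"], strict=False), {r["gateway"]})
    for r in routes:
        if "/" in r["dest"] or not r["gateway"].startswith("link#") or "H" not in r["flags"]:
            continue  # only local host routes (UHS/UH via link#N) are of interest
        addr = ipaddress.ip_address(r["dest"])
        for net, links in nets.values():
            if addr in net:
                links.add(r["gateway"])
    return {key: sorted(links) for key, (net, links) in nets.items() if len(links) > 1}


def parse_arp_moves(text):
    """Extract (ip, old_mac, new_mac, iface) tuples from kernel 'arp: ... moved' lines."""
    matches = (ARP_MOVE_RE.search(line) for line in text.splitlines())
    return [m.groups() for m in matches if m]


def flapping_ips(moves):
    """Map each IP to the sorted MACs it was seen with; keep only IPs with two or more."""
    macs = defaultdict(set)
    for ip, old_mac, new_mac, _iface in moves:
        macs[ip].update((old_mac, new_mac))
    return {ip: sorted(seen) for ip, seen in macs.items() if len(seen) > 1}


def bridge_needed(isp_gateway, routed_block):
    """Bridging WAN and DMZ is only needed when the ISP's gateway lives inside the
    block; a block that is routed to the WAN address belongs on the DMZ interface alone."""
    return ipaddress.ip_address(isp_gateway) in ipaddress.ip_network(routed_block, strict=False)


if __name__ == "__main__":
    print("subnets spread over several interfaces:",
          find_split_subnets(parse_routes(ROUTE_TABLE)))
    print("IPs with a changing MAC:", flapping_ips(parse_arp_moves(ARP_LOG)))
    print("bridge needed for 161.100.100.176/29 via 68.77.88.1:",
          bridge_needed("68.77.88.1", "161.100.100.176/29"))
```

On the sample table the script reports 161.100.100.176/29 as present on both link#2 and link#3, reports 161.100.100.177 as alternating between the two MACs, and answers that no bridge is needed because 68.77.88.1 is outside the /29, which is exactly the configuration this reply says to take apart.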
-
Thanks, Jimp, this seems to have worked. I did as you said:
1. Removed the IP Alias from the WAN
2. Removed the bridge
3. Set up the DMZ side of the PFSense iface card to accept on the subnet.
Thanks so much.