# vlan and staticarp



## blackjack (Nov 18, 2008)

Hi all.
I am using FreeBSD as a gateway to the internet.

```
FreeBSD router.local.net.ua 7.0-RELEASE FreeBSD 7.0-RELEASE #1: Fri Jun 13 17:26:05 EEST 2008     admin@router.local.net.ua:/usr/src/sys/i386/compile/GATE  i386
```
I have 10 VLANs and two NICs:

```
ifconfig
```


```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.21.124 netmask 0xffffff00 broadcast 172.16.21.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:1d:0f:bd:8f:7b
	inet 81.21.xx.xx1 netmask 0xfffffff8 broadcast 81.21.xx.xxx
	inet 81.21.xx.xx2 netmask 0xfffffff8 broadcast 81.21.xx.xxx
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.24.124 netmask 0xffffff00 broadcast 172.16.24.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 11 parent interface: em0
vlan22: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.22.124 netmask 0xffffff00 broadcast 172.16.22.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 22 parent interface: em0
vlan23: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.23.124 netmask 0xffffff00 broadcast 172.16.23.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 23 parent interface: em0
vlan25: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.25.124 netmask 0xffffff00 broadcast 172.16.25.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 25 parent interface: em0
vlan26: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.26.124 netmask 0xffffff00 broadcast 172.16.26.255
	inet 192.168.101.100 netmask 0xffffff00 broadcast 192.168.101.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 26 parent interface: em0
vlan30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.30.124 netmask 0xffffff00 broadcast 172.16.30.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 30 parent interface: em0
vlan31: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.31.124 netmask 0xffffff00 broadcast 172.16.31.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 31 parent interface: em0
vlan32: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.32.124 netmask 0xffffff00 broadcast 172.16.32.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 32 parent interface: em0
vlan33: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.33.124 netmask 0xffffff00 broadcast 172.16.33.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 33 parent interface: em0
vlan40: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.40.124 netmask 0xffffff00 broadcast 172.16.40.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 40 parent interface: em0
vlan100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.100.124 netmask 0xffffff00 broadcast 172.16.100.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 100 parent interface: em0
```

I created the file /etc/staticarp/static.mac with the IP address and MAC address of the local clients, like this:

```
172.16.100.30 00:1d:0f:c4:10:ad pub
```
then set the IP-MAC pairs:

```
arp -f /etc/staticarp/static.mac
```
Then I did

```
ifconfig vlan100 staticarp
```


```
vlan100: flags=88843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:07:e9:0a:a4:73
	inet 172.16.100.124 netmask 0xffffff00 broadcast 172.16.100.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 100 parent interface: em0
```

And this works for some time (1 or 2 hours), but then all VLANs stop working and ping looks like this:

```
ping 172.16.100.52
```


```
ping: sendto: invalid argument
```


```
netstat -rn
```


```
172.16.100.1    link#34            UHLW          0        0 vlan100
....
172.16.100.254    link#34            UHLW          0        0 vlan100
```
I need to use this because somebody in the local network is ARP spoofing, or it is a virus.
This is the log when the spoofing is active:
```
Sep 19 19:37:29 router kernel: arp: 172.16.24.155 moved from 00:0f:ea:3b:34:91 to 00:0f:ea:f6:c3:de on vlan11
Sep 19 19:37:29 router kernel: arp: 172.16.24.183 moved from 00:0f:ea:3b:34:91 to 00:11:5b:7a:85:c5 on vlan11
Sep 19 19:37:29 router kernel: arp: 172.16.24.192 moved from 00:0f:ea:3b:34:91 to 00:02:2a:e1:e8:bf on vlan11
Sep 19 19:37:29 router kernel: arp: 172.16.24.218 moved from 00:0f:ea:3b:34:91 to 00:19:e0:13:cb:ee on vlan11
Sep 19 19:37:29 router kernel: arp: 172.16.24.220 moved from 00:0f:ea:3b:34:91 to 00:14:2a:84:be:94 on vlan11
Sep 19 19:37:29 router kernel: arp: 172.16.24.231 moved from 00:0f:ea:3b:34:91 to 00:0f:ea:c1:7e:41 on vlan11
```
Why does this not work? Why does the route to the hosts in the VLAN disappear? Why does the ARP table refresh when the interface is configured to use static IP-MAC records?
These are my topics:
http://forum.lissyara.su/viewtopic.php?f=8&t=11136&p=110421&hilit=Борьба#p99856
http://www.opennet.ru/openforum/vsluhforumID1/82574.html
PS. Sorry for my bad English.
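The `arp: ... moved from ... to ...` lines above are the kernel reporting that the MAC it has cached for an address changed. The following is an added example (not code from the thread or from FreeBSD) that cross-checks such log lines against a static table in the `arp -f` file format: it reports every move whose new MAC disagrees with the static entry for that IP, and any single MAC that is seen owning several IPs, which is the usual signature of one spoofing host. Both the table and the log lines are constructed samples modelled on the post; entries carrying the `pub` flag are listed separately because `pub` makes the gateway itself answer ARP requests for that address (see arp(8)).

```python
"""Added example: correlate FreeBSD 'arp: X moved from A to B' kernel
messages with a static IP/MAC table written in the arp -f file format."""
import re
from collections import defaultdict

# Constructed sample in arp -f format: address, MAC, optional flags.
# The last line deliberately carries 'pub' so the checker can flag it.
STATIC_MAC = """\
172.16.24.155 00:0f:ea:f6:c3:de
172.16.24.183 00:11:5b:7a:85:c5
172.16.24.192 00:02:2a:e1:e8:bf
172.16.100.30 00:1d:0f:c4:10:ad
172.16.100.31 00:1d:0f:c4:10:ae pub
"""

# Constructed syslog lines modelled on the ones quoted in the post.
KERNEL_LOG = """\
Sep 19 19:37:29 router kernel: arp: 172.16.24.155 moved from 00:0f:ea:3b:34:91 to 00:0f:ea:f6:c3:de on vlan11
Sep 19 19:37:29 router kernel: arp: 172.16.24.183 moved from 00:0f:ea:3b:34:91 to 00:11:5b:7a:85:c5 on vlan11
Sep 19 19:37:29 router kernel: arp: 172.16.24.192 moved from 00:0f:ea:3b:34:91 to 00:02:2a:e1:e8:bf on vlan11
Sep 19 19:37:30 router kernel: arp: 172.16.24.192 moved from 00:02:2a:e1:e8:bf to 00:0f:ea:3b:34:91 on vlan11
Sep 19 19:37:31 router kernel: arp: 172.16.100.30 moved from 00:1d:0f:c4:10:ad to 00:aa:bb:cc:dd:ee on vlan100
Sep 19 19:37:32 router kernel: some unrelated message
"""

MOVED_RE = re.compile(
    r"arp: (?P<ip>\d+\.\d+\.\d+\.\d+) moved from (?P<old>[0-9a-fA-F:]{17}) "
    r"to (?P<new>[0-9a-fA-F:]{17}) on (?P<ifname>\S+)")


def parse_static_table(text):
    """Parse arp -f style lines into {ip: mac}; blank lines and comments are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            table[fields[0]] = fields[1].lower()
    return table


def published_ips(text):
    """IPs whose static entry carries the 'pub' flag (gateway would answer for them)."""
    return [f[0] for f in (l.split() for l in text.splitlines())
            if len(f) >= 3 and "pub" in f[2:]]


def parse_moves(text):
    """Extract (ip, old_mac, new_mac, ifname) from kernel 'moved' messages."""
    moves = []
    for line in text.splitlines():
        m = MOVED_RE.search(line)
        if m:
            moves.append((m["ip"], m["old"].lower(), m["new"].lower(), m["ifname"]))
    return moves


def find_violations(static_table, moves):
    """Moves whose new MAC disagrees with the static table entry for that IP."""
    return [mv for mv in moves
            if mv[0] in static_table and static_table[mv[0]] != mv[2]]


def find_multi_ip_macs(moves, threshold=2):
    """MACs seen (as old or new owner) for at least `threshold` distinct IPs."""
    ips_by_mac = defaultdict(set)
    for ip, old, new, _ in moves:
        ips_by_mac[old].add(ip)
        ips_by_mac[new].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items()
            if len(ips) >= threshold}


if __name__ == "__main__":
    table = parse_static_table(STATIC_MAC)
    moves = parse_moves(KERNEL_LOG)
    for ip in published_ips(STATIC_MAC):
        print(f"warning: {ip} is 'pub' (gateway answers ARP for it)")
    for ip, old, new, ifname in find_violations(table, moves):
        print(f"{ifname}: {ip} claimed by {new}, static table says {table[ip]}")
    for mac, ips in find_multi_ip_macs(moves).items():
        print(f"{mac} claims {len(ips)} IPs: {', '.join(ips)}")
```

Run it against the real file and `grep 'arp:' /var/log/messages` output; the MAC that shows up in the multi-IP report is the one to hunt down to a switch port.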


----------



## SirDice (Nov 18, 2008)

> I need to use this because in local network somebody arp spoof or it is a virus.


Maybe you should fix the problem instead of the symptoms?


----------



## blackjack (Nov 18, 2008)

It is impossible. There are 854 clients in the local network. I can't go to every client and control his computer.


----------



## SirDice (Nov 18, 2008)

blackjack said:

> It is impossible. There are 854 clients in the local network. I can't go to every client and control his computer.



Not impossible. We have 60,000 workstations. It takes a bit of networking-fu to trace it through all the routers and switches, but in the end you'll know the switch and the port. After that it's just a matter of following the cable.


----------



## tbyte (Nov 18, 2008)

But there is still a problem, the thing he is doing should work.


----------



## blackjack (Nov 19, 2008)

These are my configs.


----------



## Alt (Nov 19, 2008)

> I created the file /etc/staticarp/static.mac with the IP address and MAC address of the local clients, like this:
> ```
> 172.16.100.30 00:1d:0f:c4:10:ad pub
> ```

Try records without "pub":

```
172.16.100.30 00:1d:0f:c4:10:ad
```
That option didn't work for me when I used the same technique.


----------



## blackjack (Nov 20, 2008)

No, it doesn't work.


----------



## Alt (Nov 20, 2008)

```
man arp
```

> If the word pub is given,
> the entry will be ``published''; i.e., this system
> will act as an
> ARP server, responding to requests for hostname even though the
> host address is not its own.

That is, with the pub parameter the gateway starts answering *on behalf of* that IP. Hence the address changes. In my case, using it caused conflicts among the subscribers. In short, what you want does not work with pub =) In general, I did it this way (without pub) and it should work....
Maybe your interfaces are being recreated or restarted somehow from cron?


----------



## blackjack (Nov 20, 2008)

ÐÑƒ Ð¿Ð¾Ð¿Ñ€Ð¾Ð±ÑƒÑŽ ÐµÑ‰Ðµ Ñ€Ð°Ð·. ÐŸÑƒÑÑ‚ÑŒ Ñ‚Ð°Ðº Ð¸ Ð±ÑƒÐ´ÐµÑ‚. Ð•ÑÐ»Ð¸ Ð½Ðµ Ð±ÑƒÐ´ÐµÑ‚ Ñ€Ð°Ð±Ð¾Ñ‚Ð°Ñ‚ÑŒ, Ð·Ð½Ð°Ñ‡Ð¸Ñ‚ Ñƒ Ð¼ÐµÐ½Ñ ÐºÐ°Ñ€Ð¼Ð° Ð¿Ð»Ð¾Ñ…Ð°Ñ


----------



## blackjack (Nov 24, 2008)

Any suggestion?


----------



## bsdfunn (Jan 27, 2009)

ipguard is a tool designed to protect LAN IP address space by ARP spoofing.

ipguard listens on the network for ARP packets. All permitted MAC/IP pairs are listed in the 'ethers' file. If it receives one with a MAC/IP pair which is not listed in the 'ethers' file, it will send an ARP reply with a configured fake address. This will prevent the non-permitted host from working properly in this Ethernet segment.


http://ipguard.deep.perm.ru/
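The decision the post describes, "is this ARP packet's sender MAC/IP pair in the permitted list?", is the core of that approach. The block below is an added example and is not ipguard's code: it parses a raw Ethernet/IPv4 ARP frame with `struct`, loads a permitted list written MAC-first as in ethers(5) (the assumed format here; ipguard's own file layout is not shown in the post), and classifies the sender as permitted, unknown, or a mismatch against the listed MAC. It only classifies; it sends nothing. The sample frames are constructed inline with a small builder, which also doubles as a reference for the ARP layout.

```python
"""Added example: parse IPv4-over-Ethernet ARP frames and check the sender
MAC/IP pair against an ethers-style permitted list (classification only)."""
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen op sha spa tha tpa (28 bytes)

# Constructed permitted list, MAC first as in ethers(5) (assumed layout).
ETHERS = """\
# mac                ip
00:1d:0f:c4:10:ad    172.16.100.30
00:0f:ea:f6:c3:de    172.16.24.155
"""


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an IPv4 ARP packet (sample input only).
    Requests go to the broadcast MAC; replies are unicast to the target MAC."""
    dst = mac_bytes(tha) if op == ARP_REPLY else b"\xff" * 6
    eth = struct.pack("!6s6sH", dst, mac_bytes(sha), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), socket.inet_aton(spa),
                      mac_bytes(tha), socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None for anything that is not
    IPv4-over-Ethernet ARP (wrong ethertype, short frame, odd address sizes)."""
    if len(frame) < 14 + 28:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(src),
            "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


def load_ethers(text):
    """Permitted pairs as {ip: mac}; comments and blank lines are skipped."""
    allowed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            allowed[fields[1]] = fields[0].lower()
    return allowed


def classify(frame, allowed):
    """'ignore' for non-ARP, 'ok' when the sender pair is listed, 'unlisted-ip'
    when the sender IP is unknown, 'mismatch' when the IP is listed with a
    different MAC or the Ethernet source disagrees with the ARP sender MAC."""
    pkt = parse_arp(frame)
    if pkt is None:
        return "ignore"
    if pkt["eth_src"] != pkt["sha"]:
        return "mismatch"
    want = allowed.get(pkt["spa"])
    if want is None:
        return "unlisted-ip"
    return "ok" if want == pkt["sha"] else "mismatch"


if __name__ == "__main__":
    allowed = load_ethers(ETHERS)
    frames = {
        "legit request": build_arp(ARP_REQUEST, "00:1d:0f:c4:10:ad", "172.16.100.30",
                                   "00:00:00:00:00:00", "172.16.100.124"),
        "spoofed reply": build_arp(ARP_REPLY, "00:0f:ea:3b:34:91", "172.16.24.155",
                                   "00:07:e9:0a:a4:73", "172.16.24.124"),
    }
    for name, frame in frames.items():
        print(f"{name}: {classify(frame, allowed)}")
```

In a real deployment the frames would come from a bpf(4) or libpcap capture on each vlan interface; a 'mismatch' verdict is where a tool like ipguard would answer with its corrective reply, and it is also the event worth logging with the offending MAC.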


----------



## blackjack (Jan 27, 2009)

Thank you. I will try it.


----------

