# Traffic on a bridge I did not expect/understand



## Bilbo (Nov 27, 2011)

Hi there,

I have made myself the following setup:

vr0 - bridge0 - vr1 (untagged traffic).
vr0_vlan6 - vr1_vl3 (tagged traffic).

vr0 and vr1 do not have an IP configuration but the network which goes over that bridge should be 10.0.0.0/16.
vr0_vlan6 is 10.6.0.1/16 and is the gateway for 10.6.0.0/16.
vr1_vlan3 is 192.168.3.6/24 and has a gateway 192.168.3.1/24 which is an interface on a router on the other end of a point 2 point connection.

Traffic:

10.0.0.0/16 is our management network in which devices like switches and APs have their management interface.
10.6.0.0/16 is a location LAN.
192.168.3.0/24 is a distribution network to make a distribution and access layer.

On vr0 and vr1 I have made rules to only allow traffic from and to 10.0.0.0/16.

But when we monitored the traffic we noticed much more traffic on the interfaces than we expected. To our surprise a tcpdump of the interfaces bridge0, vr0 or vr1 shows ARP traffic which should be kept within vlan6. Like:


```
13:31:59.118855 ARP, Request who-has 10.6.0.12 tell 10.6.4.13, length 46
13:31:59.126889 ARP, Request who-has 10.6.0.12 tell 10.6.4.151, length 46
13:31:59.157631 ARP, Request who-has 10.6.0.12 tell 10.6.4.82, length 46
13:31:59.189747 ARP, Request who-has 10.6.0.12 tell 10.6.4.16, length 46
13:31:59.190796 ARP, Request who-has 10.6.0.12 tell 10.6.4.15, length 46
13:31:59.197579 ARP, Request who-has 10.6.0.12 tell 10.6.4.61, length 46
```
I do not understand that traffic. Most likely a lack of knowledge... Could any one of you explain this?

Peter

PS
In reality the setup is a bit more complex. In reality I have 3 bridges and 4 distributed networks. Left them out for the sake of simplicity.
PPS
The setup was made using a pfSense box. The question is also on their forum, but there is no reply.
PPPS
I know I should not bridge a connection over a leased line. I will probably solve that in the near future. Started to explain why, but that is an essay on its own.


----------



## Bilbo (Nov 28, 2011)

I know it hasn't been that long since I posted... but I feel like I'm not giving you guys the info you need. At the moment I'm at work again and have full access... if you need me to do any diagnostics... please ask.


----------



## J65nko (Nov 28, 2011)

You could run *tcpdump* with the *-e* option to see/show the MAC addresses. This makes it easier to understand the ARP traffic. The output of *arp -an* and the *ifconfig output* would be helpful too.

BTW, a simple network diagram usually makes it easier for others to respond.


----------



## Bilbo (Nov 29, 2011)

Lol... simple as in SNMP
But your remark about MAC addresses hit the spot... it helped me understand.
Will work on some better documentation tonight and tomorrow (when there is traffic to be monitored)

Peter


----------
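
Added example (not part of the original thread): a Python script that applies J65nko's `tcpdump -e` suggestion by counting ARP requests per 802.1Q tag and listing the source MACs whose sender IP lies outside the 10.0.0.0/16 management network. The capture lines and MAC addresses are constructed, the `classify` helper is hypothetical, and the line format assumed is that of `tcpdump -e -n arp` on an Ethernet interface.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -e -n arp` output. MACs are from the
# 00:00:5e:00:53:xx documentation range; none of this is from the thread.
SAMPLE = """\
13:31:59.118855 00:00:5e:00:53:0d > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 6, p 0, ethertype ARP, Request who-has 10.6.0.12 tell 10.6.4.13, length 46
13:31:59.126889 00:00:5e:00:53:97 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 6, p 0, ethertype ARP, Request who-has 10.6.0.12 tell 10.6.4.151, length 46
13:31:59.157631 00:00:5e:00:53:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.6.0.12 tell 10.6.4.82, length 46
13:31:59.160002 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.20, length 46
"""

# One ARP request line; the "vlan N, ..." part exists only on tagged frames.
LINE = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype \S+ \(0x[0-9a-f]+\), "
    r"length \d+: (?:vlan (?P<vlan>\d+), .*?)?"
    r"Request who-has \S+ tell (?P<sender>[\d.]+),"
)


def classify(text, expected_net="10.0.0.0/16"):
    """Return (frame count per VLAN tag, set of (vlan, src MAC, sender IP)
    for ARP senders outside expected_net). A vlan of None means untagged."""
    net = ipaddress.ip_network(expected_net)
    counts, unexpected = Counter(), set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an ARP request in the assumed format
        vlan = int(m["vlan"]) if m["vlan"] else None
        sender = ipaddress.ip_address(m["sender"])
        counts[vlan] += 1
        if sender not in net:
            unexpected.add((vlan, m["src"], str(sender)))
    return counts, unexpected


if __name__ == "__main__":
    counts, unexpected = classify(SAMPLE)
    for vlan, n in counts.items():
        label = "untagged" if vlan is None else f"vlan {vlan}"
        print(f"{label}: {n} ARP requests")
    for vlan, mac, ip in sorted(unexpected, key=lambda t: t[1]):
        label = "untagged" if vlan is None else f"vlan {vlan}"
        print(f"outside 10.0.0.0/16: {ip} from {mac} ({label})")
```

Frames reported with a `vlan` label carried an 802.1Q tag when they were captured, while `untagged` frames from a 10.6.x.x sender are the ones to compare against the filter rules on vr0 and vr1.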

