Subject: arp not visible on the expected side of bridge
To: None <netbsd-users@netbsd.org>
From: Joel CARNAT <joel@carnat.net>
List: netbsd-users
Date: 02/09/2005 16:59:39
Hi,

I have set up a bridge/firewall which has an IP on one side (so I can SSH and SNMP
to it). Here's what it looks like:

(INTERNET)--(FAI router)--(my FW/Bridge)--(some servers)

The FW has 2 interfaces: bge0 is "x.x.x.x up" (public IP), bge1 is "up" (no IP).
The bridge is bridge0: add bge0 add bge1.
The default route is the FAI router's IP.
The FAI router, the FW and the servers all have public IPs in the same range.

I use the FW to make sure the wild wild web doesn't do things I don't want
on my servers (aka, try SMTP on web servers, ...) and to let some
servers access the Web (for DNS, WWW, FTP, ...).

Everything is quite good (each side talks to the other), but...
When I use the arp command, I see all MAC addresses on the bge0 interface
(although all my servers are plugged into bge1). This would not bother me
except I can go from FW to server through bge1 without allowing traffic
out through bge0... This sounds mad to me... So, questions :)

- Is it expected to see the MAC addresses on the interface with the IP?
- Can I force the system to use bge1 for my servers? I tried forcing arp
  (pub, permanent, ...) and "route ... -interface" but didn't succeed.
- I use pf to do the filtering (because I'm used to it :) - is there a
  pf trick to force traffic through an interface (route-to doesn't seem
  the right thing here, as I understood it...)?

TIA,
	Jo
-- 
,-- This mail runs ---------.
`------------ NetBSD/i386 --'
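A pf.conf sketch of the filtering policy the mail describes (management of the bridge host on its own IP, web servers reachable only on HTTP/HTTPS so SMTP attempts hit the default block, servers allowed out for DNS, WWW and FTP), added here as an example and not taken from the poster's setup. The addresses, the choice to filter bridged traffic on bge0 only, and the assumption that pf sees bridged frames on both member interfaces are mine.

```pf
# Added example, not the original poster's configuration.
# Interfaces are the ones named in the mail (bge0 public side, bge1
# server side); all addresses are constructed placeholders.
ext_if    = "bge0"
int_if    = "bge1"
fw_ip     = "192.0.2.2"                   # the bridge host's own IP on bge0
servers   = "{ 192.0.2.10, 192.0.2.11 }"  # web servers plugged into bge1
www_ports = "{ 80, 443 }"
out_ports = "{ 21, 53, 80 }"              # FTP control, DNS over TCP, WWW

scrub in all

# Default: drop and log everything not explicitly allowed.
block log all

# Never filter loopback.
pass quick on lo0 all

# Filter bridged traffic on the public member only: a packet to a server
# enters on bge0 and leaves on bge1, so one decision on bge0 is enough.
# (Assumes pf sees bridged frames on both members.)
pass quick on $int_if all

# Management of the bridge host itself on its own IP: SSH and SNMP in,
# replies and anything the host originates out.
pass in  on $ext_if proto tcp from any to $fw_ip port 22  flags S/SA keep state
pass in  on $ext_if proto udp from any to $fw_ip port 161 keep state
pass out on $ext_if from $fw_ip to any keep state

# The public side may only open HTTP/HTTPS to the servers; SMTP and
# anything else aimed at them falls through to the default block and is logged.
pass in on $ext_if proto tcp from any to $servers port $www_ports \
    flags S/SA keep state

# Servers may go out for DNS, WWW and FTP (control connection only).
pass out on $ext_if proto udp from $servers to any port 53 keep state
pass out on $ext_if proto tcp from $servers to any port $out_ports \
    flags S/SA keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `block log` hits with `tcpdump -n -e -ttt -i pflog0` to confirm that blocked SMTP attempts land where expected.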