
I have a setup that has worked for years: fiber to a NAT router to clients. Clients are typically cheap NAT routers of any kind.

Setup like this

Fiber from ISP
 |
Router, pfsense
-WAN - x.x.x.x /29 (public IP)
-LAN - 10.0.0.1 /21
  |
Switches (with port-security so clients cannot "see" each other)
  |
Clients (typically local Wifi Routers)
-behind each client is typically a 192.168.0.1 /24
-some clients are in bridge mode, forwarding the main router's 10.0.0.x IPs

The issue is that more and more clients are Apple routers (Time Capsule and Airport Express) that report "double NAT" and set themselves up in Bridge mode.

Unfortunately this "bridge mode" gives quite a few issues, since DHCP offers are not forwarded very well through the Apple routers in Bridge mode... so client-side equipment (only behind some routers in bridge mode) starts to steal IPs from each other.

In the log there seems to be a conflict between clients for the same IP's

12:37:34 kernel: arp: 10.24.1.142 moved from MAC:1 to MAC:2 on igb1
12:37:13 kernel: arp: 10.24.1.142 moved from MAC:2 to MAC:1 on igb1
12:35:44 kernel: arp: 10.24.1.142 moved from MAC:1 to MAC:2 on igb1
12:35:43 kernel: arp: 10.24.1.142 moved from MAC:2 to MAC:1 on igb1
12:35:30 kernel: arp: 10.24.1.142 moved from MAC:1 to MAC:2 on igb1
12:28:13 kernel: arp: 10.24.1.142 moved from MAC:2 to MAC:1 on igb1
12:27:45 kernel: arp: 10.24.1.142 moved from MAC:1 to MAC:2 on igb1
12:26:43 kernel: arp: 10.24.1.142 moved from MAC:2 to MAC:1 on igb1
12:25:40 kernel: arp: 10.24.1.142 moved from MAC:1 to MAC:2 on igb1

Where do I go wrong with this setup?

  1. Change main router setup?
  2. Force clients to disable "bridge mode" by only allowing a single IP/MAC per client (per switch port)
Tillebeck
  • Are you using a VLAN here to restrict the switch ports to the clients? Otherwise they can see each other. – htm11h Jul 29 '15 at 13:38
  • I set all ports as "protected-port" except upload port. That way no one can see each other but can communicate upstream and eventually with the main router – Tillebeck Jul 29 '15 at 14:44
  • But that does not stop DHCP. – htm11h Jul 29 '15 at 14:50
  • Sorry, I may have misunderstood. What do you mean with stop DHCP? With protected-port one client cannot offer DHCP to other clients (stop DHCP between clients). Only the main router can offer DHCP to all client due to the setup with protected-ports http://serverfault.com/questions/539077/hp-procurve-2512-2524-protected-port-source-port-filter-or-similar. – Tillebeck Jul 29 '15 at 16:53
  • Are these clients plugged in with cable and trying to connect with wi-fi? – htm11h Apr 06 '16 at 14:09

1 Answer


It is your switches that are not protecting ports from one to the other....

From Cisco...

The PVLAN edge (protected port) is a feature that has only local significance to the switch (unlike Private Vlans), and there is no isolation provided between two protected ports located on different switches. A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port in the same switch. Traffic cannot be forwarded between protected ports at L2, all traffic passing between protected ports must be forwarded through a Layer 3 (L3) device.

source

htm11h
  • No, this is not it. It is more complicated than that. There are some devices that take any IP that is offered to other users. Also IPs that are meant for one specific MAC and lie outside the normal DHCP range. Each time such a "pirate client" is found behind a router in bridge mode. Or an access point. Either there is some faulty end user equipment after the bridge/AP or the bridge/AP cannot forward the DHCP offer the right way – Tillebeck Jul 29 '15 at 17:00
  • Based on your other link, I don't believe your switches will support the configuration you are running. Do you know which switches are L2 and which are L3? You should convert to VLANS, which can do what you are trying to do and are much easier to manage. – htm11h Jul 29 '15 at 18:24
  • If you are saying that some MACs have dedicated IP addresses, then those IPs should be outside of the scope that the DHCP can offer. This is a DHCP configuration issue. – htm11h Jul 29 '15 at 18:29
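The last comment makes a concrete configuration point: addresses reserved for specific MACs must lie outside the dynamic pool, or the server will hand the same address to whichever client asks first. The following Python check is an added example, not code from the thread or from pfSense; it takes a planned subnet, a dynamic pool and a MAC-to-IP reservation table and reports reservations that fall inside the pool, outside the subnet, or that reserve one address for several MACs. The subnet `10.0.0.0/21` is the LAN from the question; the pool bounds and the reservation entries are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed plan for the question's 10.0.0.0/21 LAN. Pool bounds and reservations
# are assumptions for the example, not values from the thread.
SUBNET = "10.0.0.0/21"
POOL_START = "10.0.1.1"
POOL_END = "10.0.6.254"
RESERVATIONS = {
    "aa:bb:cc:00:00:01": "10.0.0.50",   # fine: outside the pool, inside the subnet
    "aa:bb:cc:00:00:02": "10.0.2.10",   # problem: inside the dynamic pool
    "aa:bb:cc:00:00:03": "10.0.0.50",   # problem: same address as the first MAC
    "aa:bb:cc:00:00:04": "10.0.0.60",   # fine
}


def check_dhcp_plan(subnet, pool_start, pool_end, reservations):
    """Return a list of human-readable problems with the scope/reservation plan."""
    net = ipaddress.ip_network(subnet, strict=True)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []

    # The dynamic pool itself must be an ordered range inside the subnet.
    if start not in net or end not in net or start > end:
        problems.append(f"pool {pool_start}-{pool_end} is not a valid range inside {subnet}")

    by_ip = defaultdict(list)
    for mac, ip_text in reservations.items():
        ip = ipaddress.ip_address(ip_text)
        by_ip[ip].append(mac)
        if ip not in net:
            problems.append(f"reservation {mac} -> {ip} lies outside {subnet}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"reservation {mac} -> {ip} is the network or broadcast address")
        elif start <= ip <= end:
            # This is the case from the comment: a 'static' address the server may
            # also lease dynamically, so two clients can end up with it.
            problems.append(
                f"reservation {mac} -> {ip} lies inside the dynamic pool {pool_start}-{pool_end}"
            )

    # One address reserved for several MACs guarantees a conflict on its own.
    for ip, macs in by_ip.items():
        if len(macs) > 1:
            problems.append(f"{ip} is reserved for several MACs: {', '.join(sorted(macs))}")
    return problems


if __name__ == "__main__":
    for problem in check_dhcp_plan(SUBNET, POOL_START, POOL_END, RESERVATIONS):
        print("PROBLEM:", problem)
```

Run it against a plan before committing it to the DHCP server: a clean plan returns an empty list. The check is deliberately server-agnostic so the same table can be fed from a pfSense static-mapping export or from a plain text file.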