I have a setup that has worked for years with a fiber to a NAT router to clients. Clients are typically cheap NAT routers of any kind.
Setup like this:
Fiber from ISP
|
Router, pfsense
-WAN - x.x.x.x /29 (public IP)
-LAN - 10.0.0.1 /21
|
Switches (with port-security so clients cannot "see" each other)
|
Clients (typically local Wifi Routers)
-behind each client is typically a 192.168.0.1 /24
-some clients are in bridge mode, forwarding the main router's 10.0.0.x IPs
The issue is that more and more clients are Apple routers (Time Capsule and AirPort Express) that report "double NAT" and set themselves up in Bridge mode.
Unfortunately this "bridge mode" gives quite a few issues since DHCP offers are not forwarded very well through the Apple routers in Bridge mode... so client-side equipment (only behind some routers in bridge mode) starts to steal IPs from each other.
In the log there seems to be a conflict between clients for the same IPs:
12:37:34 kernel: arp: 10.24.1.142 moved from MAC:1 to MAC:2 on igb1
12:37:13 kernel: arp: 10.24.1.142 moved from MAC:2 to MAC:1 on igb1
12:35:44 kernel: arp: 10.24.1.142 moved from MAC:1 to MAC:2 on igb1
12:35:43 kernel: arp: 10.24.1.142 moved from MAC:2 to MAC:1 on igb1
12:35:30 kernel: arp: 10.24.1.142 moved from MAC:1 to MAC:2 on igb1
12:28:13 kernel: arp: 10.24.1.142 moved from MAC:2 to MAC:1 on igb1
12:27:45 kernel: arp: 10.24.1.142 moved from MAC:1 to MAC:2 on igb1
12:26:43 kernel: arp: 10.24.1.142 moved from MAC:2 to MAC:1 on igb1
12:25:40 kernel: arp: 10.24.1.142 moved from MAC:1 to MAC:2 on igb1
Where do I go wrong with this setup?
- Change main router setup?
- Force clients to disable "bridge mode" by only allowing a single IP/MAC per client (per switch port)?
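To see which addresses are actually being fought over (and on which interface) before touching the switch or router config, the kernel "arp: ... moved from ... to ..." lines above can be parsed and grouped per IP. This is an added example, not code from the poster or from pfSense; the log sample inside it is constructed from the quoted lines, and "MAC:1"/"MAC:2" stand for the anonymised hardware addresses in the post.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the FreeBSD/pfSense kernel messages quoted in the post.
# MAC:1 / MAC:2 are the poster's anonymised addresses; the last line uses a made-up MAC pair.
SAMPLE_LOG = """\
12:25:40 kernel: arp: 10.24.1.142 moved from MAC:1 to MAC:2 on igb1
12:26:43 kernel: arp: 10.24.1.142 moved from MAC:2 to MAC:1 on igb1
12:27:45 kernel: arp: 10.24.1.142 moved from MAC:1 to MAC:2 on igb1
12:28:13 kernel: arp: 10.24.1.142 moved from MAC:2 to MAC:1 on igb1
12:30:01 kernel: arp: 10.24.1.200 moved from aa:bb:cc:00:00:01 to aa:bb:cc:00:00:02 on igb1
"""

# Matches both real colon-separated MACs and the anonymised "MAC:n" placeholders.
ARP_MOVED = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) kernel: arp: (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"moved from (?P<old>\S+) to (?P<new>\S+) on (?P<iface>\S+)$"
)


def parse_arp_moves(log_text):
    """Return a list of (time, ip, old_mac, new_mac, iface) tuples, one per 'moved' line."""
    moves = []
    for line in log_text.splitlines():
        m = ARP_MOVED.match(line.strip())
        if m:
            moves.append((m["time"], m["ip"], m["old"], m["new"], m["iface"]))
    return moves


def find_flapping(moves, min_moves=2):
    """Group moves per (iface, ip). An IP that bounces between two or more MACs
    at least `min_moves` times is reported as a conflict; a single move is
    treated as a normal lease change or hardware swap and ignored."""
    per_ip = defaultdict(lambda: {"macs": set(), "moves": 0, "first": None, "last": None})
    for time, ip, old, new, iface in moves:
        entry = per_ip[(iface, ip)]
        entry["macs"].update((old, new))
        entry["moves"] += 1
        entry["first"] = entry["first"] or time
        entry["last"] = time
    return {
        key: {"macs": sorted(v["macs"]), "moves": v["moves"], "first": v["first"], "last": v["last"]}
        for key, v in per_ip.items()
        if v["moves"] >= min_moves and len(v["macs"]) >= 2
    }


if __name__ == "__main__":
    for (iface, ip), info in find_flapping(parse_arp_moves(SAMPLE_LOG)).items():
        print(f"{iface} {ip}: {info['moves']} moves between {info['macs']} "
              f"({info['first']} - {info['last']})")
```

On a pfSense box the same parser can be fed the output of `clog /var/log/system.log`; the reported MAC pairs are what you look up in the switch MAC tables to find the two ports (and thus the two bridge-mode clients) involved.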