 From:  "Molle Bestefich" <molle dot bestefich at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Problem Report: <spoofmac> and VLANs does not interplay.
 Date:  Thu, 8 Jun 2006 16:16:19 +0200
Hi

Where's the proper place to submit m0n0wall bug reports?


Problem:
========
A custom MAC address can be specified for any interface, which is very
practical in some situations.
For example, the m0n0wall kernel does not find the right MAC address
for my NICs, instead making up bogus broadcast addresses.

When you create a VLAN interface, a tag is applied to outgoing packets
and stripped from incoming packets on the physical interface that is
the selected parent interface, thus making up the VLAN interface.  But
the packets must still arrive at the parent interface.

This does not happen when specifying custom MAC addresses with
<spoofmac>.  The VLAN interface gets the original MAC address of the
physical interface which the m0n0wall kernel found, instead of the
correct custom MAC address.

That causes ARP requests for the firewall's address(es) within the
VLAN to deliver the wrong MAC address, thus effectively disabling all
communication with the firewall over the VLAN.


Solution:
=========
If the parent interface of a VLAN has a <spoofmac> address, assign the
same <spoofmac> address when the VLAN interface is created.

(By "created", I do not mean "created in the GUI" but "created using
whatever VLAN tools BSD uses".)


Workaround:
===========
Every time you create a VLAN or change the parent interface's MAC
address, download the config.xml file and adjust every VLAN to have
the same <spoofmac> as its parent interface.  Then upload the file
again and reboot the firewall.
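
The workaround above as a script, added here as an example that is not part of the original post or of m0n0wall: it gives every interface assigned to a VLAN the same <spoofmac> as the interface on the VLAN's parent port. The config.xml layout it relies on (<vlans>/<vlan>/<if>, vlanN naming by list position, <spoofmac> under each <interfaces> entry), the function name and all sample values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the element layout is an assumption, not taken from the post.
SAMPLE_CONFIG = """<m0n0wall>
  <vlans>
    <vlan><if>sis0</if><tag>10</tag></vlan>
    <vlan><if>sis0</if><tag>20</tag></vlan>
    <vlan><if>sis1</if><tag>30</tag></vlan>
  </vlans>
  <interfaces>
    <lan><if>sis0</if><spoofmac>00:11:22:33:44:55</spoofmac></lan>
    <wan><if>sis1</if></wan>
    <opt1><if>vlan0</if></opt1>
    <opt2><if>vlan1</if><spoofmac>00:11:22:33:44:55</spoofmac></opt2>
    <opt3><if>vlan2</if><spoofmac>00:aa:bb:cc:dd:ee</spoofmac></opt3>
  </interfaces>
</m0n0wall>"""

def sync_vlan_spoofmac(xml_text):
    """Return (fixed_xml, changes); changes lists (interface, old_mac, new_mac)."""
    root = ET.fromstring(xml_text)
    # Assumption: vlanN names the N-th <vlan> entry, counted from zero.
    parent_of = {f"vlan{i}": (v.findtext("if") or "").strip()
                 for i, v in enumerate(root.findall("./vlans/vlan"))}
    ifaces = root.findall("./interfaces/*")
    mac_of = {(n.findtext("if") or "").strip():
              (n.findtext("spoofmac") or "").strip().lower() for n in ifaces}
    changes = []
    for node in ifaces:
        port = (node.findtext("if") or "").strip()
        if port not in parent_of:
            continue  # assigned to a physical port, not a VLAN
        want = mac_of.get(parent_of[port], "")  # "" = parent has no custom MAC
        have = mac_of.get(port, "")
        if have == want:
            continue
        elem = node.find("spoofmac")
        if want:
            if elem is None:
                elem = ET.SubElement(node, "spoofmac")
            elem.text = want
        elif elem is not None:
            node.remove(elem)  # parent keeps its hardware MAC, so the VLAN must too
        changes.append((node.tag, have, want))
    return ET.tostring(root, encoding="unicode"), changes

if __name__ == "__main__":
    for name, old, new in sync_vlan_spoofmac(SAMPLE_CONFIG)[1]:
        print(f"{name}: {old or '(none)'} -> {new or '(none)'}")
```

Review the reported changes against the real file before uploading it, since a VLAN whose parent port is not assigned to any interface is treated as having no custom MAC.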