Firewall/NAT

Hi,

I have in my soekris net55xx this type of logs:
Dec 5 09:26:21   kernel: arp: 192.168.5.133 is on sis0 but got reply from 00:21:4a:10:ef:b2 on vr3
What does that mean?

Thx

Most likely suspect is a machine belonging to one network has been plugged into another network's switch, hub, or router port.

Hi, thx for your help,

Something strange:

        kernel: arp: 192.168.0.249 is on vr0 but got reply from 00:21:19:96:d7:90 on vr3
   kernel: arp: 192.168.0.249 is on vr0 but got reply from 00:21:19:96:d7:90 on sis0
   kernel: arp: 192.168.0.249 is on vr0 but got reply from 00:21:19:96:d7:90 on vr2
   kernel: arp: 192.168.0.249 is on vr0 but got reply from 00:21:19:96:d7:90 on vr1

vr3 -> email subnet
sis0 -> peer subnet
vr2 -> dmz subnet
vr1 -> wan subnet

The pc 192.168.0.249 has as mac address 00:21:19:96:d7:90 so it is the same pc ...
I am lost, could you please help ?

My config:

One fw (no static routes) soekris net 55xx with 5 NIC -> connected to a manageable switch (only using the default vlan)

Thx

What are the IP addresses and subnet masks being used for all the interfaces?

Lan: 192.168.0.11/24
Wan -> DHCP
Email: 192.168.3.11/24
Dmz: 192.168.1.11/24
Peer: 192.168.2.11/24

Thx for your help

Can you provide the interface names and their addressees/netmasks?

Do you mean this :

LAN        vr0
WAN        vr1
COURRIEL  vr3   
DMZ        vr2
PEER   sis0

Yes. Is this correct?

vr0 192.168.0.11/24

sis0 192.168.2.11/24

vr2 192.168.1.11/24

vr1 w.x.y.z

Are there any switches or VLANS in use?

What is the netmask used on machine with IP 192.168.0.249?

Yes this is correct.

The Soekris, as I said previously, is connected to a manageable switch, using the default vlan ... No vlans and static routes in use in the Soekris config.

The netmask for this pc is: 255.255.255.0

Thx

Not much more I can do for you. I suspect that the VLAN or managed switch is causing collisions somehow.

Have you verified that you do not have more than one machine with IP address 192.168.0.249 anywhere else?

In your first post these messages were about 192.168.5.133, then it changed to 192.168.0.249. What's that all about?

The 5.133 was a fake ip

The 0.249 is a NAS, I just check the network config, seems to be ok.
It is only pc(s) in my LAN who are doing this type of strange traffic ... All other subnet (dmz, peer ...) don't do it ...

Example:

Personal Windows 7 pc:

Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on sis0
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr2
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr1
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr3
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on sis0
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr2
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr1
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr3
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on sis0
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr2
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr1
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr3
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on sis0
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr2
Dec 5 20:39:23   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr1
Dec 5 20:38:21   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr3
Dec 5 20:38:21   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on sis0
Dec 5 20:38:21   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr2
Dec 5 20:38:21   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr1
Dec 5 20:36:46   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr3
Dec 5 20:36:46   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on sis0
Dec 5 20:36:46   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr2
Dec 5 20:36:46   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr1
Dec 5 20:32:07   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr3
Dec 5 20:32:07   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on sis0
Dec 5 20:32:07   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr2
Dec 5 20:32:07   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr1
Dec 5 20:31:45   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr3
Dec 5 20:31:45   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on sis0
Dec 5 20:31:45   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr2
Dec 5 20:31:45   kernel: arp: 192.168.0.112 is on vr0 but got reply from 14:da:e9:1d:14:ad on vr1

I will check the switch tomorrow.

Thx for your help