
In my home network I have a Linux router with several VLANs sharing the same physical interface. This is what it looks like on the router:
➜ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: wan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 7c:83:34:be:b0:9b brd ff:ff:ff:ff:ff:ff
altname enp1s0
inet 80.x.x.x/20 metric 1024 brd x.x.x.255 scope global dynamic wan0
valid_lft 67664sec preferred_lft 67664sec
inet6 x:x:x:7000:1a86:1082:f9e:41bf/64 scope global temporary dynamic
valid_lft 82400sec preferred_lft 22122sec
inet6 x:x:x:a839:e160:a5b4:8601:7da8/64 scope global temporary dynamic
valid_lft 85823sec preferred_lft 3023sec
inet6 x:x:x:7000:8916:b7a2:bfc:3a40/64 scope global temporary deprecated dynamic
valid_lft 82400sec preferred_lft 0sec
inet6 x:x:x:a839:3546:462d:74e4:e284/64 scope global temporary deprecated dynamic
valid_lft 85823sec preferred_lft 0sec
inet6 x:x:x:7000:aef4:f2a8:62bc:8d8d/64 scope global temporary deprecated dynamic
valid_lft 82400sec preferred_lft 0sec
inet6 x:x:x:7000:7e83:34ff:febe:b09b/64 metric 256 scope global dynamic mngtmpaddr
valid_lft 82400sec preferred_lft 68000sec
inet6 x:x:x:a839:7c6d:b30d:b272:aebf/64 scope global temporary deprecated dynamic
valid_lft 85823sec preferred_lft 0sec
inet6 x:x:x:a839:7e83:34ff:febe:b09b/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 85823sec preferred_lft 3023sec
inet6 fe80::7e83:34ff:febe:b09b/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
3: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 7c:83:34:be:b0:9c brd ff:ff:ff:ff:ff:ff
altname enp2s0
inet 10.0.0.254/24 brd 10.0.0.255 scope global lan0
valid_lft forever preferred_lft forever
inet6 x:x:x:7001:3d40:df56:2ca8:e57/64 scope global temporary dynamic
valid_lft 82400sec preferred_lft 63479sec
inet6 x:x:x:7001:e887:62d5:fd5c:1183/64 scope global temporary deprecated dynamic
valid_lft 82400sec preferred_lft 0sec
inet6 x:x:x:7001:7e83:34ff:febe:b09c/64 metric 256 scope global dynamic mngtmpaddr
valid_lft 82400sec preferred_lft 68000sec
inet6 fe80::1/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::7e83:34ff:febe:b09c/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
5: guest@lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 7c:83:34:be:b0:9c brd ff:ff:ff:ff:ff:ff
inet 10.0.20.254/24 brd 10.0.20.255 scope global guest
valid_lft forever preferred_lft forever
inet6 x:x:x:7020:384c:ffca:2bb7:af47/64 scope global temporary dynamic
valid_lft 82400sec preferred_lft 64243sec
inet6 x:x:x:7020:6f98:4139:a482:f1eb/64 scope global temporary deprecated dynamic
valid_lft 82400sec preferred_lft 0sec
inet6 x:x:x:7020:7e83:34ff:febe:b09c/64 metric 256 scope global dynamic mngtmpaddr
valid_lft 82400sec preferred_lft 68000sec
inet6 fe80::1/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::7e83:34ff:febe:b09c/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
6: iot@lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 7c:83:34:be:b0:9c brd ff:ff:ff:ff:ff:ff
inet 10.0.10.254/24 brd 10.0.10.255 scope global iot
valid_lft forever preferred_lft forever
inet6 x:x:x:7010:e395:3d0:37d9:2be/64 scope global temporary dynamic
valid_lft 82400sec preferred_lft 63524sec
inet6 x:x:x:7010:5ccf:38dc:555e:a054/64 scope global temporary deprecated dynamic
valid_lft 82400sec preferred_lft 0sec
inet6 x:x:x:7010:7e83:34ff:febe:b09c/64 metric 256 scope global dynamic mngtmpaddr
valid_lft 82400sec preferred_lft 68000sec
inet6 fe80::1/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::7e83:34ff:febe:b09c/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
7: management@lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 7c:83:34:be:b0:9c brd ff:ff:ff:ff:ff:ff
inet 10.0.30.254/24 brd 10.0.30.255 scope global management
valid_lft forever preferred_lft forever
inet6 x:x:x:7030:2e30:b0b1:8c51:a572/64 scope global temporary dynamic
valid_lft 82400sec preferred_lft 63118sec
inet6 x:x:x:7030:a321:4fcd:7e25:c127/64 scope global temporary deprecated dynamic
valid_lft 82400sec preferred_lft 0sec
inet6 x:x:x:7030:7e83:34ff:febe:b09c/64 metric 256 scope global dynamic mngtmpaddr
valid_lft 82400sec preferred_lft 68000sec
inet6 fe80::1/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::7e83:34ff:febe:b09c/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
➜ ip r
default via 80.x.x.x dev wan0 proto dhcp src x.x.x.x metric 1024
10.0.0.0/24 dev lan0 proto kernel scope link src 10.0.0.254
10.0.10.0/24 dev iot proto kernel scope link src 10.0.10.254
10.0.20.0/24 dev guest proto kernel scope link src 10.0.20.254
10.0.30.0/24 dev management proto kernel scope link src 10.0.30.254
80.x.x.x/20 dev wan0 proto kernel scope link src 80.x.x.x metric 1024
80.x.x.x dev wan0 proto dhcp scope link src 80.x.x.x metric 1024
Everything works fine on the guest and iot VLANs; the problem is with the management one.
There are currently no other devices on this network, but when I connect my laptop to it by creating an interface with the correct VLAN ID, I see ARP requests for public IPs that are obviously outside the subnet.
This is the laptop's network configuration:
➜ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000
link/ether f4:4d:ad:02:ac:fd brd ff:ff:ff:ff:ff:ff
altname enp0s20f0u1u2u1
inet 10.0.0.55/24 metric 1024 brd 10.0.0.255 scope global dynamic lan0
valid_lft 4768sec preferred_lft 4768sec
inet6 x:x:x:7001:9667:e56d:71b:9ec8/64 scope global temporary dynamic
valid_lft 3445sec preferred_lft 1645sec
inet6 x:x:x:7001:f64d:adff:fe02:acfd/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 3445sec preferred_lft 1645sec
valid_lft 3445sec preferred_lft 1645sec
inet6 fe80::f64d:adff:fe02:acfd/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
3: lan1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq state DOWN group default qlen 1000
link/ether 0c:37:96:96:28:5d brd ff:ff:ff:ff:ff:ff
altname enp0s20f0u1u3i5
4: wifi0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether de:5f:48:3b:4a:ee brd ff:ff:ff:ff:ff:ff permaddr 7c:b5:66:65:be:72
altname wlp1s0
5: management@lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether f4:4d:ad:02:ac:fd brd ff:ff:ff:ff:ff:ff
inet 10.0.30.63/24 metric 2048 brd 10.0.30.255 scope global dynamic management
valid_lft 4764sec preferred_lft 4764sec
inet6 x:x:x:7030:a44f:5260:dda1:efdd/64 scope global temporary dynamic
valid_lft 3282sec preferred_lft 1482sec
inet6 x:x:x:7030:f64d:adff:fe02:acfd/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 3282sec preferred_lft 1482sec
inet6 fe80::f64d:adff:fe02:acfd/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
6: ztzlggwhus: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq state UNKNOWN group default qlen 1000
link/ether x:x:x:x:x:x brd ff:ff:ff:ff:ff:ff
inet 172.26.x.x/16 brd 172.26.255.255 scope global ztzlggwhus
valid_lft forever preferred_lft forever
inet6 x:x:x:x:x:x:x:x:x:x:x:x:x:x:x:x/88 scope global
valid_lft forever preferred_lft forever
inet6 x:x:x::1/40 scope global
valid_lft forever preferred_lft forever
inet6 fe80::x:x:x/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
➜ ip r
default via 10.0.0.254 dev lan0 proto dhcp src 10.0.0.55 metric 1024
10.0.0.0/24 dev lan0 proto kernel scope link src 10.0.0.55 metric 1024
10.0.0.254 dev lan0 proto dhcp scope link src 10.0.0.55 metric 1024
10.0.30.0/24 dev management proto kernel scope link src 10.0.30.63 metric 2048
172.26.x.x/16 dev ztzlggwhus proto kernel scope link src 172.26.x.x
When I run tcpdump on the management interface from the router or the laptop, I see normal IPv6 NDP packets and then a whole series of ARP requests like these:
➜ sudo tcpdump -s 1500 -i management -nn -vv
tcpdump: listening on management, link-type EN10MB (Ethernet), snapshot length 1500 bytes
00:29:12.774606 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 201.206.191.36 tell 10.0.30.63, length 28
00:29:12.775206 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 50.7.252.138 tell 10.0.30.63, length 28
00:29:12.775291 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 103.195.103.66 tell 10.0.30.63, length 28
00:29:12.775434 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 84.17.53.155 tell 10.0.30.63, length 28
00:29:12.775633 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 104.194.8.134 tell 10.0.30.63, length 28
00:29:13.792744 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 104.194.8.134 tell 10.0.30.63, length 28
00:29:13.792774 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 84.17.53.155 tell 10.0.30.63, length 28
00:29:13.792779 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 103.195.103.66 tell 10.0.30.63, length 28
00:29:13.792784 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 50.7.252.138 tell 10.0.30.63, length 28
00:29:13.792788 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 201.206.191.36 tell 10.0.30.63, length 28
00:29:14.816739 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 201.206.191.36 tell 10.0.30.63, length 28
00:29:14.816779 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 50.7.252.138 tell 10.0.30.63, length 28
00:29:14.816784 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 103.195.103.66 tell 10.0.30.63, length 28
00:29:14.816788 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 84.17.53.155 tell 10.0.30.63, length 28
00:29:14.816792 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 104.194.8.134 tell 10.0.30.63, length 28
00:29:17.780657 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 70.57.30.7 tell 10.0.30.63, length 28
00:29:18.784750 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 70.57.30.7 tell 10.0.30.63, length 28
00:29:19.808723 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 70.57.30.7 tell 10.0.30.63, length 28
^C
18 packets captured
18 packets received by filter
0 packets dropped by kernel
I find this very strange, because these addresses are clearly outside the subnet, so I would have expected the kernel to simply forward any packet for these addresses to the default gateway (10.0.0.254 on lan0) and not even try to send it over the management interface.
So I am trying to understand why these strange ARP requests for addresses outside the subnet are being sent, and whether I have misconfigured something.
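An added example, not part of the original post: a small Python check that parses `tcpdump -nn` ARP request lines like the ones in the capture above and counts the who-has targets that fall outside the prefixes that are on-link for the capture interface. The prefix 10.0.30.0/24 is the `scope link` route for `management` from the laptop's `ip r` output; the function names are hypothetical, and the last two sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Matches a tcpdump -nn ARP request line, e.g.
# "00:29:12.774606 ARP, ..., Request who-has 201.206.191.36 tell 10.0.30.63, length 28"
ARP_REQ = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, .*?"
    r"Request who-has (?P<target>\d+\.\d+\.\d+\.\d+)"
    r"(?: \([0-9a-fA-F:]+\))? tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)


def parse_arp_requests(lines):
    """Yield (timestamp, target, sender) for each ARP request line; skip the rest."""
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if m:
            yield (m["ts"], ipaddress.ip_address(m["target"]),
                   ipaddress.ip_address(m["sender"]))


def off_link_targets(lines, on_link_prefixes):
    """Count requests per (sender, target) whose target is outside every on-link prefix."""
    nets = [ipaddress.ip_network(p) for p in on_link_prefixes]
    hits = Counter()
    for _ts, target, sender in parse_arp_requests(lines):
        if not any(target in net for net in nets):
            hits[(str(sender), str(target))] += 1
    return hits


SAMPLE = [
    # The first three lines are copied from the capture in the post.
    "00:29:12.774606 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 201.206.191.36 tell 10.0.30.63, length 28",
    "00:29:13.792788 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 201.206.191.36 tell 10.0.30.63, length 28",
    "00:29:17.780657 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 70.57.30.7 tell 10.0.30.63, length 28",
    # Constructed: an ordinary on-link request and its reply, which must not be flagged.
    "00:29:20.000001 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.30.254 tell 10.0.30.63, length 28",
    "00:29:20.000350 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.30.254 is-at 7c:83:34:be:b0:9c, length 28",
]

if __name__ == "__main__":
    for (sender, target), n in off_link_targets(SAMPLE, ["10.0.30.0/24"]).items():
        print(f"{sender} sent {n} ARP request(s) for off-link target {target}")
```

Feeding it the output of `tcpdump -nn -i management arp` together with every `scope link` prefix that `ip r` lists for that interface shows which sender is resolving off-link addresses and how often it retries.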