ARP request from router and monitoring server

aychprox

Renowned Member
Oct 27, 2015
Hi,

I saw that the latest release of pve-firewall (3.0-19) is equipped with "ebtables: add arp filtering".

My cluster is running in multicast mode and no VLAN is implemented from my upstream router. The host and VM networks use openvswitch with different physical interfaces.

Issue:
When using iptraf-ng either from the host or a VM, we can see a lot of ARP requests which generate incoming traffic of about 100kb/s; it looks like some sort of ARP flood:

ARP request for 43.**MASK** (46 bytes) from 0c:c4**MASK** to ff:ff:ff:ff:ff:ff on vmbr1
UDP (78 bytes) from 169.**MASK** to 169.**MASK** on vmbr1
ARP request for 43.**MASK** (46 bytes) from 0c:c4**MASK** to ff:ff:ff:ff:ff:ff on vmbr1
ARP request for 103.**MASK** (46 bytes) from 0c:c4**MASK** to ff:ff:ff:ff:ff:ff on vmbr1
ARP request for 10.**MASK** (46 bytes) from 74:d4**MASK** to ff:ff:ff:ff:ff:ff on vmbr1
ARP request for 43.**MASK** (46 bytes) from 0c:c4**MASK** to ff:ff:ff:ff:ff:ff on vmbr1
ARP request for 103.**MASK** (46 bytes) from 0c:c4**MASK** to ff:ff:ff:ff:ff:ff on vmbr1

Mainly these ARP requests come from the router and the Zabbix server.
Although we drop them at host and VM level using arptables and iptables, the incoming ARP still persists and hits the host and VMs.

May I know how to eliminate this kind of issue by using ebtables?

In principle yes, but openvswitch does not work with ebtables; it should work if you use Linux bridges instead.

The proper way to implement this request is to use arptables, e.g.:

Code:
arptables -A INPUT --source-mac 0c:c4:11:22:33:44  -j DROP

Note: the "ebtables" option in Proxmox means only that Proxmox will use the ebtables feature internally when defining firewalls for VMs and containers. In your case you have to specify the ebtables commands explicitly.
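As an added illustration (not from the thread or from the Proxmox project), the script below parses iptraf-ng style lines like the ones quoted in the question, counts broadcast ARP requests per source MAC, and prints host-level arptables DROP rules in the exact form the reply gives for every source above a threshold. The log lines, MAC addresses, IP addresses and the threshold are constructed sample values; the rules are only printed, not applied, so the output can be reviewed before anything touches the host. As the reply notes, this covers the host's own INPUT chain; filtering ARP on the bridged path to VMs needs ebtables on Linux bridges rather than openvswitch.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Proxmox.
# Sample iptraf-ng output with constructed addresses and MACs.
SAMPLE_LOG='ARP request for 43.0.2.10 (46 bytes) from 0c:c4:11:22:33:44 to ff:ff:ff:ff:ff:ff on vmbr1
UDP (78 bytes) from 169.254.1.1 to 169.254.1.2 on vmbr1
ARP request for 43.0.2.11 (46 bytes) from 0c:c4:11:22:33:44 to ff:ff:ff:ff:ff:ff on vmbr1
ARP request for 103.0.113.7 (46 bytes) from 0c:c4:11:22:33:44 to ff:ff:ff:ff:ff:ff on vmbr1
ARP request for 10.0.0.5 (46 bytes) from 74:d4:aa:bb:cc:dd to ff:ff:ff:ff:ff:ff on vmbr1
ARP request for 10.0.0.9 (46 bytes) from 74:d4:aa:bb:cc:dd to ff:ff:ff:ff:ff:ff on vmbr1
ARP request for 43.0.2.12 (46 bytes) from 0c:c4:11:22:33:44 to ff:ff:ff:ff:ff:ff on vmbr1
ARP request for 192.0.2.40 (46 bytes) from 00:11:22:33:44:55 to ff:ff:ff:ff:ff:ff on vmbr1'

# arp_counts: read log text on stdin and print "<count> <source-mac>" for
# every source MAC that sent broadcast ARP requests, highest count first.
# In the iptraf-ng line format the source MAC is field 8 and the
# destination MAC is field 10; non-ARP lines (e.g. UDP) are ignored.
arp_counts() {
    awk '/^ARP request for/ && $10 == "ff:ff:ff:ff:ff:ff" { n[$8]++ }
         END { for (m in n) print n[m], m }' | sort -rn
}

# top_arp_source: the single MAC responsible for most ARP requests.
top_arp_source() {
    printf '%s\n' "$SAMPLE_LOG" | arp_counts | head -n 1 | cut -d' ' -f2
}

# arp_drop_rules THRESHOLD: print (do not execute) one arptables rule, in the
# form used in the reply above, for each MAC with at least THRESHOLD requests.
arp_drop_rules() {
    threshold="$1"
    printf '%s\n' "$SAMPLE_LOG" | arp_counts |
    while read -r count mac; do
        if [ "$count" -ge "$threshold" ]; then
            printf 'arptables -A INPUT --source-mac %s -j DROP\n' "$mac"
        fi
    done
}

# Stand-alone run: show the per-MAC counts, then the rules for the noisy senders.
printf '%s\n' "$SAMPLE_LOG" | arp_counts
arp_drop_rules 3
```

On a real host the same `arp_counts` function can be fed from a saved iptraf-ng log instead of `SAMPLE_LOG`; the threshold is a judgement call per network, since a router and a monitoring server legitimately send more ARP than an ordinary VM, and a rule generated for them should be confirmed against their known MACs before it is applied.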