
Bridging and ARP issues



Hi.

I've just tried upgrading to 2.9 (from 2.8) and I've found that my
firewall configuration is now broken.

Courtesy of pacbell, I have a 29-bit network address (x.x.x.208/29),
which I've configured as follows (excuse the ASCII art):


                                            ----- ...
                                           /
          Modem     ne3     OpenBSD   dc0 /                
DSL <-> |x.x.x.209|------|x.x.x.214|---------|x.x.x.210|
                                          \
                                           \
                                            ----- ...


The OpenBSD box has two NICs, ne3 on the modem side, and dc0 in the
internal side.  It's configured to do transparent bridging and
filtering, and also has an IP assigned to the internal interface
(dc0).

Under 2.8 everything worked fine, with the two interfaces bridged
happily, and everything externally accessible.

Under 2.9 (both release and the most up to date OPENBSD_2_9), the
OpenBSD box ignores arp replies from the modem (.209).

Under 2.9 release, I was seeing:

arp: attempt to add entry for xx.xxx.xxx.209 on dc0 by 00:10:67:00:d1:a1 on ne3

Under the 2.9 branch, I don't see these messages, but it's still
broken.  Initially the modem's arp address is unknown, but given
enough time, it is recorded.  However, it still remains unused, and no
traffic destined for the modem (and hence the default gateway) makes
it out from the OpenBSD box.

When the arp is recorded, it is recorded on dc0 (the internal
interface).  Based on blinking lights, it seems that outgoing pings
destined for the modem are sent out ne3, but are either incorrect, or
the replies are dropped (it is possible to ping the gateway from
internal boxen).

Meanwhile, the internal network (i.e. anything on dc0) is totally
accessible to the OpenBSD box, and it is bridging (and filtering)
traffic correctly.

Any ideas?

Thanks,
--Andrew

[Please CC me, I'm not on the list]