Data Link Layer Advertising with ladvd


Configuring ladvd under pfSense 2.1.5.

ladvd sends LLDP (Link Layer Discovery Protocol) advertisements on all available interfaces. This makes connected hosts visible on managed switches. By default, it will run as a privilege-separated daemon. In addition to LLDP, ladvd also supports the following protocols:

  • Cisco Discovery Protocol (CDP): This is a proprietary Data Link Layer protocol developed by Cisco Systems. It is used to share information about other directly connected Cisco equipment, such as the operating system version and IP address. It can also be used for On-Demand Routing, which is a method of including routing information in CDP announcements so that dynamic routing protocols do not need to be used in simple networks.
  • Extreme Discovery Protocol (EDP): Another proprietary Data Link Layer protocol; this one was developed by Extreme Networks.
  • Nortel Discovery Protocol (NDP): A proprietary Data Link Layer protocol used for discovery of Nortel networking devices and certain products from Avaya and Ciena. The device and topology information may be graphically displayed by network management software. This protocol had its origin in the SynOptics Network Management Protocol (SONMP) in the 1990s. When SynOptics and Wellfleet Communications merged in 1994, the merged company was named Bay Networks, and SONMP was rebranded as the Bay Network Management Protocol (BNMP) or the Bay Discovery Protocol (BDP). When Bay Networks was itself acquired by Nortel, they renamed it the Nortel Discovery Protocol (NDP).


ladvd Installation and Configuration

To install ladvd under pfSense, navigate to System -> Packages. On the list of packages, scroll down to “ladvd”, and press the “plus” button on the right side. When the install page comes up, press the “Confirm” button to confirm installation. The installation should not take more than 5 minutes.

Once ladvd is installed, there will be a new item on the “Services” menu called “LADVD”, from which you can configure ladvd. There are two tabs on the configuration page, “General” and “Status”. Clicking on the “General” tab will allow you to configure all the basic settings. The “Enable ladvd” check box allows you to enable or disable ladvd. The “Interfaces” list box allows you to select the interfaces to which ladvd will bind (you can select multiple interfaces). The “Auto-enable protocols” check box allows you to auto-enable protocols based on received packets. The “Silent” check box will cause ladvd to function without transmitting packets. The “Management interfaces” dropdown box allows you to select the management interfaces for this host; IPv4 and IPv6 addresses on this interface are auto-detected. In the “System Location” edit box, you can specify the physical location of the host. Finally, the last four check boxes allow you to enable specific Link Layer protocols: currently, LLDP, CDP, EDP and NDP are supported. Pressing the “ladvd” button at the bottom of the page saves the settings.

The second tab, “Status”, allows you to see information about ladvd devices as well as a detailed decode of Link Layer traffic.
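To show what the “detailed decode” on the Status tab is actually working with, here is an added example (not ladvd's code, and not from the original post) that builds the kind of LLDP frame ladvd sends and then decodes it TLV by TLV. The host name, MAC and management address in the sample frame are constructed values; the TLV type numbers and layouts are those of IEEE 802.1AB. The decoder also handles a TLV whose length field runs past the end of the frame, which is the case a defender's decoder must survive when it reads frames from an untrusted segment.

```python
"""Build and decode LLDP advertisements of the kind ladvd emits (added example)."""
import struct

LLDP_MULTICAST = "01:80:c2:00:00:0e"   # nearest-bridge group address used by LLDP
ETHERTYPE_LLDP = 0x88CC

# TLV type numbers from IEEE 802.1AB
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYSTEM_NAME, TLV_SYSTEM_DESC, TLV_MGMT_ADDR = 5, 6, 8


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def tlv(tlv_type: int, value: bytes) -> bytes:
    """One TLV: 7-bit type and 9-bit length packed into two bytes, then the value."""
    if not 0 <= len(value) <= 0x1FF:
        raise ValueError("TLV value does not fit the 9-bit length field")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac, port_name, ttl, system_name, system_desc, mgmt_ipv4):
    """Ethernet frame carrying an LLDPDU with the mandatory TLVs plus a few optional ones."""
    # Management address TLV: address string length (subtype + address), subtype 1 = IPv4,
    # the address, interface numbering subtype 1 = unknown, 4-byte interface number, OID length 0.
    ip = bytes(int(o) for o in mgmt_ipv4.split("."))
    mgmt = bytes([1 + len(ip), 1]) + ip + bytes([1]) + struct.pack("!I", 0) + bytes([0])
    lldpdu = (
        tlv(TLV_CHASSIS_ID, bytes([4]) + mac_to_bytes(src_mac))   # chassis subtype 4 = MAC address
        + tlv(TLV_PORT_ID, bytes([5]) + port_name.encode())      # port subtype 5 = interface name
        + tlv(TLV_TTL, struct.pack("!H", ttl))
        + tlv(TLV_SYSTEM_NAME, system_name.encode())
        + tlv(TLV_SYSTEM_DESC, system_desc.encode())
        + tlv(TLV_MGMT_ADDR, mgmt)
        + tlv(TLV_END, b"")
    )
    header = mac_to_bytes(LLDP_MULTICAST) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_LLDP)
    return header + lldpdu


def parse_lldp_frame(frame: bytes) -> dict:
    """Walk the TLV chain; stop at the End TLV or at the first TLV that overruns the frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    info = {"src_mac": bytes_to_mac(frame[6:12]), "malformed": False}
    off = 14
    while off + 2 <= len(frame):
        header = struct.unpack("!H", frame[off:off + 2])[0]
        ttype, tlen = header >> 9, header & 0x1FF
        value = frame[off + 2:off + 2 + tlen]
        if len(value) != tlen:            # length field claims more bytes than remain
            info["malformed"] = True
            break
        off += 2 + tlen
        if ttype == TLV_END:
            break
        if ttype == TLV_CHASSIS_ID and value:
            info["chassis_id"] = bytes_to_mac(value[1:]) if value[0] == 4 else value[1:].decode(errors="replace")
        elif ttype == TLV_PORT_ID and value:
            info["port_id"] = bytes_to_mac(value[1:]) if value[0] == 3 else value[1:].decode(errors="replace")
        elif ttype == TLV_TTL and tlen == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif ttype == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode(errors="replace")
        elif ttype == TLV_SYSTEM_DESC:
            info["system_desc"] = value.decode(errors="replace")
        elif ttype == TLV_MGMT_ADDR and len(value) >= 2:
            alen, subtype = value[0], value[1]
            addr = value[2:1 + alen]
            if subtype == 1 and len(addr) == 4:
                info["management_address"] = ".".join(str(b) for b in addr)
    return info


# Constructed sample: what a pfSense box running ladvd on em0 might advertise (values are made up).
SAMPLE_FRAME = build_lldp_frame("00:11:22:33:44:55", "em0", 120,
                                "pfsense-edge", "pfSense 2.1.5 (FreeBSD)", "192.0.2.1")

# A TLV header that promises 10 bytes but delivers 3: the decoder must not read past the buffer.
TRUNCATED_FRAME = (SAMPLE_FRAME[:14] + tlv(TLV_TTL, struct.pack("!H", 120))
                   + struct.pack("!H", (TLV_SYSTEM_NAME << 9) | 10) + b"abc")

if __name__ == "__main__":
    print(parse_lldp_frame(SAMPLE_FRAME))
    print(parse_lldp_frame(TRUNCATED_FRAME))
```

The TTL TLV is what a switch uses to age a neighbour out of its table; an advertiser that stops sending will disappear from the switch's neighbour list after that many seconds, which is why the “Silent” setting above changes what your neighbours see of the firewall.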


External Links:

The official ladvd site

Ubuntu man page for ladvd

Arping with pfSense: Installation and Use


Arping in action under pfSense 2.1.3.

Arping is a computer software tool that is used to discover hosts on a computer network, and is available as a package for pfSense. The program tests whether a given IP address is in use on the local network, and it can get additional information about the device using that address. The utility is similar to the ping utility, which has been discussed on this site in an earlier posting. Whereas ping probes hosts using the Internet Control Message Protocol (a routable protocol that operates on the network layer of the OSI model), arping operates entirely on the data link layer.

There are two popular arping implementations. One of them, part of the Linux iputils suite, cannot resolve MAC addresses to IP addresses. However, the version of this utility that is available as a package for pfSense was written by Thomas Habets and can ping hosts by MAC address as well as by IP address.


Installing Arping

Installing this utility is easy. In the pfSense web GUI, navigate to System -> Packages and click on the “Available Packages” tab. Arping should be on the list. Scroll down to arping and click on the “plus” button on the right side to install arping. The pfSense package installer will ask you to confirm that you want to install arping; press the “Confirm” button. The package installer status window will provide information about the installation and let you know when installation is complete. Once it is, arping should appear on the “Installed Packages” tab.

Using Arping

Once arping is installed, you can access arping by navigating to Services -> Arping. From there, you can enter a host IP or MAC address and press the “ARPing” button to ARP ping.

What is it good for, given that the utility essentially replicates the functionality of ping? One case where arping is helpful is when the host you want to ping is firewalled and will not respond to a ping request. Even a firewalled host will respond to ARP, since a host that ignored ARP requests could not be reached on its own segment at all.

Another case is when you do not have network layer (layer 3) connectivity to the host you wish to ping (possibly because you want to find out if an IP is taken), but you have data link layer (layer 2) connectivity. Without network layer connectivity, you won’t be able to ping a host, but you can use ARP (since ARP is a data link layer protocol), albeit only for hosts on the local subnet. One note of caution is that on networks employing repeaters that use proxy ARP, the ARP response may be coming from a proxy host and not from the probed target.
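The two use cases above (is this address taken, and who is answering for it) come down to reading the ARP replies that follow a request. As an added example, not arping's own code and not part of the original post, the Python below builds the broadcast ARP request an arping probe sends, decodes replies, and then lists the distinct MAC addresses claiming the probed IP. The MACs and addresses in the sample frames are constructed. The third reply models the proxy ARP caveat: when more than one MAC answers for the same address, the reply cannot be taken as proof that the probed host itself is up.

```python
"""Build and decode the ARP frames an arping probe exchanges (added example)."""
import struct
from typing import List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op, src_mac, src_ip, dst_mac, target_mac, target_ip) -> bytes:
    """Ethernet header + ARP body: hardware type 1 (Ethernet), protocol 0x0800 (IPv4)."""
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_to_bytes(src_mac) + ip_to_bytes(src_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + body


def build_arp_request(src_mac, src_ip, target_ip) -> bytes:
    """A who-has request goes to the broadcast MAC with an all-zero target hardware address."""
    return build_arp(ARP_REQUEST, src_mac, src_ip, BROADCAST_MAC, ZERO_MAC, target_ip)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet/IPv4 ARP frame; return None for anything else (too short, wrong type)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]), "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]), "target_ip": bytes_to_ip(frame[38:42]),
    }


def responders_for(probed_ip: str, frames: List[bytes]) -> List[str]:
    """Distinct MACs that sent an ARP reply claiming probed_ip (requests and other IPs ignored)."""
    macs = set()
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == ARP_REPLY and arp["sender_ip"] == probed_ip:
            macs.add(arp["sender_mac"])
    return sorted(macs)


def describe(probed_ip: str, frames: List[bytes]) -> str:
    """Zero replies: address looks unused. One: normal. Several: proxy ARP or an IP conflict."""
    macs = responders_for(probed_ip, frames)
    if not macs:
        return f"{probed_ip}: no reply, address appears unused on this segment"
    if len(macs) == 1:
        return f"{probed_ip} is at {macs[0]}"
    return f"{probed_ip} answered by {len(macs)} MACs ({', '.join(macs)}): proxy ARP or IP conflict"


# Constructed sample traffic: a pfSense box probing 192.0.2.50 and the frames that come back.
PROBE_MAC, PROBE_IP = "00:11:22:33:44:55", "192.0.2.1"
SAMPLE_FRAMES = [
    build_arp_request(PROBE_MAC, PROBE_IP, "192.0.2.50"),                                     # our own request
    build_arp(ARP_REPLY, "00:aa:aa:aa:aa:aa", "192.0.2.50", PROBE_MAC, PROBE_MAC, PROBE_IP),  # the host itself
    build_arp(ARP_REPLY, "00:bb:bb:bb:bb:bb", "192.0.2.50", PROBE_MAC, PROBE_MAC, PROBE_IP),  # a proxy ARP router
    build_arp(ARP_REPLY, "00:cc:cc:cc:cc:cc", "192.0.2.51", PROBE_MAC, PROBE_MAC, PROBE_IP),  # unrelated address
    b"\x00" * 20,                                                                             # not ARP at all
]

if __name__ == "__main__":
    print(describe("192.0.2.50", SAMPLE_FRAMES))
    print(describe("192.0.2.99", SAMPLE_FRAMES))
```

Sending these frames for real requires a raw socket and root, which is exactly why arping runs on the firewall rather than from a workstation; the decoding and the more-than-one-responder check are the part worth keeping when you script around its output.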


External Links:

Arping website for Thomas Habets’ arping

Arping on Wikipedia

pfSense Virtual IP Addresses: Part Two

In the previous article, I covered setting up pfSense virtual IP addresses with Proxy ARP and CARP. In this article, I will cover pfSense virtual IP addresses with IP Alias and Other types.

pfSense Virtual IP Addresses: IP Alias


Setting up a pfSense virtual IP address with IP Alias in pfSense 2.0.

IP aliasing is the ability to associate more than one IP address with a network interface. With it, one node on a network can have multiple connections to a network, each serving a different purpose. In a sense, it is the reverse of some of the other scenarios envisioned with virtual IP addresses, in which traffic for one IP address can be directed to several different nodes. The properties of IP Alias are:

  • New to pfSense 2.0 (and later)
  • Can be used or forwarded by the firewall
  • Allows entire IP addresses to be added to an interface
  • Works on Layer 2 (Data link layer)
  • Can be in a different subnet than the real interface IP
  • Will respond to a ping request if allowed by firewall rules
  • Can be stacked on top of a CARP VIP to bypass VHID limits and lower the amount of CARP heartbeat traffic. Stacked IP Alias VIPs will synchronize via XMLRPC.
  • Can be used with CARP to add additional subnets to CARP, e.g. Add one unique IP Alias from the new subnet to each node, then add CARP VIPs. Must be added to each node individually as these will not synchronize via XMLRPC or else an IP conflict would occur.


To set up a VIP using IP Alias, start at Firewall -> Virtual IPs and once again click on the “plus” button to add a new virtual IP address. Select “IP Alias” as the “Type” with the radio buttons at the top. For “Interface”, select “WAN” (it should be the default). At “IP Addresses”, type an address at “Address” (everything else should be grayed out). At “Description”, add a description if desired. Click on the “Save” button to save the changes, and then on the next screen, click on “Apply changes” if necessary.


pfSense Virtual IP Addresses: Other

“Other” is the only option of the four provided for VIPs in pfSense 2.0 that can be used if routed to the firewall without needing ARP/Layer 2 messages. Its properties are:

  • Can only be forwarded by the firewall
  • Can be in a different subnet than the interface
  • Cannot respond to pings
  • Can be added individually or as a subnet to make a group of VIPs (As of 2.1)
  • Can be used with CARP, e.g. subnet routed to external CARP VIP

Notably, both IP Alias and Other can be used for clustering (master firewall and standby failover firewall).

To add a virtual IP of type “Other”, again navigate to Firewall -> Virtual IPs and click the “plus” button to add a new virtual IP address. At type, choose “Other” with the radio buttons. At “Interface”, select “WAN” (the default). At “IP Addresses”, type an address at “Address” (all other options are grayed out). At “Description”, add a description if desired. Then press “Save” to save the changes and press “Apply changes” if necessary.

As you can see, setting up pfSense virtual IP addresses is almost trivially easy. The more difficult task is deciding which type of VIP is suited for your requirements and choosing accordingly. The official pfSense documentation site has a table which lists some of the features of the different pfSense VIP types, and I am reprinting it here:

VIP Features Table

VIP Features

VIP Type   Version  NAT  Binding  ARP/L2  Clustering  In Subnet  Subnet Mask  ICMP    Single/Group
CARP       1.x+     Yes  Yes      Yes     Yes         Yes        Yes          Yes     Single
Proxy ARP  1.x+     Yes  No       Yes     No          No         n/a          No (1)  Either
Other      1.x+     Yes  No       No      Yes (2)     No         n/a          No (1)  Either
IP Alias   2.0+     Yes  Yes      Yes     See Notes   No         No           Yes     Single

1: ICMP Column represents responses from the firewall itself without NAT. With 1:1 NAT, any VIP will pass ICMP through to the target device. On 2.1+ ICMP can also be used as a protocol in port forward entries.
2: “Other” type VIPs are for routed subnets, and CARP is irrelevant, so they work

External Links:

What are Virtual IP Addresses? at doc.pfsense.org

pfSense Virtual IP Addresses: Part One


Virtual IP address configuration page in pfSense.

A virtual IP address (VIP or VIPA) is an IP address that is not assigned to a specific single server or network interface card (NIC). Rather, it is assigned to multiple applications on a single server, multiple domain names, or multiple servers. Normally, a server IP address depends on the MAC address of the attached NIC, and only one logical IP may be assigned per card. However, VIP addressing enables hosting for several different applications and virtual appliances on a server with only one logical IP address. VIPs have several variations and implementations, including Common Address Redundancy Protocol (CARP) and Proxy Address Resolution Protocol (Proxy ARP).

pfSense Virtual IP Addresses: Proxy ARP

pfSense allows four types of virtual IP addresses: Proxy ARP, CARP, Other, and IP Alias. In this article, I will cover how to configure pfSense virtual IP addresses using Proxy ARP and CARP.


The different types of virtual IP addresses have slightly varied properties. With proxy ARP, the properties are:

  • Can only be forwarded by the firewall (cannot be used by the firewall)
  • Uses Layer 2 (the data link layer) traffic
  • Can be in a different subnet than the interface
  • Cannot respond to pings

Once the Virtual IP has been entered and saved, it is added to the list.

To configure a Proxy ARP virtual IP address, browse to Firewall -> Virtual IPs and click the “plus” button to add a new virtual IP address. At type, there are four radio buttons; select the radio button for “Proxy ARP” (it should be the default selection). For “Interface”, select “WAN”. At “IP Address(es)”, select “Single address” for “Type” (this should be the default). At “Address”, specify an IP address. At “Description”, enter a description if desired. Then press “Save” to save the changes and “Apply changes” to apply changes if necessary.

Now, the newly-created VIP should be listed at the “Virtual IPs” tab at Firewall -> Virtual IPs.

pfSense Virtual IP Addresses: CARP

You can also configure a virtual IP with CARP in pfSense 2.0. The properties for a CARP VIP include:

  • Can be used or forwarded by the firewall
  • Uses Layer 2 (data link layer) traffic
  • Should be used in firewall fail-over or load-balancing scenarios
  • Must be in the same subnet as the interface
  • Will respond to pings if configured properly

To set up a CARP virtual IP address, browse to Firewall -> Virtual IPs and click the “plus” button to add a new virtual IP address. At “Type”, select the “CARP” radio button, and at “Interface”, select “WAN” (it should be the default). At “IP address(es)”, specify an IP address. At “Virtual IP Password”, specify a password. At “VHID Group”, choose a group. At “Advertising Frequency”, select a frequency (0 for master). At “Description”, add a description if desired. Then press “Save” to save the changes and “Apply changes” to apply the changes if necessary.
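The GUI will accept a CARP VIP that is outside the interface subnet or that reuses a VHID already in play, and the failure only shows up later as a VIP that never becomes master. As an added example (not pfSense code, and not part of the original post), the Python below checks VIP definitions against the per-type rules stated in these articles: a CARP VIP must be in the interface subnet and needs a password, a VHID group and an advertising skew, while Proxy ARP, IP Alias and Other VIPs may sit in a different subnet. The field ranges it enforces, VHID 1 to 255 and skew 0 to 254, come from the CARP protocol's 8-bit fields rather than from the articles, and the `VirtualIP` record, interface names and addresses are constructed for the example.

```python
"""Sanity-check pfSense virtual IP definitions against the per-type rules (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VirtualIP:
    vip_type: str                   # "carp", "ipalias", "proxyarp" or "other"
    interface: str                  # e.g. "wan" (hypothetical name used for grouping)
    interface_addr: str             # the interface's real address with prefix, e.g. "192.0.2.1/24"
    address: str                    # the VIP with prefix, e.g. "192.0.2.10/24"
    vhid: Optional[int] = None      # CARP only: "VHID Group"
    password: str = ""              # CARP only: "Virtual IP Password"
    advskew: Optional[int] = None   # CARP only: the "Advertising Frequency" skew (0 on the master)


def validate_vip(vip: VirtualIP) -> List[str]:
    """Return the list of rule violations; an empty list means the definition is consistent."""
    problems = []
    iface = ipaddress.ip_interface(vip.interface_addr)
    try:
        addr = ipaddress.ip_interface(vip.address)
    except ValueError:
        return [f"{vip.address!r} is not a valid IP address"]
    if addr.ip == iface.ip:
        problems.append("VIP duplicates the interface's own address")
    if vip.vip_type == "carp":
        # CARP VIPs must live in the interface subnet; the other three types may use a foreign subnet.
        if addr.ip not in iface.network:
            problems.append(f"CARP VIP {addr.ip} is outside interface subnet {iface.network}")
        if vip.vhid is None or not 1 <= vip.vhid <= 255:   # CARP carries the VHID in an 8-bit field
            problems.append("CARP VIP needs a VHID group between 1 and 255")
        if not vip.password:
            problems.append("CARP VIP needs a password")
        if vip.advskew is None or not 0 <= vip.advskew <= 254:
            problems.append("CARP advertising skew must be between 0 and 254")
    elif vip.vip_type not in ("ipalias", "proxyarp", "other"):
        problems.append(f"unknown VIP type {vip.vip_type!r}")
    return problems


def vhid_conflicts(vips: List[VirtualIP]) -> List[int]:
    """VHIDs used by more than one CARP VIP on the same interface; a VHID must be unique per segment."""
    counts = Counter((v.interface, v.vhid)
                     for v in vips if v.vip_type == "carp" and v.vhid is not None)
    return sorted({vhid for (_, vhid), n in counts.items() if n > 1})


if __name__ == "__main__":
    # Constructed definitions: one good CARP VIP and one that breaks three rules at once.
    good = VirtualIP("carp", "wan", "192.0.2.1/24", "192.0.2.10/24", vhid=1, password="s3cret", advskew=0)
    bad = VirtualIP("carp", "wan", "192.0.2.1/24", "198.51.100.10/24", vhid=300, password="", advskew=0)
    for v in (good, bad):
        print(v.address, validate_vip(v) or "ok")
```

Running such a check before each “Apply changes” is cheap, and the VHID uniqueness test is the one that catches the stacked IP Alias on CARP arrangement from part two going wrong: the aliases share the CARP VIP's VHID by design, but two CARP VIPs on one interface must not.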

Once again, the “Virtual IPs” tab under Firewall -> Virtual IPs should display the newly-created VIP within the list of pfSense virtual IP addresses.

In part two of this series, I will cover setting up virtual IP addresses with the IP Alias (new to pfSense 2.0) and Other types.


External Links:

What are Virtual IP Addresses? at doc.pfsense.org

© 2013 David Zientara. All rights reserved.