Hi, Julien Cigar wrote:
On Wed, 2009-04-29 at 11:37 +0200, Sebastiaan van Erk wrote:Hi,I have a bridged OpenVPN setup where the OpenVPN tap0 driver is bridged (via bridge0) to the physical em1 interface, which has a VIP via a carp1 interface:em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM> ether 00:0c:29:61:2a:55 inet 10.0.80.77 netmask 0xffffff00 broadcast 10.0.80.255 media: Ethernet autoselect (1000baseTX <full-duplex>) status: activebridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500ether 9a:6a:9f:b2:65:da id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200 root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 11 priority 128 path cost 2000000 member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 2 priority 128 path cost 20000tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500ether 00:bd:48:03:00:00 Opened by PID 24616 carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500 inet 10.0.80.74 netmask 0xffffff00 carp: MASTER vhid 2 advbase 1 advskew 0The problem I have is that when I ping the VIP from a VPN client (on tap0), the server receives arp requests for the VIP on tap0, but it does not respond to them:# tcpdump -i tap0 -ln 11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6Is there any way to get the server to respond to arp requests on tap0 for the VIP?Maybe you've to do ARP Proxy on one side ? Try to add an ARP entry in the ARP table with arp (arp -s 22.214.171.124 MAC foo) ..
Thanks for the suggestion.Ok, static arp works: that is, if I take the carp1 mac address and add it to the arp table using:
arp -s 10.0.80.74 00:00:5e:00:01:02 pubThe ping starts to work. I'm still a bit confused why I have to do this though, because I can ping the non-shared IP 10.0.80.77 from the VPN client (via tap0) without any static arp, and I can ping the shared VIP (10.0.80.74) from clients on the physical network (em1) as well without any static arp. It's only when the ping it has to cross the bridge that it's an issue.
Description: S/MIME Cryptographic Signature