It came to me in the night. It can be solved with routing.

Part of Cisco's routing table:

  [TARGET]       [MASK]           [GATEWAY]      [M][P]  [TYPE]  [IF]  [AGE]
  216.31.27.109  255.255.255.255  0.0.0.0        1       SHAR    VIP0  0
  216.31.27.104  255.255.255.248  216.31.27.109  1       SAR     VIP0  0

Openwrt's routing:

  216.31.27.105 dev vlan1 scope link
  216.31.27.104/29 dev br0 scope link
  172.17.0.0/24 dev br0 proto kernel scope link src 172.17.0.2
  default via 216.31.27.105 dev vlan1

For the LAN clients, you can either turn on proxy ARP on openwrt for vlan1, or you can add a static route for cisco via openwrt.

This works perfectly, even when the ARP cache gets a LAN host's MAC address in it (which it still does). I can ping from outside, to outside, and a traceroute from either direction shows us going through openwrt. In addition, cisco doesn't get any entries other than openwrt in its ARP cache, until the bizarre ICMP-induced entries occur.

There is one minor glitch that isn't going to bother me. I can't ping the cisco from some hosts in the LAN. I'm not sure why, but the ping replies are headed for the value in the ARP cache from cisco, regardless of the routing settings. But as I don't need to connect directly to cisco (I can get to it through minicom or openwrt as needed) and everything else works, I'm not concerned.

On Fri, 9 Mar 2007 at 00:13 -0700, Hans Fugal wrote:
> On Thu, 8 Mar 2007 at 23:32 -0700, Michael Torrie wrote:
> > On Thu, 2007-03-08 at 22:06 -0700, Hans Fugal wrote:
> > > Absolutely not. NAT is out of the question. NAT always causes more problems than it solves, even in enterprise. In enterprise, you have full-time sysadmins to go around chasing NAT issues and keeping a semblance of normalcy. I know, I used to be one. I will set my network up and just let it run. I will not be a slave to NAT.
> >
> > I disagree. Static one-to-one NAT (think of it as a layer 3 bridge) is clean and effective. You do just set it up once and let it run. No one's a slave to anything. Once you introduce dynamic NATing, then, yes, you will likely have problems. I have never had to chase down NAT problems. It just works. What problems have you observed?
>
> VOIP and bittorrent come to mind. Broken but widespread protocols, like SIP, that embed IP information inside the protocol.
>
> > > > You can do this by either creating 4 virtual interfaces on the openwrt box, or using some kind of proxyarp solution.
> > >
> > > Proxy ARP is the magic I needed.
> > > http://www.sjdjweis.com/linux/proxyarp/
> >
> > I see from my 5 second skim that the setup described here seems to be similar to yours.
> >
> > I'm not quite sure I understand your final setup, though. Would you care to elaborate for us?
>
> Sure. openwrt has two interfaces of interest. vlan1 is the port that cisco is connected to, and has a public address (27.109). br0 is the ports that everything else is connected to, and has a private address (0.2). I did try it with br0 having the same address as vlan1, as outlined in that article, and it worked fine also (same problem in the end though).
>
> Then I set up the routing as follows:
>
> openwrt# ip route
> 216.31.27.105 dev vlan1 scope link
> 216.31.27.104/29 dev br0 scope link
> 172.17.0.0/24 dev br0 proto kernel scope link src 172.17.0.2
> default via 216.31.27.105 dev vlan1
>
> I turn on proxy ARP in /proc/sys/net/ipv4/conf/{vlan1,br0}/proxy_arp, and set /proc/sys/net/ipv4/conf/{all,default}/proxy_ignore to 0 (it's apparently 1 by default on openwrt).
>
> Finally I remove vlan1 from br0.
>
> When I type "show arp" on the cisco, it gives me what I expect - everyone has the same MAC address (the address of openwrt), until one of those ping replies flies out with the real MAC address still embedded and cisco updates the cache for that host.
>
> --
> Hans Fugal ; http://hans.fugal.net
>
> There's nothing remarkable about it. All one has to do is hit the right keys at the right time and the instrument plays itself.
> -- Johann Sebastian Bach
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */

--
Hans Fugal ; http://hans.fugal.net

There's nothing remarkable about it. All one has to do is hit the right keys at the right time and the instrument plays itself.
-- Johann Sebastian Bach
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
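Added example, not part of the thread above: a small model of why the two routing tables in the post produce the ARP behaviour described (the Cisco only ever ARPs for openwrt's address, and LAN hosts that ARP for the Cisco get openwrt's MAC instead). The `ip route` text and the two Cisco routes are transcribed from the post; the interface name VIP0 is kept as printed and the Cisco's 0.0.0.0 gateway is read as on-link. `answers_arp` is a deliberately simplified model of the Linux `proxy_arp=1` rule (reply for a non-local target when the route to it leaves via an interface other than the one the request arrived on); it ignores `arp_ignore`, `arp_filter` and per-interface address selection.

```python
"""Model of the routing and proxy-ARP decisions in the openwrt/Cisco setup.

Added illustration, not code from the original thread. Standard library only.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                      # output interface
    via: Optional[IPv4] = None    # None means on-link ("scope link")


def parse_ip_route(text: str) -> list[Route]:
    """Parse `ip route` output of the shape quoted in the post."""
    routes: list[Route] = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        if "/" not in dst:
            dst += "/32"          # bare address = host route
        dev, via = "", None
        for i, tok in enumerate(fields[1:-1], start=1):
            if tok == "dev":
                dev = fields[i + 1]
            elif tok == "via":
                via = IPv4(fields[i + 1])
        routes.append(Route(ipaddress.IPv4Network(dst), dev, via))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as any IP forwarder does it."""
    addr = IPv4(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def arp_target(routes: list[Route], dst: str) -> Optional[tuple[str, str]]:
    """(output interface, address that gets ARPed for) when sending to dst.

    On-link routes ARP for the destination itself; gateway routes ARP for
    the gateway, so the destination's own MAC never enters the cache.
    """
    r = lookup(routes, dst)
    if r is None:
        return None
    return r.dev, str(r.via if r.via is not None else IPv4(dst))


def answers_arp(routes: list[Route], own_addrs: set[IPv4],
                in_dev: str, target: str) -> bool:
    """Simplified model of Linux with proxy_arp=1 on in_dev (assumption).

    Own addresses get an ordinary reply. Anything else is answered only if
    the route to it leaves via a different interface than the request came
    in on; hosts that are on-link on the same interface ARP each other.
    """
    if IPv4(target) in own_addrs:
        return True
    r = lookup(routes, target)
    return r is not None and r.dev != in_dev


# Transcribed from the post: openwrt's `ip route` output.
OPENWRT_IP_ROUTE = """
216.31.27.105 dev vlan1 scope link
216.31.27.104/29 dev br0 scope link
172.17.0.0/24 dev br0 proto kernel scope link src 172.17.0.2
default via 216.31.27.105 dev vlan1
"""
OPENWRT = parse_ip_route(OPENWRT_IP_ROUTE)
OPENWRT_ADDRS = {IPv4("216.31.27.109"), IPv4("172.17.0.2")}

# Transcribed from the Cisco table in the post; gateway 0.0.0.0 read as on-link.
CISCO = [
    Route(ipaddress.IPv4Network("216.31.27.109/32"), "VIP0"),
    Route(ipaddress.IPv4Network("216.31.27.104/29"), "VIP0", IPv4("216.31.27.109")),
]

if __name__ == "__main__":
    for dst in ("216.31.27.109", "216.31.27.110"):
        print("cisco   ->", dst, arp_target(CISCO, dst))
    for dst in ("216.31.27.110", "216.31.27.105", "1.2.3.4"):
        print("openwrt ->", dst, arp_target(OPENWRT, dst))
    for in_dev, tgt in (("vlan1", "216.31.27.110"), ("br0", "216.31.27.110"),
                        ("br0", "216.31.27.105")):
        print(f"ARP on {in_dev} for {tgt}: openwrt answers ="
              f" {answers_arp(OPENWRT, OPENWRT_ADDRS, in_dev, tgt)}")
```

Running it shows the Cisco resolving every /29 destination to 216.31.27.109 (hence the single MAC in `show arp`), openwrt forwarding the /29 on-link onto br0 while its own default goes out vlan1, and proxy ARP on openwrt answering a vlan1 request for .110 but not a br0 request for the same address. The model says nothing about the ICMP-induced cache entries the post mentions; that behaviour is outside what the two tables alone determine.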
