I can't ping .177... Perhaps it's the broadcast address for my IP range: if
another machine can't find my mac address, it sends it to the broadcast
address which spams it out over my subnet?
[EMAIL PROTECTED] [~]# ping 67.159.49.177
PING 67.159.49.177 (67.159.49.177) 56(84) bytes of data.
--- 67.159.49.177 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 4998ms
32/0.014 ms, pipe 2
I've tried flushing the arp cache on my machine, and I don't think it's an
issue with my ISP (why would .177 be arping if it was cached?).
My network diagram is along the lines of:
[a bunch of computers] - each with IP address 67.159.49.179-190, connected
via a vpn to tun0
|
|
[tun0 on my shorewall box] - 67.159.49.178 for convenience's sake
[shorewall with proxyarp between the two interfaces]
[eth0 on my shorewall box] - 67.159.44.246
|
[the wild internet] - where I've been assigned 44.246 for my server, and a
range of 13 usable addresses - 49.178 to 49.190.
Any bright ideas?
Thanks for the reply.
Jan
On 10/06/07, Jerry Vonau <[EMAIL PROTECTED]> wrote:
Jan Mulders wrote:
> Hello all.
>
> Having a few troubles with ProxyARP - Despite being configured in what looks
> to be a correct manner, my server is not responding to incoming ARP queries.
> Take a look:
>
> One machine (external to this entire network) pinging 67.159.49.180, a
> client on my VPN interface, tun0:
> seeds:~# ping 67.159.49.180
> PING 67.159.49.180 (67.159.49.180) 56(84) bytes of data.
> [no responses]
>
> My firewall machine, which is configured to proxyarp traffic between eth0
> and tun0 (see later for configs):
> [EMAIL PROTECTED] [/etc/openvpn]# tcpdump -i eth0 -n src 67.159.49.180 or dst 67.159.49.180
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 11:58:42.451208 arp who-has 67.159.49.180 tell 67.159.49.177
> 11:58:44.450829 arp who-has 67.159.49.180 tell 67.159.49.177
> 11:58:46.450709 arp who-has 67.159.49.180 tell 67.159.49.177
>
From where I am, I can ping 67.159.49.177 and .178 only
> The output of 'arp -n' on the firewall machine:
>
> [EMAIL PROTECTED] [~]# arp -n
> Address          HWtype  HWaddress          Flags Mask  Iface
> 67.159.44.1      ether   00:D0:01:1E:50:0A  C           eth0
> 67.159.49.184    *       *                  MP          eth0
> 67.159.49.185    *       *                  MP          eth0
> 67.159.49.186    *       *                  MP          eth0
> 67.159.49.187    *       *                  MP          eth0
> 67.159.49.188    *       *                  MP          eth0
> 67.159.49.189    *       *                  MP          eth0
> 67.159.49.190    *       *                  MP          eth0
> 67.159.49.179    *       *                  MP          eth0
> 67.159.49.180    *       *                  MP          eth0
> 67.159.49.181    *       *                  MP          eth0
> 67.159.49.182    *       *                  MP          eth0
> 67.159.49.183    *       *                  MP          eth0
Can you ping .177 from the firewall?
>
> My ifconfig:
>
> [EMAIL PROTECTED] [~]# ifconfig
> eth0 Link encap:Ethernet HWaddr 00:E0:4C:77:85:4A
> inet addr:67.159.44.246 Bcast:67.159.44.255 Mask:255.255.255.0
> inet6 addr: fe80::2e0:4cff:fe77:854a/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:60822 errors:0 dropped:0 overruns:0 frame:0
> TX packets:3960 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:4747174 (4.5 MiB) TX bytes:623330 (608.7 KiB)
> Interrupt:169 Base address:0x6000
>
> eth0:1 Link encap:Ethernet HWaddr 00:E0:4C:77:85:4A
> inet addr:66.90.117.9 Bcast:66.90.117.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> Interrupt:169 Base address:0x6000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:116 errors:0 dropped:0 overruns:0 frame:0
> TX packets:116 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:12509 (12.2 KiB) TX bytes:12509 (12.2 KiB)
>
> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> inet addr:67.159.49.178 P-t-P:67.159.49.178 Mask:255.255.255.240
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:100
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> (tun0 is handing out IPs to clients as .179, .180, etc)
>
> I have been given a /28 by my ISP, giving me 13 usable IPs. I've handed all
> but one of these out to my clients on tun0 (except for .178, which I'm using
> for hosting DNS and other things the clients should use directly).
>
> Interestingly, the machine complaining about the lack of arp is
> 67.159.49.177, which is one off the beginning of my range. Perhaps related
> to the 'network', 'router', and 'broadcast' addresses of my IP range?
>
What is .177? The router/gateway for the rest of the lan?
> My proxyarp configuration:
>
> #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
> # 67.159.49.178 tun0 eth0 no # commented out for tun0 ip use
> 67.159.49.179 tun0 eth0 no
> 67.159.49.180 tun0 eth0 no
> 67.159.49.181 tun0 eth0 no
> 67.159.49.182 tun0 eth0 no
> 67.159.49.183 tun0 eth0 no
> 67.159.49.184 tun0 eth0 no
> 67.159.49.185 tun0 eth0 no
> 67.159.49.186 tun0 eth0 no
> 67.159.49.187 tun0 eth0 no
> 67.159.49.188 tun0 eth0 no
> 67.159.49.189 tun0 eth0 no
> 67.159.49.190 tun0 eth0 no
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> Can anyone figure out why a previously working configuration (it worked fine
> last night!) would suddenly stop working? Why would my machine stop
> responding to arp requests? Have I broken something, or
arp cache maybe?
> overlooked/misunderstood/misconfigured anything?
>
> Any and all help will be greatly appreciated.
Maybe, need a better understanding of your layout.
.180's gateway is set to what?
What does ip route ls look like? Better yet how about a dump?
Jerry
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
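
Added example (not part of the original thread and not Shorewall's own code): a Python check that places an address within the /28 implied by tun0's address and mask, and cross-checks the proxyarp file against the published (P flag) rows of `arp -n`. The inputs are constructed to mirror the listings quoted above, and all function names are hypothetical.

```python
import ipaddress

# Constructed inputs mirroring the thread: tun0's address/mask, the Shorewall
# proxyarp file, and the unwrapped `arp -n` listing (.179-.190 published on eth0).
NET = ipaddress.ip_interface("67.159.49.178/255.255.255.240").network
PROXYARP = ("#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT\n"
            "# 67.159.49.178 tun0 eth0 no # commented out for tun0 ip use\n"
            + "".join(f"67.159.49.{h} tun0 eth0 no\n" for h in range(179, 191)))
ARP_N = ("Address HWtype HWaddress Flags Mask Iface\n"
         "67.159.44.1 ether 00:D0:01:1E:50:0A C eth0\n"
         + "".join(f"67.159.49.{h} * * MP eth0\n" for h in range(179, 191)))


def subnet_role(addr, net=NET):
    """Classify addr as 'network', 'broadcast', 'host' or 'outside' for net."""
    addr = ipaddress.ip_address(addr)
    if addr not in net:
        return "outside"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


def proxyarp_entries(text):
    """Yield (address, external interface) for each active proxyarp line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blank lines
        if len(fields) >= 3:
            yield fields[0], fields[2]


def published_entries(arp_text):
    """Return {(address, iface)} for rows whose flags include P (published)."""
    rows = (line.split() for line in arp_text.splitlines()[1:])
    # Assumes the Mask column is empty, as in the thread, so flags are next to last.
    return {(r[0], r[-1]) for r in rows if len(r) >= 5 and "P" in r[-2]}


def audit(proxyarp_text, arp_text, net=NET):
    """List proxyarp addresses that are unusable or not published externally."""
    published = published_entries(arp_text)
    findings = []
    for addr, ext in proxyarp_entries(proxyarp_text):
        role = subnet_role(addr, net)
        if role != "host":
            findings.append(f"{addr}: {role} address of {net}")
        elif (addr, ext) not in published:
            findings.append(f"{addr}: no published ARP entry on {ext}")
    return findings
```

On the thread's data the audit returns no findings, and 67.159.49.177 classifies as a host address of 67.159.49.176/28 rather than its network or broadcast address.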