On 27/08/07 1:07, "Tom Eastep" <[EMAIL PROTECTED]> wrote:

> Lars E. D. Jensen wrote:
>> Hello list
>>
>> I'm trying to get Proxy ARP to work on a virtual xen network using
>> shorewall-perl 4.0.2.
>>
>> I have 1 dom0 with 4 physical NICs.
>>
>> On each dom0 NIC I've made a bridge (except for eth1, which is used for AoE
>> storage).
>>
>> Shorewall is running in a domU where:
>> DomU eth0 is created on xenbr0
>> DomU eth1 is created on xenbr2
>>
>> I've installed a domU, a DMZ server, where:
>> DomU eth0 is created on xenbr2
>>
>> The DMZ server should be able to access the Internet through the Shorewall
>> domU. I have followed http://www.shorewall.net/ProxyARP.htm, but I get this
>> in the log:
>>
>> dcm-firewall kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1
>> SRC=192.168.1.20 DST=89.150.129.4 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=63169
>> DF PROTO=UDP SPT=32768 DPT=53 LEN=57
>>
>> Is there something basic I'm missing here? (attached a shorewall dump also)
>>
>
> A check of Shorewall FAQ 17 (http://www.shorewall.net/FAQ.htm#faq17)
> would have told you that when the IN= interface is equal to the OUT=
> interface and traffic is being dropped/rejected in the FORWARD chain
> that you need the 'routeback' option on the interface (eth1).

Now that's gone...

> Adding that option will get rid of the message but it begs the question
> why 192.168.1.20 is routing traffic to 89.150.129.4 through the
> Shorewall box in the first place given that 192.168.1.20 is on the same
> LAN as the firewall's default gateway.

I've followed this from ProxyARP.htm:

The lower systems (130.252.100.18 and 130.252.100.19) should have their subnet mask and default gateway configured exactly the same way that the Firewall system's eth0 is configured. In other words, they should be configured just like they would be if they were parallel to the firewall rather than behind it.

The DMZ server 192.168.1.20 is set up with the same network config as the firewall's eth0/192.168.1.15, that is with gateway 192.168.1.1.

Thanks.

Lars
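The FAQ 17 rule Tom applies by eye (a DROP or REJECT in the FORWARD chain whose IN= and OUT= interface are the same means the interface needs `routeback`) is easy to check mechanically over a kernel log. The script below is an added example written for this thread, not Shorewall's own tooling: it parses the `Shorewall:CHAIN:DISPOSITION:KEY=VALUE ...` log format, applies the rule to every line, and reports per interface which source/destination pairs tripped it. The first sample line is the one Lars posted; the other three are constructed to show a normal cross-interface drop, a REJECT on a different interface, and a non-FORWARD line, none of which should be flagged (or, for the eth0 REJECT, should be flagged separately). It generalizes the thread's single case to REJECT dispositions and to any interface.

```python
import re

# Constructed sample log: line 1 is the line quoted in the thread, the
# remaining lines are made up to exercise the non-matching cases.
SAMPLE_LOG = """\
dcm-firewall kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1 SRC=192.168.1.20 DST=89.150.129.4 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=63169 DF PROTO=UDP SPT=32768 DPT=53 LEN=57
dcm-firewall kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
dcm-firewall kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.15 DST=192.168.1.30 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=ICMP TYPE=8 CODE=0
dcm-firewall kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=5555 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Shorewall's log prefix: "Shorewall:<chain>:<disposition>:" followed by
# the netfilter KEY=VALUE fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):")


def parse_line(line):
    """Return a dict with chain, disposition and the KEY=VALUE fields, or None
    if the line is not a Shorewall log line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for tok in line[m.end():].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            # netfilter prints LEN= twice (IP total length, then UDP length);
            # setdefault keeps the first occurrence and ignores the repeat.
            rec.setdefault(key, value)
        else:
            rec.setdefault(tok, True)  # bare flags such as DF or SYN
    return rec


def needs_routeback(rec):
    """FAQ 17 condition: dropped/rejected in FORWARD with IN= equal to OUT=."""
    return (
        rec is not None
        and rec["chain"] == "FORWARD"
        and rec["disposition"] in ("DROP", "REJECT")
        and bool(rec.get("IN"))
        and rec.get("IN") == rec.get("OUT")
    )


def find_routeback_candidates(log_text):
    """Map interface -> sorted list of (SRC, DST) pairs that hit the FAQ 17 rule."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if needs_routeback(rec):
            hits.setdefault(rec["IN"], set()).add((rec["SRC"], rec["DST"]))
    return {iface: sorted(pairs) for iface, pairs in hits.items()}


if __name__ == "__main__":
    for iface, pairs in find_routeback_candidates(SAMPLE_LOG).items():
        print(f"{iface}: {len(pairs)} flow(s) forwarded back out the same interface; "
              f"consider the 'routeback' option for {iface} in /etc/shorewall/interfaces")
        for src, dst in pairs:
            print(f"  {src} -> {dst}")
```

Run against a real log (`grep Shorewall /var/log/messages | python3 faq17.py`, with the `SAMPLE_LOG` replaced by `sys.stdin.read()`), it answers the first half of Tom's reply. It cannot answer the second half: a flagged flow tells you that traffic hairpinned through the firewall, and it is then worth asking, as Tom does, why a host on the same LAN as the default gateway routed through the firewall at all, rather than just adding `routeback` and moving on.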
