Hi Tom

Thank you for your reply.

> Only if it is receiving those arp requests on an interface other than
> the one with the most specific route to the other firewall's  
> internal IP
> address. It the other firewall's IP in a different IP network from the
> Shorewall box's internal net?


Yes, the firewalls have no knowledge of each other nor of the other  
network "behind" them.
Of course you're right this is not the best setup network-wise, as we  
_should_ have routes to both local IP subnets in both firewalls.
But we want to test the full routing through both providers during the  
transition phase before shutting down the first one.

>>
>> Of course manually resetting the /proc/sys/net/ipv4/conf<interface>/
>> proxy_arp to 0 immediately solves the problem.
>> I tested this behavior with shorewall 2.2.x through 3.2.5. Could this
>> be solved in 4.x ?
>
> Proxy ARP doesn't work without it -- it will never be 'solved'.

Sorry, I should have written "changed" instead.

As for proxy arp not working without it, I believe you, but don't  
really understand why.

Are you saying that proxyarp functionality  - even when activated  
through static public arp addresses - is completely disabled in the  
kernel for the related interface when this parameter is off ? Doesn't  
this parameter only relate to "automatic" proxyarp for hosts /networks  
addresses in the firewall's routing table (i.e. proxyarp  
subnetworking) ?

I do not need that automatic behavior, and reading the shorewall code,  
the proxyarp file in shorewall does just that: add static public arp  
entries. Why add those entries in shorewall if anyway shorewall will  
activate the proxy_arp flag that will automatically reply based on the  
routing table ? I'm further confused by this comment in the  
interfaces file, as it seems to imply that shorewall really knows of  
"2 ways" for doing proxyarp:

(1) Manual static public entries through /etc/shorewall/proxyarp ("do  
not use /proc/sys/net/ipv4/conf/<interface>/proxy_arp")
(2) automatic sub-networking through the proxy_arp flag (if set in the  
interfaces file) (echo 1 > /proc/sys/net/ipv4/conf/<interface>/proxy_arp)

#                       proxyarp     -
#                               Sets
#                               /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
#                               Do NOT use this option if you are
#                               employing Proxy ARP through entries in
#                               /etc/shorewall/proxyarp. This option is
#                               intended solely for use with Proxy ARP
#                               sub-networking as described at:
#                               http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#


I'll do some more checks on the arp table cache of servers behind the  
firewall with the current setup, but with the parameter turned off,  
the described setup is now working for days as expected.
Of course I have entries in the proxyarp file for all hosts on _both_  
sides of the firewall (well on one side there is only the ISP's  
gateway).


Thank you
Kind regards
Gaetan
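The message above contrasts two mechanisms: static published ARP entries (what /etc/shorewall/proxyarp creates) and the kernel's per-interface proxy_arp flag, which the interfaces file comment says not to combine. The following audit script is an added example, not code from the thread or from Shorewall: it reads the interfaces that carry published proxy entries from the output of `ip -4 neigh show proxy` (assumed line format "ADDR dev IFACE proxy") and flags any of them on which proxy_arp is also set. The sysctl base directory is a parameter so the check can be run against a constructed tree.

```shell
#!/bin/sh
# proxy_arp_audit BASE_DIR  < output of `ip -4 neigh show proxy`
#   BASE_DIR defaults to /proc/sys/net/ipv4/conf (the kernel's per-interface tree).
#   For every interface that has at least one published (static) proxy ARP
#   entry, report the value of BASE_DIR/<iface>/proxy_arp. Exit status 1 if
#   any such interface also has proxy_arp=1, i.e. the combination the
#   Shorewall interfaces comment warns against; 0 otherwise.
proxy_arp_audit() {
    base="${1:-/proc/sys/net/ipv4/conf}"
    status=0
    seen=""
    while read -r addr kw dev rest; do
        [ "$kw" = "dev" ] || continue          # skip lines not in the assumed format
        case " $seen " in *" $dev "*) continue ;; esac   # one report per interface
        seen="$seen $dev"
        flagfile="$base/$dev/proxy_arp"
        if [ -r "$flagfile" ]; then flag=$(cat "$flagfile"); else flag="?"; fi
        if [ "$flag" = "1" ]; then
            echo "WARN $dev: static proxy ARP entries present AND proxy_arp=1"
            status=1
        else
            echo "OK   $dev: static proxy ARP entries only, proxy_arp=$flag"
        fi
    done
    return $status
}

# make_fake_conf DIR IFACE=FLAG...  builds a constructed sysctl-like tree
# (for offline demonstration; hypothetical helper, not part of Shorewall).
make_fake_conf() {
    dir="$1"; shift
    for pair in "$@"; do
        iface="${pair%%=*}"; flag="${pair#*=}"
        mkdir -p "$dir/$iface"
        echo "$flag" > "$dir/$iface/proxy_arp"
    done
}

# Real use on a firewall:  ip -4 neigh show proxy | proxy_arp_audit
# Constructed offline demo (returns the audit's exit status):
proxy_arp_demo() {
    tmp=$(mktemp -d)
    make_fake_conf "$tmp" eth0=1 eth1=0
    printf '10.1.1.5 dev eth0 proxy\n10.1.1.6 dev eth0 proxy\n192.0.2.9 dev eth1 proxy\n' \
        | proxy_arp_audit "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

In the constructed demo, eth0 is reported as WARN (published entries plus proxy_arp=1) and eth1 as OK, so the function exits 1.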

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users