My Issue has been resolved by:
echo 2 > /proc/sys/net/ipv4/conf/eth0/arp_announce
r...@# cat /proc/sys/net/ipv4/conf/eth0/arp_announce
2
Documentation is in the 2.6 kernel docs
(linux/Documentation/networking/ip-sysctl.txt) (here from the 2.6.17
kernel).
arp_announce - INTEGER
Define different restriction levels for announcing the local
source IP address from IP packets in ARP requests sent on
interface:
0 - (default) Use any local address, configured on any interface
1 - Try to avoid local addresses that are not in the target's
subnet for this interface. This mode is useful when target
hosts reachable via this interface require the source IP
address in ARP requests to be part of their logical network
configured on the receiving interface. When we generate the
request we will check all our subnets that include the
target IP and will preserve the source address if it is from
such subnet. If there is no such subnet we select source
address according to the rules for level 2.
2 - Always use the best local address for this target.
In this mode we ignore the source address in the IP packet
and try to select local address that we prefer for talks with
the target host. Such local address is selected by looking
for primary IP addresses on all our subnets on the outgoing
interface that include the target IP address. If no suitable
local address is found we select the first local address
we have on the outgoing interface or on all other interfaces,
with the hope we will receive reply for our request and
even sometimes no matter the source IP address we announce.
The max value from conf/{all,interface}/arp_announce is used.
Increasing the restriction level gives more chance for
receiving answer from the resolved target while decreasing
the level announces more valid sender's information.
Tested successfully with shorewall-perl 4.4.6-1 on Debian and
shorewall-shell_4.0.15-1_all.deb
11:57:31.184988 00:15:17:cc:dd:90 > ff:ff:ff:ff:ff:ff, ethertype ARP
(0x0806), length 42: arp who-has 198.32.212.41 tell 198.32.212.73
11:57:31.185397 00:0c:db:34:83:00 > 00:15:17:cc:dd:90, ethertype ARP
(0x0806), length 60: arp reply 198.32.212.41 is-at 00:0c:db:34:83:00
Many Thanks,
Trent O'Callaghan
Network Manager
www.nearmap.com
From: Tom Eastep [mailto:[email protected]]
Sent: Thursday, 4 February 2010 11:28 PM
To: Shorewall Users
Cc: [email protected]
Subject: Re: [Shorewall-users] SNAT/ARP issue -
shorewall-shell_4.0.15-1_all.deb
Tom Eastep wrote:
> Tom Eastep wrote:
>> Trent O'Callaghan wrote:
>>> MASQ/SNAT and ARP are interacting in a way that is causing outbound
>>> connectivity issues in periods of low traffic (when ARP entries
timeout).
>>> Tcpdump of ARP packets shows who-has packets with the SNAT IP address
when I
>>> need them to have the Firewall's Interface IP address as their source.
>>>
>>> I have modified MASQ to SNAT to the Firewall's Interface IP address for
the
>>> Peering network (via 198.32.212.73), but outbound traffic is normally to
>>> more distant networks and my default route is to the Paid Internet (via
>>> 121.200.226.210).
>>>
>>> I have seen some have scripted ARP watchers that could assist but I
believe
>>> this is something Shorewall can cope with, but I am lacking in the
>>> knowledge.
>>>
>>> r...@per-r1:/etc/shorewall# ifconfig -a
>>> eth0 Link encap:Ethernet HWaddr 00:15:17:cc:dd:90
>>> inet addr:121.200.226.210 Bcast:121.200.226.211
>>> Mask:255.255.255.252
>>> eth0:1 Link encap:Ethernet HWaddr 00:15:17:cc:dd:90
>>> inet addr:198.32.212.73 Bcast:198.32.212.255
Mask:255.255.255.0
>>> eth0:2 Link encap:Ethernet HWaddr 00:15:17:cc:dd:90
>>> inet addr:180.233.131.7 Bcast:180.233.131.255
Mask:255.255.255.0
>>> eth1 Link encap:Ethernet HWaddr 00:15:17:cc:dd:91
>>> inet addr:10.240.0.1 Bcast:10.240.0.255 Mask:255.255.255.0
>>>
>>> r...@per-r1:/etc/shorewall# ip route show table main | grep -v zebra
>>> 121.200.226.208/30 dev eth0 proto kernel scope link src
121.200.226.210
>>> 198.32.212.0/24 dev eth0 proto kernel scope link src 198.32.212.73
>>> 180.233.131.0/24 dev eth0 proto kernel scope link src 180.233.131.7
>>> 10.240.1.0/24 dev eth1 proto kernel scope link src 10.240.1.1
>>> default via 121.200.226.209 dev eth0 metric 100
>>>
>>> #
>>> # Shorewall version 4 - Masq file
>>> #
>>> eth0:!198.32.212.0/24 eth1:!10.240.1.7 180.233.131.7
>> Ah! I took one more look at your report and I seriously doubt that the
>> above rule does what you expect. Rewrite it as:
>>
>> eth0:!198.32.212.0/24 10.240.0.0/24!10.240.1.7
>
> In fact, the current version of Shorewall (4.4.6) rejects that type of
rule:
>
> gateway:/etc/shorewall# shorewall check
> Compiling...
> WARNING: Using an interface as the masq SOURCE requires the interface
> to be up and configured when Shorewall starts/restarts :
> /etc/shorewall/masq (line 7)
> ERROR: SOURCE interface may not be specified with a source IP address
> in the POSTROUTING chain : /etc/shorewall/masq (line 7)
> gateway:/etc/shorewall#
>
> Are you still using Shorewall-shell?
Duh -- just looked at the Subject again. I suggest that you look at
http://www.shorewall.net/LennyToSqueeze.html. Also, note that the Debian
Shorewall maintainer has Shorewall 4.4 packages available for Lenny; a
link to his site can be found on the Shorewall download page.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
