From: Bobby <bobby@d4business.com>
To: linux-admin@vger.kernel.org
Subject: arp corrupted
Date: Mon, 22 Oct 2007 05:18:19 -0400
Message-ID: <200710220518.19888.bobby@d4business.com>

Hi,

I've been trying to get a couple of routers up after h/w failure.

The border router is an OpenBSD firewall running NAT between the Internet and 
a DMZ-like subnet, and in that a Linux antivirus server is running NAT to the 
LAN.

When the client does a DNS query it reaches the f/w where DNS is running, 
and the reply is returned to the A/V server but never hits the 0.254 interface. 
(Shown by running tcpdump on each interface.)

(Internet)
	|
OpenBSD Firewall 
NAT 192.168.1.254
	|
192.168.1.253 eth0
Anti-Virus in "DMZ"
192.168.0.254 eth1
	|
192.168.0.11
Client on LAN

The routing table on the A/V server is:
 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
 192.168.0.0     192.168.0.254   255.255.255.0   UG        0 0          0 eth1
 192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
 0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0

Sitting on the A/V server one can reach the client without problem.

Arp shows:
 Address             HWtype  HWaddress           Flags Mask            Iface
 192.168.1.254        ether   00:20:78:0F:AC:31   C                     eth0

Unless I try to reach the client web server from the A/V server; then it fails 
and arp says:

 Address              HWtype  HWaddress           Flags Mask            Iface
 corp.domain.com              (incomplete)                              eth0
 dell11.domain.com    ether   00:06:29:AF:A3:67   C                     eth1
 192.168.1.254        ether   00:20:78:0F:AC:31   C                     eth0

One can also see the arp requests go out on eth0 rather than eth1:

 arp who-has 192.168.0.10 tell 192.168.0.254

Pinging works well:

 PING 192.168.0.11 (192.168.0.11) 56(84) bytes of data.
 64 bytes from 192.168.0.11: icmp_seq=0 ttl=64 time=0.277 ms

Iptables on the A/V server says:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 9080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-port 9110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 25 -j REDIRECT --to-port 9025
-A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j REDIRECT --to-port 9021
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:Firewall-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
COMMIT

It is supposed to route all outbound traffic through the various ports where 
the A/V s/w is listening.

ifconfig shows:

eth0      Link encap:Ethernet  HWaddr 00:0D:88:39:6A:F1
          inet addr:192.168.1.253  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20d:88ff:fe39:6af1/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:77670 errors:0 dropped:0 overruns:0 frame:0
          TX packets:97635 errors:0 dropped:0 overruns:0 carrier:0
          collisions:523 txqueuelen:1000
          RX bytes:22858238 (21.7 MiB)  TX bytes:21513745 (20.5 MiB)
          Interrupt:11 Base address:0x2400

eth1      Link encap:Ethernet  HWaddr 00:50:FC:AC:52:4B
          inet addr:192.168.0.254  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::250:fcff:feac:524b/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:26676 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20424 errors:0 dropped:0 overruns:1 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2747567 (2.6 MiB)  TX bytes:26324006 (25.1 MiB)
          Interrupt:7 Base address:0x2800

If NAT did not work I could see it having a problem. It appears to be happy 
routing ICMP but not TCP. cat /proc/sys/net/ipv4/ip_forward shows 1, which it 
would have to anyway since the request goes out from the LAN.


-- 

Bobby
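An added illustration, not part of Bobby's post or of any reply: a small longest-prefix route lookup over the routing table pasted above, to check which interface a destination should leave on and compare that with the interface an ARP request was captured on. It ignores metrics and breaks ties between equal-length prefixes by table order, which is a simplification of the kernel's FIB lookup.

```python
import ipaddress

# The A/V server's routing table, copied from the post above (route -n format).
ROUTE_TABLE = """\
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.0.0     192.168.0.254   255.255.255.0   UG        0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0
"""

def parse_routes(text):
    """Parse `route -n` style lines into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:          # skip header and blank lines
            continue
        dest, gw, mask, flags, iface = f[0], f[1], f[2], f[3], f[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, flags, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match for dst. Returns (iface, next_hop): next_hop is the
    gateway for 'G' routes and None for directly connected ones (ARP then asks
    for dst itself). Simplification: metrics are ignored and ties between
    equal-length prefixes go to the entry listed first."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, flags, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, iface)
    if best is None:
        return None
    _, gw, flags, iface = best
    return iface, (gw if "G" in flags else None)

def arp_iface_mismatch(routes, target, observed_iface):
    """True when an ARP request for target was captured on an interface other
    than the one the table selects for it (the symptom described in the post)."""
    hit = lookup(routes, target)
    return hit is not None and hit[0] != observed_iface

if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for dst in ("192.168.0.10", "192.168.1.254", "198.51.100.1"):
        print(dst, "->", lookup(table, dst))
    print("ARP for 192.168.0.10 on eth0 mismatches table:", arp_iface_mismatch(table, "192.168.0.10", "eth0"))
```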
