Re: [LARTC] Proxy ARP with a Coyote Point equalizer

[Grant Taylor <gtaylor@riverviewtech.net>]

On 5/30/2007 6:46 PM, Greg Scott wrote:
> Here is the problem.  Behind the firewall is a Coyote Point Equalizer 
> at 1.2.3.10, with a high-volume website behind it spread across 
> several servers.  Every time I put this proxy ARP firewall in place, 
> that nasty Coyote Point box dies and this breaks the high volume 
> website behind it and makes lots of people mad.  I've never seen a 
> Coyote Point Equalizer but I have a hunch it might not get along well 
> with a proxy ARP device in its same network.

Hrm...

> Proxy ARP really means proxy ARP - that firewall answers ARP requests 
> for anything and everything it sees, for any network.  This also has 
> consequences for new devices that try to be polite when they set IP 
> Addresses for themselves by ARPing to see if anyone else answers at 
> that address.  Is there a way to limit proxy ARP to a list of IP 
> Addresses?

This will be Proxy ARP implementation specific.  I have no idea whether 
or not Linux can be configured to behave as you are asking or not.

> Or - should I forget proxy ARP and look at bridging instead?

Having just (briefly) brushed up on Proxy ARPing, I can see how it would 
be a problem for a load balancer.  Most load balancers work on a couple 
of different levels, either IP <-> MAC spoofing, or NATing.  The former 
method is probably what is happening and thus having a problem with your 
Proxy ARP router / firewall.

Consider if you will a host out side of the Proxy ARP router / firewall 
trying to connect to an IP address that is both behind the Proxy ARP 
router / firewall AND the load balancer.  If the load balancer changes 
the MAC address that the IP address belongs to, the Proxy ARP router / 
firewall will inevitably end up pointing to the wrong internal MAC.  How 
will the load balancer handle the traffic when it does not start flowing 
to the alternative MAC like it wants?  I can not say.  But, I do see a 
very big potential for a conflict.  In said conflict, I can not say any 
thing to how any of the equipment will fail.  Thus, you could end up in 
the scenario you are in now.

I can't say for sure as to whether or not you should forget about proxy 
ARP or not, but I can say for sure that bridging will do what you are 
wanting to do very well.

Bridging will pass the ARP requests in directly to the load balancer 
like it is expecting so that it can control things the way that it wants 
to.  This means that when the load balancer alters the IP <-> MAC 
mapping, the upstream device on the other side of the bridge will see 
the changed MAC address.

I think I would go the bridging route.

> Can I do bridging and still access the bridged interfaces remotely?

Most definitely!  Put your IP address on the bridge interface.

I.e. eth0 and eth1 are bridged together by br0.

ifconfig br0 1.2.3.2 netmask 255.255.255.0

You will be able to access 1.2.3.2 from either side of the bridge.  That 
is presuming that you do not use EBTables / IPTables to filter the 
bridged traffic.  In other words, so long as you are not doing any layer 
2 filtering yes.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc