From: gypsy <gypsy@iswest.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Proxy ARP with a Coyote Point equalizer
Date: Thu, 31 May 2007 06:49:59 +0000
Message-ID: <465E7017.52BF668A@iswest.com>
In-Reply-To: <925A849792280C4E80C5461017A4B8A210B7F9@mail733.InfraSupportEtc.com>

Greg Scott wrote:
> 
> Here is a puzzle.
> 
> I have a network with several servers. It's a mess.  It's a /24 and
> pieces and servers are all over the place inside this /24 block, on both
> sides of the firewall.  For example, the router at 1.2.3.1 is outside
> the firewall and many of the servers at 1.2.3.nnn/24 are behind the
> firewall.  (Obviously, 1.2.3.nnn is a fudged network.)
> 
> eth0 points outward to the Internet.
> eth1 points inward to the servers.
> 
> Both eth0 and eth1 have IP Address 1.2.3.2.  I set up proxy ARP like
> this:
> 
> echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
> echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
> 
> And I set up appropriate routes to the systems on both sides of the
> firewall.
> 
> This all works - all the systems route the way they are supposed to
> route.
> 
> Here is the problem.  Behind the firewall is a Coyote Point Equalizer at
> 1.2.3.10, with a high-volume website behind it spread across several
> servers.  Every time I put this proxy ARP firewall in place, that nasty
> Coyote Point box dies and this breaks the high volume website behind it
> and makes lots of people mad.  I've never seen a Coyote Point Equalizer
> but I have a hunch it might not get along well with a proxy ARP device
> in its same network.
> 
> Here are my questions:
> 
> Proxy ARP really means proxy ARP - that firewall answers ARP requests
> for anything and everything it sees, for any network.  This also has
> consequences for new devices that try to be polite when they set IP
> Addresses for themselves by ARPing to see if anyone else answers at that
> address.  Is there a way to limit proxy ARP to a list of IP Addresses?
> 
> Or - should I forget proxy ARP and look at bridging instead?  Can I do
> bridging and still access the bridged interfaces remotely?
> 
> Thanks
> 
> - Greg Scott
>   GregScott@InfraSupportEtc.com

See http://yesican.chsoft.biz/lartc/proxy-arp.conf
and http://yesican.chsoft.biz/lartc/proxy-arp.sh
to see if that helps.  The LAN interface (eth0) uses the
/proc-/proxy_arp setting while the WAN (eth1) interface uses the script.

FWIW, those are my working setups.  One computer has a WAN connection
(eth1) and all other servers inside connect to its eth0.  The above
script and config file are on that computer.  Note that both eth1 and
eth0 have the same IP (66.209.101.198) and netmask.  This machine has a
third interface (eth2) to the LAN, but that is not material here.

If the ISP changes things, which they have done a couple of times, I
have to ask them to flush their ARP cache manually because their
retention is HUGE (~70 minutes), but except for that, I've never had any
problems with this setup.  I had no success at all trying to use /proc
on eth1.
--
gypsy
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
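As an added example (this is not gypsy's proxy-arp.sh, whose contents are not on this page, and not code from either poster), the script below shows the two ways of doing what Greg describes: the blanket per-interface switch from the original post, and a limited mode that answers Greg's "list of IP addresses" question with per-address proxy neighbour entries (ip neigh ... proxy), leaving the proxy_arp sysctl off. The interfaces, the 1.2.3.0/24 prefix, the router at .1 and the list of inside hosts (the equalizer at .10 plus two constructed addresses) are assumptions taken from the fudged numbers in the thread. The sysctl -w lines are the same setting as the echo-into-/proc lines in the post.

```shell
#!/bin/sh
# Added example, not gypsy's proxy-arp.sh and not code from the thread.
# Interfaces, the /24, the router and the inside host list are assumptions
# chosen to match the fudged addresses in the original post.
set -eu

WAN_IF="eth0"                      # outside, towards the router at 1.2.3.1
LAN_IF="eth1"                      # inside, towards the servers
PREFIX="1.2.3"                     # the shared /24 (fudged, as in the post)
OUTSIDE_ROUTER="$PREFIX.1"
INSIDE_HOSTS="$PREFIX.10 $PREFIX.20 $PREFIX.21"   # constructed list; .10 is the equalizer

# Print a command instead of running it when DRY_RUN=1, so the resulting
# configuration can be reviewed without root or real interfaces.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to publish anything outside the /24: the point of the limited mode
# is that the firewall never claims addresses it has no business answering for.
check_in_prefix() {
    case "$1" in
        "$PREFIX".*) return 0 ;;
        *) printf 'refusing %s: not in %s.0/24\n' "$1" "$PREFIX" >&2; return 1 ;;
    esac
}

# Blanket mode, equivalent to the two 'echo 1 > /proc/...' lines in the post:
# the firewall answers ARP for any target it routes out another interface.
blanket_proxy_arp() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$WAN_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$LAN_IF.proxy_arp=1"
}

# Limited mode: leave the per-interface switch off and install one proxy
# neighbour entry per address. The kernel only answers for a published
# address when its route to that address leaves via a different interface
# than the one the request arrived on, so each entry is paired with a host
# route out the other side. 'replace' keeps the script idempotent.
limited_proxy_arp() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$WAN_IF.proxy_arp=0"
    run sysctl -w "net.ipv4.conf.$LAN_IF.proxy_arp=0"
    for h in $INSIDE_HOSTS; do
        check_in_prefix "$h" || return 1
        run ip route replace "$h/32" dev "$LAN_IF"
        run ip neigh replace proxy "$h" dev "$WAN_IF"
    done
    # Inside hosts still need to resolve their default gateway, which sits
    # outside, so publish the router's address on the inside interface.
    run ip route replace "$OUTSIDE_ROUTER/32" dev "$WAN_IF"
    run ip neigh replace proxy "$OUTSIDE_ROUTER" dev "$LAN_IF"
}

# Usage: sh proxy-arp.sh         prints the commands (dry run)
#        sh proxy-arp.sh apply   runs them (as root)
if [ "${1:-}" = "apply" ]; then DRY_RUN=0; else DRY_RUN=1; fi
limited_proxy_arp
```

After applying, `ip -4 neigh show proxy` lists exactly the published addresses, which is the check to run before blaming a box like the equalizer for misbehaving: in limited mode nothing outside that list, and nothing a new device probes for while picking an address, gets an answer from the firewall. Forwarding must be on either way, and a published address whose route goes out the same interface the request came in on is silently ignored by the kernel, so the paired host routes are not optional.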


Thread overview: 5+ messages
2007-05-30 23:46 [LARTC] Proxy ARP with a Coyote Point equalizer Greg Scott
2007-05-31  0:19 ` Grant Taylor
2007-05-31  6:49 ` gypsy [this message]
2007-05-31 18:41 ` Greg Scott
2007-05-31 21:12 ` Grant Taylor
