* [LARTC] Proxy-ARP
@ 2002-11-17 14:11 S Mohan
  2002-11-18  5:49 ` Martin A. Brown
  2002-11-18  7:42 ` S Mohan
  0 siblings, 2 replies; 3+ messages in thread
From: S Mohan @ 2002-11-17 14:11 UTC (permalink / raw)
  To: lartc

I'm working with LEAF boxes as gateway machines. I'm trying to implement
Proxy-ARP to build a bandwidth manager for my network. I've gone as per
the lartc howto to implement a transparent bridge in an existing network
and plan to put in my tc script after this. I'm configuring the box as a
standalone one before plugging it into the network. I'm getting an error
when I try to delete a route for local LAN addresses thro' the external
interface in order to put in a specific one to route only packets meant
for the router's interface thro' that ethernet interface on the LEAF
box. The kernel version is 2.4.18 patched with htb and ipsec. Iproute2
is also installed.

My intended network goes as below. I put up a LEAF box to try this. LAN
Config is as under

                         10.0.1.1
  Internet   +-----------------+      eth0+-----------+eth1      |
======> | Router/ VPN Box |----------|LEAF Bering|----------| LAN
  Leased     +-----------------+  10.0.1.4+-----------+10.0.1.4  |
10.0.1.x

I set up interfaces file and checked all the settings. I'm unable to
delete the route for eth0 for 10.0.1.x addresses. I'm giving below the
transcript. I'm not able to figure out what the problem is. Can you help
me put this up please?

<transcript>
#ip li sh
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:21:f3:0a:4f brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:21:f4:50:e7 brd ff:ff:ff:ff:ff:ff

#ip addr sh
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:21:f3:0a:4f brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.4/24 brd 10.0.1.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:21:f4:50:e7 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.4/24 brd 10.0.1.255 scope global eth1

#ip ro sh
10.0.1.0/24 dev eth0  proto kernel  scope link  src 10.0.1.4 
10.0.1.0/24 dev eth1  proto kernel  scope link  src 10.0.1.4 
default via 10.0.1.1 dev eth0

#cat /proc/sys/net/ipv4/conf/eth1/proxy_arp
1

#cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
1

#ip ro del 10.0.1.0/24 via 10.0.1.4 dev eth0
RTNETLINK answers: No such process

#ip ro add 10.0.1.1/24 via 10.0.1.4 dev eth0
#ip ro sh
10.0.1.1 via 10.0.1.4 dev eth0 
10.0.1.0/24 dev eth0  proto kernel  scope link  src 10.0.1.4 
10.0.1.0/24 dev eth1  proto kernel  scope link  src 10.0.1.4 
default via 10.0.1.1 dev eth0 
</transcript>

Since I'm going to be introducing this bridge into a production LAN, I'd
like this to work first shot. Any pointers please.

TIA
Mohan

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Proxy-ARP
  2002-11-17 14:11 [LARTC] Proxy-ARP S Mohan
@ 2002-11-18  5:49 ` Martin A. Brown
  2002-11-18  7:42 ` S Mohan
  1 sibling, 0 replies; 3+ messages in thread
From: Martin A. Brown @ 2002-11-18  5:49 UTC (permalink / raw)
  To: lartc

Mohan,

Let me note a few things.  First, you need only send a mail to the list, 
not the individual subscribers.  

Second,

  - you are either building a bridge

      OR

  - you are building a routing device which will divide the network in 
    two with proxy ARP

If you want to use a bridge, then see the archives for how to do 
traffic control with a bridge, and post specific questions.  I'd also
recommend reading up on bridging:

  http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/index.html
  http://bridge.sourceforge.net/


If that's not what you want to do, try the proxy ARP mini-HOWTO, which 
will show you how to set up routes to each side of the network, and 
configure proxy ARP.

  http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/index.html

I've got a bit on it, as well, but you will probably find more complete 
instructions elsewhere.

  http://plorf.net/linux-ip/html/adv-proxy-arp.htm

Since what you have already started is a proxy ARP solution, I'll point 
some problems out.

 : #ip addr sh
 : 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
 :     link/ether 00:00:21:f3:0a:4f brd ff:ff:ff:ff:ff:ff
 :     inet 10.0.1.4/24 brd 10.0.1.255 scope global eth0
 : 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
 :     link/ether 00:00:21:f4:50:e7 brd ff:ff:ff:ff:ff:ff
 :     inet 10.0.1.4/24 brd 10.0.1.255 scope global eth1

This means that you are assigning the same IP to two different ethernet 
interfaces on the same media segment.  That's not strictly forbidden, but 
unless you take some other steps, the machines on the ethernet will get 
one MAC address for 10.0.1.4 on some ARP requests, and the other MAC 
address for other requests.  That's not quite deterministic, so your 
networking will break.

Look into Julian's work on hidden ethernet interfaces if you really want 
to do this (I don't think you do).

  http://www.linuxvirtualserver.org/~julian/#hidden

 : #ip ro sh
 : 10.0.1.0/24 dev eth0  proto kernel  scope link  src 10.0.1.4 
 : 10.0.1.0/24 dev eth1  proto kernel  scope link  src 10.0.1.4 
 : default via 10.0.1.1 dev eth0

If you are intending to break the network into two pieces, you have not 
done so here.  You should make routes for the IPs which are reachable on 
each ethernet.  For example:

# ip route del 10.0.1.0/24 dev eth1
# ip route add 10.0.1.1 dev eth0
# ip route add default via 10.0.1.1

 : #ip ro del 10.0.1.0/24 via 10.0.1.4 dev eth0
 : RTNETLINK answers: No such process

That's because there is no such route....hence the answer is "RTNETLINK 
answers: No such process"  I'd suggest re-reading the iproute2 command 
reference to understand the use of the keyword "via".  You are not using 
the right keyword, or not understanding what you are asking of the kernel, 
here.

 : #ip ro add 10.0.1.1/24 via 10.0.1.4 dev eth0

Good luck,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
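A small Python model of the routing-table behaviour discussed in this reply, added here as an illustration and not taken from the thread or from iproute2: it reproduces why `ip ro del 10.0.1.0/24 via 10.0.1.4 dev eth0` returns "No such process" against a gateway-less connected route, flags the same connected prefix on both interfaces, and builds the split Mohan describes (only the router's address via eth0, the LAN prefix via eth1). Interface names and addresses are the thread's; the match rules are a deliberate simplification of the kernel's.

```python
import ipaddress

# Constructed from the 'ip ro sh' transcript in the thread: (prefix, gateway, device).
# The two connected routes are kernel-installed and carry no gateway; that is
# exactly why a delete that specifies 'via 10.0.1.4' cannot match either of them.
ROUTES = [
    ("10.0.1.0/24", None, "eth0"),
    ("10.0.1.0/24", None, "eth1"),
    ("0.0.0.0/0", "10.0.1.1", "eth0"),
]
ESRCH = "RTNETLINK answers: No such process"


def _net(prefix):
    # Model choice: host bits are masked, so '10.0.1.1/24' means 10.0.1.0/24.
    return ipaddress.ip_network(prefix, strict=False)


def route_del(table, prefix, via=None, dev=None):
    """Model of 'ip route del': every attribute the caller supplies must match an
    existing entry. Returns (new_table, None) or (table, error_text) on no match."""
    want = _net(prefix)
    for i, (p, gw, d) in enumerate(table):
        if _net(p) == want and via in (None, gw) and dev in (None, d):
            return table[:i] + table[i + 1:], None
    return table, ESRCH


def route_add(table, prefix, via=None, dev=None):
    return table + [(str(_net(prefix)), via, dev)]


def duplicate_connected(table):
    """Connected prefixes present on more than one interface: the overlap Martin
    points out, which leaves the box unable to say which side a 10.0.1.x host is on."""
    seen = {}
    for p, gw, d in table:
        if gw is None:
            seen.setdefault(str(_net(p)), []).append(d)
    return {p: devs for p, devs in seen.items() if len(devs) > 1}


def proxy_arp_split(table, wan_dev, lan_dev, router_ip):
    """Rewrite the table for the split Mohan describes: only the router's host
    route via wan_dev, the whole LAN prefix staying connected on lan_dev."""
    lan_prefix = next(p for p, gw, d in table if gw is None and d == wan_dev)
    table, err = route_del(table, lan_prefix, dev=wan_dev)  # no 'via' on a connected route
    assert err is None, err
    table = route_add(table, router_ip + "/32", dev=wan_dev)
    assert (lan_prefix, None, lan_dev) in table, "LAN prefix must remain on lan_dev"
    assert duplicate_connected(table) == {}, "LAN prefix still ambiguous"
    return table
```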


* RE: [LARTC] Proxy-ARP
  2002-11-17 14:11 [LARTC] Proxy-ARP S Mohan
  2002-11-18  5:49 ` Martin A. Brown
@ 2002-11-18  7:42 ` S Mohan
  1 sibling, 0 replies; 3+ messages in thread
From: S Mohan @ 2002-11-18  7:42 UTC (permalink / raw)
  To: lartc

-----Original Message-----
From: Martin A. Brown
<snip>
Let me note a few things.  First, you need only send a mail to the list,
not the individual subscribers.
</snip>
Eager beaver. My apologies if I transgressed.

<snip>
This means that you are assigning the same IP to two different ethernet
interfaces on the same media segment.  That's not strictly forbidden, but
unless you take some other steps, the machines on the ethernet will get
one MAC address for 10.0.1.4 on some ARP requests, and the other MAC
address for other requests.  That's not quite deterministic, so your
networking will break.
</snip>
True. This is my intent. My LAN will get the MAC address of eth1 for
10.0.1.4 while my router will get the MAC address of eth1 for the same IP.
This is how it is physically arranged.

<snip>
If you are intending to break the network into two pieces, you have not
done so here.  You should make routes for the IPs which are reachable on
each ethernet.  For example:

# ip route del 10.0.1.0/24 dev eth1
# ip route add 10.0.1.1 dev eth0
# ip route add default via 10.0.1.1

 : #ip ro del 10.0.1.0/24 via 10.0.1.4 dev eth0
 : RTNETLINK answers: No such process

That's because there is no such route....hence the answer is "RTNETLINK
answers: No such process"  I'd suggest re-reading the iproute2 command
reference to understand the use of the keyword "via".  You are not using
the right keyword, or not understanding what you are asking of the kernel,
here.

 : #ip ro add 10.0.1.1/24 via 10.0.1.4 dev eth0
</snip>

I got my answer. Thanks. I guess I should have used "ip ro del 10.0.1.0/24
dev eth0". I used via as the scope link src was there. I wanted to get rid
of the generic route for 10.0.1.0/24 via eth0 and replace it with a route
for just 1 ip 10.0.1.1 (my router's ip) via eth0. Thus all packets meant for
my LAN will go thro' eth1 while those meant for the router will go thro'
eth0. I think I need to do a few more runs of the iproute2 doc to understand
syntax pretty well.

I was trying this so that I could use iptables for firewalling and
tc/cbq/htb for bandwidth shaping out of my LAN without reconfiguring any
gateway IPs on nodes. I was given to understand that a pure bridge will work
with iptables. Further reading has enlightened me on that too. Looks like
the bridging code now interfaces with iptables.

Thanks for the help.

Mohan
