From: christopher cuse <ccuse@tiscali.fr>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Proxy Arp question
Date: Sat, 03 May 2003 07:35:36 +0000
Message-ID: <marc-lartc-105194711216189@msgid-missing>
In-Reply-To: <marc-lartc-105184920302860@msgid-missing>

hi joseph,

i took a look more closely at your schema ...


On Fri, 2003-05-02 at 06:18, Joseph Watson wrote:
> Hello,
> 
> I have been digging around for a while trying to get a good understanding of 
> how to configure linux to do proxy arp.  I understand the concept well 
> (there is lots of info on this), but am struggling to get a clear 
> understanding of implementing it on linux. 
> 
> First question:
> Is the following possible, or does the firewall have to have an address on 
> 192.168.1.0/24 network??  My thought was I could add a route on eth0 to the 
> 192.168.1.0/24 network, and a route on eth1 to the host 192.168.1.2 and then 
> turn on proxy arp.
> 
>     192.168.1.0/24
>               |
>    eth0: 192.168.2.1
>         Firewall
>    eth1: 192.168.3.1
>               |
>       192.168.1.2

i'm having a bit of trouble understanding exactly what you're trying to
achieve here.

a host's gateway needs to be on the same subnet, therefore your
schema should read

       192.168.1.2-254/24 <- (hosts 2 thru 254)
               |
    eth0: 192.168.1.1/24
         Firewall
    eth1: 192.168.3.1/24
               |
       192.168.3.2-254/24 <- (hosts 2 thru 254)

unless you are doing something special where host 192.168.1.2
(from your diagram) is "logically" on the 192.168.1.0/24 subnet although
it is not "physically." Is this the case (tunnelling/vpn)?

if your setup is indeed as i have indicated, then you can set firewall
rules allowing host(s) on the 192.168.3.0/24 subnet to reach host(s) and
service(s) on the 192.168.1.0/24 subnet without issue.


> Second question:
> I have been using Shorewall as a firewall, and it comes with proxyarp 
> capability.  Here is the working configuration of my firewall using proxy 
> arp:
> 
>     192.168.1.0/24
>               |
>    eth0: 192.168.1.1
>         Firewall
>    eth1: 192.168.3.1
>               |
>       192.168.1.2
> 
> There are the following routes:
>  192.168.1.2 dev eth1  scope link
>  192.168.1.0/24 dev eth0  scope link
> 
> This makes sense.  Where I am confused is when I check the proxy_arp settings:
> 
> []# cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
> 0
> []# cat /proc/sys/net/ipv4/conf/eth1/proxy_arp
> 1
> []#
> 
> Why is proxy_arp not turned on for eth0??  Every howto I can find says to turn 
> on proxy_arp for both interfaces.  
 
192.168.1.0/24 dev eth0  scope link
192.168.3.0/24 dev eth1  scope link
127.0.0.0/8 dev lo  scope link

your routing table is missing localhost, or did you <snip> it? check.

cheers

christopher cuse



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
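Added example, not from either poster: a small POSIX sh audit that takes a routing table in `ip route` format plus the per-interface proxy_arp values and reports which interfaces need proxy_arp=1, and whether the loopback route is present. A host route that sits outside its own interface's subnet (192.168.1.2 behind eth1 while 192.168.1.0/24 is on eth0) needs both ends: the firewall must answer ARP for .2 on eth0 and for the rest of 192.168.1.0/24 on eth1, which is why the howtos enable it on both. The route lines and sysctl values are constructed from the ones quoted above; the function names are my own.

```shell
# Added audit helper, not part of the thread. Given an IPv4 routing table in
# "ip route" format and the proxy_arp sysctl values, it lists the interfaces
# that must have proxy_arp=1: with 192.168.1.2 behind eth1 while 192.168.1.0/24
# sits on eth0, the firewall must answer ARP for .2 on eth0 and for the rest
# of 192.168.1.0/24 on eth1, so both interfaces need it.

# Constructed samples: the two routes as posted in the thread (no lo line),
# the fuller table the reply expects, and the sysctl values as posted.
ROUTES_POSTED='192.168.1.2 dev eth1  scope link
192.168.1.0/24 dev eth0  scope link'
ROUTES_FULL="$ROUTES_POSTED
192.168.3.0/24 dev eth1  scope link
127.0.0.0/8 dev lo  scope link"
PROXY_POSTED='eth0=0 eth1=1'   # cat /proc/sys/net/ipv4/conf/<iface>/proxy_arp
ip2int() {                  # dotted quad -> 32-bit integer
  a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
in_prefix() {               # is address $1 inside prefix $2 (a.b.c.d/len)?
  mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}
route_dev() {               # interface named after "dev" in one route line
  printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}
# Interfaces needing proxy_arp=1, space separated: for every host route whose
# covering subnet route lives on a different interface, both interfaces.
needs_proxy_arp() {
  printf '%s\n' "$1" | while read -r hl; do
    dst=${hl%% *}
    case $dst in */*|*[!0-9.]*) continue ;; esac     # host routes only
    printf '%s\n' "$1" | while read -r nl; do
      net=${nl%% *}
      case $net in */*) ;; *) continue ;; esac       # subnet routes only
      [ "$(route_dev "$nl")" != "$(route_dev "$hl")" ] || continue
      in_prefix "$dst" "$net" && printf '%s\n%s\n' "$(route_dev "$hl")" "$(route_dev "$nl")"
    done
  done | sort -u | tr '\n' ' ' | sed 's/ $//'
}
# Interfaces from needs_proxy_arp whose sysctl is not 1 (empty when all set).
missing_proxy_arp() {
  for i in $(needs_proxy_arp "$1"); do
    case " $2 " in *" $i=1 "*) ;; *) printf '%s ' "$i" ;; esac
  done | sed 's/ $//'
}
has_loopback_route() { printf '%s\n' "$1" | grep -q '^127\.0\.0\.0/8 dev lo'; }
```

On a live box, feed it `missing_proxy_arp "$(ip -4 route)" "$(grep -H . /proc/sys/net/ipv4/conf/*/proxy_arp | sed 's|.*/conf/||; s|/proxy_arp:|=|' | tr '\n' ' ')"`; an empty result means every interface the routes require already has proxy_arp=1.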
