proxy arp behaviour

proxy arp behaviour

[Marco Berizzi]

Hello everybody,

I would like some info about proxy arp behaviour.
I have a firewall linux running kernel 2.4.25
with 3 NIC. Proxy arp is enabled on two of them
(eth0 and eth1).

eth1 configuration is here:

ifconfig eth1 10.77.77.1 broadcast 10.77.77.3 netmask 255.255.255.252
ip route del 10.77.77.0/30 dev eth1
ip route add 172.17.1.0/24 dev eth1

echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

Hosts connected to eth1 are all 172.17.1.0/24.
The linux box is now replying to arp requests
that are sent by 172.17.1.0/24 hosts on the eth1
network segment. Is this because ip on eth1 is
10.77.77.1?

I think that linux should not reply to arp request
for 172.17.1.0/24 because of:

ip route add 172.17.1.0/24 dev eth1

Is this a bug?

TIA

Re: proxy arp behaviour

[Richard B. Johnson]

On Thu, 25 Mar 2004, Marco Berizzi wrote:

> Hello everybody,
>
> I would like some info about proxy arp behaviour.
> I have a firewall linux running kernel 2.4.25
> with 3 NIC. Proxy arp is enabled on two of them
> (eth0 and eth1).
>
> eth1 configuration is here:
>
> ifconfig eth1 10.77.77.1 broadcast 10.77.77.3 netmask 255.255.255.252
> ip route del 10.77.77.0/30 dev eth1
> ip route add 172.17.1.0/24 dev eth1
>
> echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
>
> Hosts connected to eth1 are all 172.17.1.0/24.
> The linux box is now replying to arp requests
> that are sent by 172.17.1.0/24 hosts on the eth1
> network segment. Is this because ip on eth1 is
> 10.77.77.1?
>
> I think that linux should not reply to arp request
> for 172.17.1.0/24 because of:
>
> ip route add 172.17.1.0/24 dev eth1
>
> Is this a bug?

This problem comes up periodically and when it does there
results in a bunch of noise to show that "Linux works perfectly...",
but never with any resolution.

What needs to be answered by persons who know the network
code is how one "connects" a particular response to a
particular device.

This has become a FAQ and needs to have some written documentation
somewhere.

Cheers,
Dick Johnson
Penguin : Linux version 2.4.24 on an i686 machine (797.90 BogoMips).
            Note 96.31% of all statistics are fiction.

Re: proxy arp behaviour

[Chris Friesen]

Marco Berizzi wrote:

> eth1 configuration is here:
> 
> ifconfig eth1 10.77.77.1 broadcast 10.77.77.3 netmask 255.255.255.252
> ip route del 10.77.77.0/30 dev eth1
> ip route add 172.17.1.0/24 dev eth1
> 
> echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
> 
> Hosts connected to eth1 are all 172.17.1.0/24.
> The linux box is now replying to arp requests
> that are sent by 172.17.1.0/24 hosts on the eth1
> network segment.

Arp requests for what IP addresses?

Chris

Re: proxy arp behaviour

[Marco Berizzi]

Chris Friesen wrote:

> Marco Berizzi wrote:
> 
> > eth1 configuration is here:
> > 
> > ifconfig eth1 10.77.77.1 broadcast 10.77.77.3 netmask 255.255.255.252
> > ip route del 10.77.77.0/30 dev eth1
> > ip route add 172.17.1.0/24 dev eth1
> > 
> > echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
> > 
> > Hosts connected to eth1 are all 172.17.1.0/24.
> > The linux box is now replying to arp requests
> > that are sent by 172.17.1.0/24 hosts on the eth1
> > network segment.
> 
> Arp requests for what IP addresses?

The linux box is replying to arp requests for 172.17.1.0/24, sent
by 172.17.1.0/24 systems (windoze 2000 and Linux 2.4.25).

Re: proxy arp behaviour

[Marco Berizzi]

My apologies Chris.
I haven't full explained my configuration.
Here is:

ifconfig eth0 172.17.1.1 netmask 255.255.255.0
ifconfig eth1 10.77.77.1 netmask 255.255.255.252


ip route del 172.17.1.0/24 dev eth0
ip route del 10.77.77.0/30 dev eth1

ip route add 172.17.1.254 dev eth0
ip route add 172.17.1.0/24 dev eth1

ip rule add iif eth1 table dmz-ipsec priority 504

ip route add default via 172.17.1.254 dev eth0 table main metric 1
ip route add default via 172.17.1.254 dev eth0 table dmz-ipsec metric 1
ip route flush cache

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp


Now, hosts connected to eth1 are all 172.17.1.0/24.

The linux box is now replying to arp requests for
172.17.1.0/24 hosts, sent by 172.17.1.0/24 hosts,
on the eth1 network segment.


Chris Friesen wrote:

> Marco Berizzi wrote:
> 
> > eth1 configuration is here:
> > 
> > ifconfig eth1 10.77.77.1 broadcast 10.77.77.3 netmask 255.255.255.252
> > ip route del 10.77.77.0/30 dev eth1
> > ip route add 172.17.1.0/24 dev eth1
> > 
> > echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
> > 
> > Hosts connected to eth1 are all 172.17.1.0/24.
> > The linux box is now replying to arp requests
> > that are sent by 172.17.1.0/24 hosts on the eth1
> > network segment.
> 
> Arp requests for what IP addresses?

The linux box is replying to arp requests for 172.17.1.0/24, sent
by 172.17.1.0/24 systems (windoze 2000 and Linux 2.4.25).