* proxy_arp
From: richard lucassen @ 2014-04-25 17:35 UTC
To: netfilter
Hello list,
I have two identical Linux servers, two identical vanilla kernels
(3.2.57). I start an arping on srv1 to the *external* ip of srv2 using
the *internal* rfc1918 addressed NIC (eth2)
           +------+                        +------+
      eth0 |      | eth2              eth2 |      | eth0
ip1a-------+ srv1 +--ip1b--<------>--ip2b--+ srv2 +--ip2a
   outside |      | inside          inside |      | outside
           +------+                        +------+
    arping using eth1 ^^ --via-> eth2 ^^ to this ip --^^^
root@srv1# arping -I eth1 ip2a
ARPING 213.34.90.190 from 172.31.255.249 eth2
Unicast reply from 213.34.90.190 [00:15:17:F4:41:46] 0.891ms
Unicast reply from 213.34.90.190 [00:15:17:F4:41:46] 0.799ms
^CSent 2 probes (1 broadcast(s))
Received 2 response(s)
No problem, it works as expected. The other way round however:
           +------+                        +------+
      eth0 |      | eth2              eth2 |      | eth0
ip1a-------+ srv1 +--ip1b--<------>--ip2b--+ srv2 +--ip2a
   outside |      | inside          inside |      | outside
           +------+                        +------+
 ^^--<- arping to this ip <--via--- ^^ using eth2
root@srv2# arping -I eth2 213.34.90.130
ARPING 213.34.90.130 from 172.31.255.250 eth2
^CSent 15 probes (15 broadcast(s))
Received 0 response(s)
srv1 does NOT reply to arp requests, even if I add an:
"arp -sD eth1 ip1a" (which is not necessary)
I compared all sysctl settings, they are equal. ip_forward is set to 1
on both machines. The srv1 has a large iptables rulebase, the srv2 just
some simple rules. A tcpdump shows that srv1 receives the arp requests
but is not willing to honour the arp requests of srv2.
The goal is proxy_arping (which unexpectedly did not work), and I
found out that the machine srv1 even does not reply to arp requests of
its own ip addresses.
Any thoughts or hints on this matter?
R.
--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.
+------------------------------------------------------------------+
| Richard Lucassen, Utrecht |
+------------------------------------------------------------------+
* Re: proxy_arp
From: fnavarro @ 2014-04-27 5:43 UTC
To: netfilter; +Cc: mailinglists
Hi Richard,
> Hello list,
>
> I have two identical Linux servers, two identical vanilla kernels
> (3.2.57). I start an arping on srv1 to the *external* ip of srv2 using
> the *internal* rfc1918 addressed NIC (eth2)
>
>            +------+                        +------+
>       eth0 |      | eth2              eth2 |      | eth0
> ip1a-------+ srv1 +--ip1b--<------>--ip2b--+ srv2 +--ip2a
>    outside |      | inside          inside |      | outside
>            +------+                        +------+
>
>     arping using eth1 ^^ --via-> eth2 ^^ to this ip --^^^
>
> root@srv1# arping -I eth1 ip2a
> ARPING 213.34.90.190 from 172.31.255.249 eth2
> Unicast reply from 213.34.90.190 [00:15:17:F4:41:46] 0.891ms
> Unicast reply from 213.34.90.190 [00:15:17:F4:41:46] 0.799ms
> ^CSent 2 probes (1 broadcast(s))
> Received 2 response(s)
>
> No problem, it works as expected. The other way round however:
>
>            +------+                        +------+
>       eth0 |      | eth2              eth2 |      | eth0
> ip1a-------+ srv1 +--ip1b--<------>--ip2b--+ srv2 +--ip2a
>    outside |      | inside          inside |      | outside
>            +------+                        +------+
>
>  ^^--<- arping to this ip <--via--- ^^ using eth2
>
> root@srv2# arping -I eth2 213.34.90.130
> ARPING 213.34.90.130 from 172.31.255.250 eth2
> ^CSent 15 probes (15 broadcast(s))
> Received 0 response(s)
>
> srv1 does NOT reply to arp requests, even if I add an:
>
> "arp -sD eth1 ip1a" (which is not necessary)
>
> I compared all sysctl settings, they are equal. ip_forward is set to 1
> on both machines. The srv1 has a large iptables rulebase, the srv2 just
> some simple rules. A tcpdump shows that srv1 receives the arp requests
> but is not willing to honour the arp requests of srv2.
>
> The goal is proxy_arping (which unexpectedly did not work), and I
> found out that the machine srv1 even does not reply to arp requests of
> its own ip addresses.
In my opinion, this is a strange scenario for proxy ARP (see Comer's
Internetworking book). Don't you think srv2 is forwarding your traffic to
its eth0 interface, i.e. the one owning the ip2o address?
regards,
francisco javier
> Any thoughts or hints on this matter?
>
> R.
>
> --
> ___________________________________________________________________
> It is better to remain silent and be thought a fool, than to speak
> aloud and remove all doubt.
>
> +------------------------------------------------------------------+
> | Richard Lucassen, Utrecht |
> +------------------------------------------------------------------+
* Re: proxy_arp
From: Vigneswaran R @ 2014-04-28 3:53 UTC
To: netfilter; +Cc: richard lucassen
On 04/25/2014 11:05 PM, richard lucassen wrote:
> Hello list,
>
> I have two identical Linux servers, two identical vanilla kernels
> (3.2.57). I start an arping on srv1 to the *external* ip of srv2 using
> the *internal* rfc1918 addressed NIC (eth2)
>
>            +------+                        +------+
>       eth0 |      | eth2              eth2 |      | eth0
> ip1a-------+ srv1 +--ip1b--<------>--ip2b--+ srv2 +--ip2a
>    outside |      | inside          inside |      | outside
>            +------+                        +------+
>
>     arping using eth1 ^^ --via-> eth2 ^^ to this ip --^^^
>
> root@srv1# arping -I eth1 ip2a
> ARPING 213.34.90.190 from 172.31.255.249 eth2
> Unicast reply from 213.34.90.190 [00:15:17:F4:41:46] 0.891ms
> Unicast reply from 213.34.90.190 [00:15:17:F4:41:46] 0.799ms
> ^CSent 2 probes (1 broadcast(s))
> Received 2 response(s)
>
> No problem, it works as expected. The other way round however:
>
>            +------+                        +------+
>       eth0 |      | eth2              eth2 |      | eth0
> ip1a-------+ srv1 +--ip1b--<------>--ip2b--+ srv2 +--ip2a
>    outside |      | inside          inside |      | outside
>            +------+                        +------+
>
>  ^^--<- arping to this ip <--via--- ^^ using eth2
>
> root@srv2# arping -I eth2 213.34.90.130
> ARPING 213.34.90.130 from 172.31.255.250 eth2
> ^CSent 15 probes (15 broadcast(s))
> Received 0 response(s)
>
> srv1 does NOT reply to arp requests, even if I add an:
>
> "arp -sD eth1 ip1a" (which is not necessary)
>
> I compared all sysctl settings, they are equal. ip_forward is set to 1
> on both machines. The srv1 has a large iptables rulebase, the srv2 just
> some simple rules. A tcpdump shows that srv1 receives the arp requests
> but is not willing to honour the arp requests of srv2.
It seems iptables rules will not affect ARP. By any chance, do you have
arptables or ebtables installed on srv1 which is causing the problem?
http://www.linuxcommand.org/man_pages/arptables8.html
http://ebtables.sourceforge.net/examples/basic.html#ex_config
Regards,
Vignesh
>
> The goal is proxy_arping (which unexpectedly did not work), and I
> found out that the machine srv1 even does not reply to arp requests of
> its own ip addresses.
>
> Any thoughts or hints on this matter?
>
> R.
>
* Re: proxy_arp
From: Vigneswaran R @ 2014-04-29 3:13 UTC
To: netfilter; +Cc: richard lucassen
On 04/28/2014 10:34 PM, richard lucassen wrote:
> On Mon, 28 Apr 2014 09:23:31 +0530
> Vigneswaran R <vignesh@atc.tcs.com> wrote:
>
>> It seems, iptable rules will not affect the ARP.
> No, it should not :)
>
>> By any chance you
>> have arptables or ebtables installed on srv1 which is causing the
>> problem?
> Nope:
>
> # ebtables -L
> Bridge table: filter
>
> Bridge chain: INPUT, entries: 0, policy: ACCEPT
>
> Bridge chain: FORWARD, entries: 0, policy: ACCEPT
>
> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
>
> # arptables -L
> Chain INPUT (policy ACCEPT)
>
> Chain OUTPUT (policy ACCEPT)
>
> Chain FORWARD (policy ACCEPT)
>
> I just don't understand why srv1 is not arp-replying to the ip
> addresses it owns...
Did you check the rp_filter also? Try disabling the rp_filter on srv1
(if it is not disabled already) and check.
(Just in case the source IP of the arp request and the incoming
Interface are not matching according to the routing table entries).
echo "0" > /proc/sys/net/ipv4/conf/eth1/rp_filter
regards,
Vignesh
* Re: proxy_arp [resolved]
From: richard lucassen @ 2014-04-29 11:13 UTC
To: netfilter; +Cc: Vigneswaran R
On Tue, 29 Apr 2014 08:43:08 +0530
Vigneswaran R <vignesh@atc.tcs.com> wrote:
> > I just don't understand why srv1 is not arp-replying to the ip
> > addresses it owns...
>
> Did you check the rp_filter also? Try disabling the rp_filter on srv1
> (if it is not disabled already) and check.
> (Just in case the source IP of the arp request and the incoming
> Interface are not matching according to the routing table entries).
>
> echo "0" > /proc/sys/net/ipv4/conf/eth1/rp_filter
No, but echoing "2" (relaxed) did the job. Thnx! AFAIK this is still a
bug: the 0 does not work anymore, 0 or 1, it's equal. I reported this a
few years ago, but the error still remains.
R.
--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.
+------------------------------------------------------------------+
| Richard Lucassen, Utrecht |
+------------------------------------------------------------------+
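Added example, not part of the thread or of any poster's message: the kernel's ip-sysctl documentation states that the maximum of conf/all/rp_filter and conf/<iface>/rp_filter is used for source validation on an interface, so the script below reports the effective mode per interface rather than the per-interface file alone. The function names and the constructed tree (conf/all=1, a value the thread never shows) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): effective rp_filter per interface.
# ip-sysctl: max(conf/all/rp_filter, conf/<iface>/rp_filter) is what the
# kernel uses for source validation on <iface>.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"   # overridable for testing

# Print the effective value (0=off, 1=strict, 2=loose) for interface $1.
effective_rp_filter() {
    all=$(cat "$CONF_ROOT/all/rp_filter") || return 1
    own=$(cat "$CONF_ROOT/$1/rp_filter") || return 1
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

rp_mode_name() {
    case "$1" in
        0) echo off ;; 1) echo strict ;; 2) echo loose ;; *) echo unknown ;;
    esac
}

# One line per interface; notes where conf/all overrides the interface value.
report_rp_filter() {
    for dir in "$CONF_ROOT"/*; do
        name=$(basename "$dir")
        case "$name" in all|default) continue ;; esac
        [ -r "$dir/rp_filter" ] || continue
        own=$(cat "$dir/rp_filter")
        eff=$(effective_rp_filter "$name") || continue
        note=""
        if [ "$eff" != "$own" ]; then note=" (raised by conf/all)"; fi
        echo "$name: own=$own effective=$eff ($(rp_mode_name "$eff"))$note"
    done
}

# Constructed tree: conf/all assumed to be 1, eth1 set to the value in $1.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/all" "$root/eth1"
    echo 1 > "$root/all/rp_filter"
    echo "$1" > "$root/eth1/rp_filter"
    echo "$root"
}

if [ -r "$CONF_ROOT/all/rp_filter" ]; then
    report_rp_filter          # live system
else
    CONF_ROOT=$(demo_tree 0); report_rp_filter; rm -rf "$CONF_ROOT"
fi
```

On a host where strict filtering is wanted everywhere except one interface, loose mode (2) on that interface is the setting that survives a conf/all value of 1.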
* Re: proxy_arp [resolved]
From: Vigneswaran R @ 2014-04-29 11:19 UTC
To: netfilter; +Cc: richard lucassen
On 04/29/2014 04:43 PM, richard lucassen wrote:
> On Tue, 29 Apr 2014 08:43:08 +0530
> Vigneswaran R <vignesh@atc.tcs.com> wrote:
>
>>> I just don't understand why srv1 is not arp-replying to the ip
>>> addresses it owns...
>> Did you check the rp_filter also? Try disabling the rp_filter on srv1
>> (if it is not disabled already) and check.
>> (Just in case the source IP of the arp request and the incoming
>> Interface are not matching according to the routing table entries).
>>
>> echo "0" > /proc/sys/net/ipv4/conf/eth1/rp_filter
> No, but echoing "2" (relaxed) did the job. Thnx! AFAIK this is still a
> bug: the 0 does not work anymore, 0 or 1, it's equal. I reported this a
> few years ago, but the error still remains.
Ok.
Regards,
Vignesh