netfilter.vger.kernel.org archive mirror
* proxy_arp
@ 2014-04-25 17:35 richard lucassen
From: richard lucassen @ 2014-04-25 17:35 UTC (permalink / raw)
  To: netfilter

Hello list,

I have two identical Linux servers, two identical vanilla kernels
(3.2.57). I start an arping on srv1 to the *external* ip of srv2 using
the *internal* rfc1918 addressed NIC (eth2)

           +------+                        +------+
eth0       |      |  eth2            eth2  |      |  eth0
ip1a-------+ srv1 +--ip1b--<------>--ip2b--+ srv2 +--ip2a
outside    |      |  inside        inside  |      |  outside
           +------+                        +------+

    arping using eth1 ^^  --via-> eth2 ^^ to this ip --^^^

root@srv1# arping -I eth1 ip2a
ARPING 213.34.90.190 from 172.31.255.249 eth2
Unicast reply from 213.34.90.190 [00:15:17:F4:41:46]  0.891ms
Unicast reply from 213.34.90.190 [00:15:17:F4:41:46]  0.799ms
^CSent 2 probes (1 broadcast(s))
Received 2 response(s)

No problem, it works as expected. The other way round however:

           +------+                        +------+
eth0       |      |  eth2            eth2  |      |  eth0
ip1a-------+ srv1 +--ip1b--<------>--ip2b--+ srv2 +--ip2a
outside    |      |  inside        inside  |      |  outside
           +------+                        +------+

 ^^--<- arping to this ip <--via--- ^^ using eth2

root@srv2# arping -I eth2 213.34.90.130
ARPING 213.34.90.130 from 172.31.255.250 eth2
^CSent 15 probes (15 broadcast(s))
Received 0 response(s)

srv1 does NOT reply to arp requests, even if I add an:

"arp -sD eth1 ip1a" (which is not necessary)

I compared all sysctl settings, they are equal. ip_forward is set to 1
on both machines. The srv1 has a large iptables rulebase, the srv2 just
some simple rules. A tcpdump shows that srv1 receives the arp requests
but is not willing to honour the arp requests of srv2.

The goal is proxy_arping (which unexpectedly did not work), and I
found out that the machine srv1 does not even reply to arp requests for
its own ip addresses.

Any thoughts or hints on this matter?

R.

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
+------------------------------------------------------------------+

* Re: proxy_arp
@ 2014-04-27  5:43 fnavarro
From: fnavarro @ 2014-04-27  5:43 UTC (permalink / raw)
  To: netfilter; +Cc: mailinglists

Hi Richard,

> Hello list,
>
> I have two identical Linux servers, two identical vanilla kernels
> (3.2.57). I start an arping on srv1 to the *external* ip of srv2 using
> the *internal* rfc1918 addressed NIC (eth2)
>
>            +------+                        +------+
> eth0       |      |  eth2            eth2  |      |  eth0
> ip1a-------+ srv1 +--ip1b--<------>--ip2b--+ srv2 +--ip2a
> outside    |      |  inside        inside  |      |  outside
>            +------+                        +------+
>
>     arping using eth1 ^^  --via-> eth2 ^^ to this ip --^^^
>
> root@srv1# arping -I eth1 ip2a
> ARPING 213.34.90.190 from 172.31.255.249 eth2
> Unicast reply from 213.34.90.190 [00:15:17:F4:41:46]  0.891ms
> Unicast reply from 213.34.90.190 [00:15:17:F4:41:46]  0.799ms
> ^CSent 2 probes (1 broadcast(s))
> Received 2 response(s)
>
> No problem, it works as expected. The other way round however:
>
>            +------+                        +------+
> eth0       |      |  eth2            eth2  |      |  eth0
> ip1a-------+ srv1 +--ip1b--<------>--ip2b--+ srv2 +--ip2a
> outside    |      |  inside        inside  |      |  outside
>            +------+                        +------+
>
>  ^^--<- arping to this ip <--via--- ^^ using eth2
>
> root@srv2# arping -I eth2 213.34.90.130
> ARPING 213.34.90.130 from 172.31.255.250 eth2
> ^CSent 15 probes (15 broadcast(s))
> Received 0 response(s)
>
> srv1 does NOT reply to arp requests, even if I add an:
>
> "arp -sD eth1 ip1a" (which is not necessary)
>
> I compared all sysctl settings, they are equal. ip_forward is set to 1
> on both machines. The srv1 has a large iptables rulebase, the srv2 just
> some simple rules. A tcpdump shows that srv1 receives the arp requests
> but is not willing to honour the arp requests of srv2.
>
> The goal is proxy_arping (which unexpectedly did not work), and I
> found out that the machine srv1 does not even reply to arp requests for
> its own ip addresses.

In my opinion, this is a strange scenario for proxy arp (see Comer's
Internetworking book). Don't you think srv2 is forwarding your traffic to
its eth0 interface, i.e. the one owning the ip2o address?

Regards,

Francisco Javier

> Any thoughts or hints on this matter?
>
> R.