On Wed, Feb 13, 2002 at 10:35:15AM -0500, Adrian Chung wrote:
> Hey everyone! I came across this link today:
>
> http://www.sjdjweis.com/linux/proxyarp/
>
> Which I thought was very interesting. But I don't quite understand
> how, or what effect assigning the same IP address to both the left and
> right side interfaces of the pseudo-bridge has.
>
> In the article, the author describes a mechanism for being able to
> shape/filter traffic to an entire ISP assigned subnet.
>
> Basically, use proxy arp, assign the same ISP IP to both interfaces on
> the router, and use iproute2 to create routes to the router on one
> interface, and the rest of the network on the other.

It does not matter which IP addresses you assign to which interfaces.
You can also assign the official IP to lo.

> It's almost identical to the Proxy-Arp/Pseudo Bridge part of the LARTC
> HOWTO.
>
> Except that I'm confused as to how the kernel deals with the fact that
> both interfaces have the same IP address.

The kernel sees one IP address, and two NICs, each having some part of a
network directly attached to it.

> I guess logically it doesn't matter to the kernel, because the routes
> clearly delineate which interface to send packets to, proxy-arp
> connects the two LANs, and both interfaces have different MAC
> addresses.

Yep.

> It just seems wrong. :)

Nope. If you think about it: it is CLEAN!

I've attached an e-mail which should give some more examples, and a copy
of the mail I sent to the maintainer of that site. (Eh, the update to the
last mail: I tested it, and it works.)

Some advice, eh, to everybody: really forget about route and ifconfig,
try to switch to the iproute utility...

--
<ard@telegraafnet.nl> Telegraaf Elektronische Media
http://wwwijzer.nl http://leerquoten.monster.org/
http://www.faqs.org/rfcs/rfc1855.html
Let your government know you value your freedom.
Sign the petition: http://petition.eurolinux.org/

----- Attached message 1 -----

From: Ard van Breemen <ard@telegraafnet.nl>
To: vlan@Scry.WANfear.com
Subject: Re: [VLAN] same ip in all vlan interfaces possible?
Date: Thu, 10 Jan 2002 20:28:32 +0100
Message-ID: <20020110192832.GI25507@telegraafnet.nl>
In-Reply-To: <15421.44456.756906.695146@hoggar.fisica.ufpr.br>

On Thu, Jan 10, 2002 at 01:05:12PM -0200, Carlos Carvalho wrote:
> I'm about to try ethernet tags for the first time. I need to use the
> same ip in all vlan interfaces. Is this possible?
>
> I can't put each vlan in a different IP subnet because there will be
> tens of them.

I am not sure of what you are trying to do, but this is possible:
give all the networks the idea of a virtual 192.168.0.0/16, for instance.
You can divide your network in C classes by, for instance:

    vconfig add eth0 2
    ip addr add 127.0.0.1/8 dev vlan2
    ip route add 192.168.2.0/24 dev vlan2
    echo 1 > /proc/sys/net/ipv4/conf/vlan2/proxy_arp

    vconfig add eth0 3
    ip addr add 127.0.0.1/8 dev vlan3
    ip route add 192.168.3.0/24 dev vlan3
    echo 1 > /proc/sys/net/ipv4/conf/vlan3/proxy_arp

    vconfig add eth0 4
    ip addr add 127.0.0.1/8 dev vlan4
    ip route add 192.168.4.0/24 dev vlan4
    echo 1 > /proc/sys/net/ipv4/conf/vlan4/proxy_arp

    vconfig add eth0 5
    ip addr add 127.0.0.1/8 dev vlan5
    ip route add 192.168.5.0/24 dev vlan5
    echo 1 > /proc/sys/net/ipv4/conf/vlan5/proxy_arp

    ip addr add 192.168.0.1/32 dev lo
    echo 1 > /proc/sys/net/ipv4/ip_forward

If 192.168.5.2 tries to ping 192.168.3.9, it will ARP for it, since it
thinks it is in the same subnet (/16). Your box knows how to route it,
and therefore will reply to the ARP. 192.168.5.2 will then send the
packet to your box, which will happily forward it. The default gw in this
example is 192.168.0.1, put on lo.

You need to have at least 1 IP address on a device to get the IP stack
bound to that device. If you don't have an IP address on a device (no
matter what IP address), you will not be able to use the kernel IP stack
on that device. Not binding the kernel IP stack to the device is a good
idea if you want to do some network sniffing for intrusion detection
etc...

(Thanks to Pauline Middelink for pointing me at the proxy_arp idea)

DISCLAIMER: I already tested the concept using 127.0.0.1 addresses and
proxy-arp in a sort of production environment. I did not test the
example above :)

--
<ard@telegraafnet.nl>
_______________________________________________
VLAN mailing list - VLAN@Scry.WANfear.com
http://www.WANfear.com/mailman/listinfo/vlan
VLAN Page: http://scry.wanfear.com/~greear/vlan.html

----- Attached message 2 -----

Date: Tue, 11 Dec 2001 20:19:31 +0100
To: djweis@sjdjweis.com
Subject: Proxy ARP with Linux (minor correction)
Message-ID: <20011211201931.R25836@telegraafnet.nl>

In http://www.sjdjweis.com/linux/proxyarp/index.html you say:

    You will need a 2.4 series kernel, the iproute2 utility, and a recent
    iptables userspace program.

All right, then these are my comments :) :

Everything except for the iptables already works on a 2.2 kernel; there
is nothing new there. Yes, I already used proxy-arp on a 2.2 kernel.
Hmmm, ok, you are right that in this case you definitely need the
connection tracking to prevent unwanted garbage from entering your
network, which is not the case in the classical (masquerading)
firewalling approach. But that is the "only" reason to have 2.4...

Another thing I am now busy finding out (I am not sure if this also
works on 2.2, but I have no reason to believe it does not work):

    ip link set up dev eth0
    ip addr add 127.0.0.1/32 dev eth0
    echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
    ip link set up dev eth1
    ip addr add 127.0.0.1/32 dev eth1
    echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
    ip route add x.x.x.96/28 dev eth0
    ip route add x.x.x.97/32 dev eth1

The theory behind it: the IP protocol driver needs to be bound to the
device. This is done by giving any (bogus) IP address to an interface.
Only after the IP protocol driver is bound to the interface can you use
it for IP. /proc/sys/net/ipv4/conf will only show interfaces bound to the
IP protocol... :)

Of course: you cannot reach the firewall, and the firewall can't reach
you.
You need a non-bogus IP address for that...

(Hmmmm: ssh 127.0.0.1 ... Hah! I hacked the firewall.... shutdown -h now
... Uh? ;) )

--
<ard@telegraafnet.nl>
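The two-interface recipe in the last message and the VLAN recipe in the first attachment are the same procedure: bind the IP stack to each interface with a placeholder address, give each interface the prefix that lives behind it, enable proxy_arp on that interface, then turn on forwarding. Below is an added example that does this as a reviewable script; it is not code from the thread, the LARTC HOWTO or the sjdjweis.com page. The function names are ours, the first iface=prefix pair is treated as the protected side for the FORWARD policy (a choice of ours, not the thread's), the classic "-m state" iptables match is assumed, and 203.0.113.0/24 (TEST-NET-3) is a constructed stand-in for the thread's x.x.x.

```sh
#!/bin/sh
# Added example, not from the thread: build the iproute2 + proxy_arp
# configuration of a proxy-ARP pseudo-bridge from "iface=prefix" pairs.
# Assumptions (ours): first pair = protected side, later pairs only get
# reply traffic; BINDADDR is any placeholder (the thread used 127.0.0.1;
# a /32 avoids a spurious connected route, a real address lets you reach
# the box); iptables "-m state" as on 2.4-era kernels. Nothing touches
# the kernel unless APPLY=1 is set; by default the plan is only printed.

# Strict dotted-quad/prefix check: these strings end up in ip(8)
# invocations run as root, so reject anything that is not a valid CIDR.
valid_prefix() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    oldifs=$IFS; IFS=./; set -- $1; IFS=$oldifs
    for o in "$1" "$2" "$3" "$4"; do [ "$o" -le 255 ] || return 1; done
}

# Interface names also go into a sysctl path; keep them to the safe set.
valid_iface() {
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1;; esac
}

# One interface: bind the IP stack, attach the routed slice, and enable
# proxy ARP on that same interface (the sysctl must match the route's
# device; the VLAN post enabled it on vlan2 for every VLAN by mistake).
plan_iface() {
    printf 'ip link set up dev %s\n' "$1"
    printf 'ip addr add %s dev %s\n' "$3" "$1"
    printf 'ip route add %s dev %s\n' "$2" "$1"
    printf 'echo 1 > /proc/sys/net/ipv4/conf/%s/proxy_arp\n' "$1"
}

# plan_pseudo_bridge BINDADDR INSIDE=PREFIX [OUTSIDE=PREFIX ...]
# Prints the command list; returns 1 on the first malformed argument.
plan_pseudo_bridge() {
    bind=$1; shift
    valid_prefix "$bind" || { echo "bad bind address: $bind" >&2; return 1; }
    inside=
    for pair in "$@"; do
        iface=${pair%%=*}; prefix=${pair#*=}
        valid_iface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
        valid_prefix "$prefix" || { echo "bad prefix: $prefix" >&2; return 1; }
        [ -n "$inside" ] || inside=$iface
        plan_iface "$iface" "$prefix" "$bind"
    done
    [ -n "$inside" ] || { echo "need at least one iface=prefix" >&2; return 1; }
    # With forwarding on, the box answers ARP for every routed host and
    # relays to it; a stateful FORWARD policy is what keeps outside hosts
    # from opening connections into the protected segment (the thread's
    # reason for wanting 2.4 connection tracking).
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf 'iptables -A FORWARD -i %s -j ACCEPT\n' "$inside"
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Dry run by default; APPLY=1 pipes the reviewed plan into a shell.
if [ "$#" -gt 0 ]; then
    if [ "${APPLY:-0}" = 1 ]; then plan_pseudo_bridge "$@" | sh -e
    else plan_pseudo_bridge "$@"; fi
fi
```

Run it as `./pseudo-bridge.sh 127.0.0.1/32 eth1=203.0.113.97/32 eth0=203.0.113.96/28`, read the plan, then rerun with `APPLY=1` as root. Longest-prefix matching sends .97 out eth1 and the rest of the /28 out eth0, exactly as in the message above. Note that proxy ARP replies are generated before netfilter sees anything: outside hosts will still get an ARP answer for the protected host, but their packets are dropped by the FORWARD policy unless a connection was opened from the inside.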