Hello, i have a firewall with lots of interfaces and want to use the proxy_arp feature, but ran into problems with false arp whois replys from the firewall. What happens is that the inbound interface of the firewall answers to arp whois replys with it's own MAC even on the interface where the Machines with that IPs live. So, when the internal machines are connected to eth0 and a dumb Windows Machine boots, it first does a arp-whois on ot's own IP on the network before it starts it's NIC. The firewall now _answers_ on it's connected NIC with it's on MAC, arp-whois-reply with it's MAC. Windows is now convinced that IP is allready taken and refuses to start it's interface. I really could see that in a tcpdump. I was thinking that this shouldn't happen with the proxy-arp feature on a directly connected interface (and never had that problem with some other proxy-arped setups!), so i googled a bit and found the newish medium_id feature. I'm not quite sure if that solves my problem, but it tried it and it didn't work. More details: Every workstation in the internal network has it's own routing table on the firewall. This is because the other networks connected to the firewall use sometimes the same IP-ranges (customers using private assigned IP addresses). Each user on the internal net can now choose a new default gateway in his own routing table (via a sudo script). The firewall itself doesn't know about that, it itself shouldn't be connected to any other networks except the directly connected machines on it's interfaces. So what i do on the firewall for example: (see also chart) Workstation wants to customer connected Router1: sysctl -w net.ipv4.conf.eth0.medium_id=1 sysctl -w net.ipv4.conf.eth1.medium_id=2 sysctl -w net.ipv4.conf.eth2.medium_id=3 sysctl -w net.ipv4.conf.eth3.medium_id=4 sysctl -w net.ipv4.conf.all.proxy_arp=1 sysctl -w net.ipv4.ip_forward=1 ip route add 10.1.56.222 dev eth1 # Router1 ip route add 10.1.56.193 dev eth0 # Workstation1 # every Workstation has it's own table ip rule add from 10.1.56.193 table 193 ip route add default via 10.1.56.222 dev eth1 table 193 In my understanding the firewall should not answer to arp-whois requests for IP 10.1.56.193 on interface eth0. Or did i get it wrong? The setup does work for Linux machines, they don't get confused with the false arp-replys. Another question, where i'm in doubt, can it cause problems if i assign the same IP to all interfaces? I just did it for simplicity and it may be a real dumb idea. Uh, just for curiosity: According to IETF Standard 37 (http://www.faqs.org/rfcs/std/std37.html) only a machine who really owns the IP is allowed to answer and send a arp-whois-reply. I got some equippment (not proxy_arp related) which answers on behalf of some machine. This really sucks, since it's arp-cache timeout is >6h. Anyone heard about equippment like that? (It's a SMS-Center from Comverse, GSM-Equippment) Thanks for your patience and for your replies, Cheers, Alex. Aaahh: Using stock 2.4.20 with Netfilter patches applied. My setup: Router1 Router2 Router3 10.1.56.222/27 10.1.56.220/27 10.1.56.219/27 ... even | | | more | | | Routers... | | | ---------------------------------------------------- eth1 eth2 eth3 ... more 10.1.56.221/27 10.1.56.221/27 10.1.56.221/27 eths Firewall 10.1.56.221/27 eth0 ---------------------------------------------------- | | Rest of 10.1.56.192/27 Workstations _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
