Re: [LARTC] Proxy Arp question

Linux Advanced Routing and Traffic Control

Hi Joseph,

I took a closer look at your schema ...


On Fri, 2003-05-02 at 06:18, Joseph Watson wrote:
> Hello,
> 
> I have been digging around for a while trying to get a good understanding of 
> how to configure Linux to do proxy ARP.  I understand the concept well 
> (there is lots of info on this), but am struggling to get a clear 
> understanding of implementing it on Linux. 
> 
> First question:
> Is the following possible, or does the firewall have to have an address on 
> the 192.168.1.0/24 network?  My thought was I could add a route on eth0 to the 
> 192.168.1.0/24 network, and a route on eth1 to the host 192.168.1.2 and then 
> turn on proxy ARP.
> 
>     192.168.1.0/24
>               |
>    eth0: 192.168.2.1
>         Firewall
>    eth1: 192.168.3.1
>               |
>       192.168.1.2

I'm having a bit of trouble understanding exactly what you're trying to
achieve here.

A host's gateway needs to be on the same subnet, therefore your
schema should read

       192.168.1.2-254/24 <- (hosts 2 thru 254)
               |
    eth0: 192.168.1.1/24
         Firewall
    eth1: 192.168.3.1/24
               |
       192.168.3.2-254/24 <- (hosts 2 thru 254)

unless you're doing something special where host 192.168.1.2
(from your diagram) is "logically" on the 192.168.1.0/24 subnet although
it is not "physically". Is this the case (tunnelling/VPN)?

If your setup is indeed as I have indicated, then you can set firewall
rules allowing host(s) on the 192.168.3.0/24 subnet to reach host(s) and
service(s) on the 192.168.1.0/24 subnet without issue.


> Second question:
> I have been using Shorewall as a firewall, and it comes with proxy ARP 
> capability.  Here is the working configuration of my firewall using proxy 
> ARP:
> 
>     192.168.1.0/24
>               |
>    eth0: 192.168.1.1
>         Firewall
>    eth1: 192.168.3.1
>               |
>       192.168.1.2
> 
> There are the following routes:
>  192.168.1.2 dev eth1  scope link
>  192.168.1.0/24 dev eth0  scope link
> 
> This makes sense.  Where I am confused is when I check the proxy_arp settings:
> 
> []# cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
> 0
> []# cat /proc/sys/net/ipv4/conf/eth1/proxy_arp
> 1
> []#
> 
> Why is proxy_arp not turned on for eth0?  Every howto I can find says to turn 
> on proxy_arp for both interfaces.  
 
192.168.1.0/24 dev eth0  scope link
192.168.3.0/24 dev eth1  scope link
127.0.0.0/8 dev lo  scope link

Your routing table is missing localhost, or did you <snip> it? Check.

Cheers,

Christopher Cuse
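Added example (not from the thread, and not Shorewall's own code): a small POSIX sh script for the second diagram above, eth0 192.168.1.1/24 on the real 192.168.1.0/24 segment and eth1 192.168.3.1/24 with host 192.168.1.2 attached behind it. It bundles the pieces the howtos describe separately: the /32 host route out the internal interface, IP forwarding (the kernel only proxies ARP on interfaces that forward), and the per-interface proxy_arp flags, plus a check that reads the flags back. It also shows the other kernel mechanism for the external side, a published neighbour entry (`ip neigh add proxy`), which the kernel answers regardless of that interface's proxy_arp flag; that is one way a working setup can show proxy_arp=0 on eth0. The variables EXTERNAL, INTERNAL, ADDRESS, SYSCTL_ROOT and DRY_RUN and all function names are this example's own; DRY_RUN=1 (the default) prints the commands instead of running them so the script can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original thread): configure and verify Linux
# proxy ARP for the thread's second diagram.
#   eth0 192.168.1.1/24  real 192.168.1.0/24 segment (external side)
#   eth1 192.168.3.1/24  host 192.168.1.2 attached here, "logically" on .1.0/24
# EXTERNAL/INTERNAL/ADDRESS/SYSCTL_ROOT/DRY_RUN are this example's assumptions.

EXTERNAL=${EXTERNAL:-eth0}       # interface on the segment the address belongs to
INTERNAL=${INTERNAL:-eth1}       # interface the proxied host is physically on
ADDRESS=${ADDRESS:-192.168.1.2}  # address the firewall answers ARP for
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}
DRY_RUN=${DRY_RUN:-1}            # 1 = print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The classic "proxy_arp on both interfaces" setup from the howtos.
proxyarp_setup() {
    # Host route: traffic for the proxied address leaves via the internal side.
    run ip route add "$ADDRESS/32" dev "$INTERNAL"
    # arp_process() only proxies on interfaces that forward.
    run sysctl -q -w net.ipv4.ip_forward=1
    # External side answers for $ADDRESS (routed out $INTERNAL); internal side
    # answers for the rest of 192.168.1.0/24 so the proxied host, which thinks
    # it sits on that /24, can reach its "neighbours" through the firewall.
    run sysctl -q -w "net.ipv4.conf.$EXTERNAL.proxy_arp=1"
    run sysctl -q -w "net.ipv4.conf.$INTERNAL.proxy_arp=1"
}

# Narrower alternative for the external side: publish one neighbour entry.
# The kernel answers ARP for a published entry even with proxy_arp = 0 on
# $EXTERNAL, and answers for nothing else on that interface.
proxyarp_publish() {
    run ip neigh add proxy "$ADDRESS" dev "$EXTERNAL"
}

# Read one interface's proxy_arp flag; prints the value, or "missing".
proxy_arp_flag() {
    f="$SYSCTL_ROOT/net/ipv4/conf/$1/proxy_arp"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Report both flags and ip_forward; exit status 0 only when all three are 1,
# i.e. the interface-wide configuration the howtos describe is complete.
proxyarp_check() {
    rc=0
    for ifc in "$EXTERNAL" "$INTERNAL"; do
        v=$(proxy_arp_flag "$ifc")
        echo "$ifc proxy_arp=$v"
        [ "$v" = 1 ] || rc=1
    done
    fwd=$(cat "$SYSCTL_ROOT/net/ipv4/ip_forward" 2>/dev/null || echo missing)
    echo "ip_forward=$fwd"
    [ "$fwd" = 1 ] || rc=1
    return $rc
}

# Usage: sh proxyarp.sh setup|publish|check   (DRY_RUN=0 to apply, as root)
case "${1:-}" in
    setup)   proxyarp_setup ;;
    publish) proxyarp_publish ;;
    check)   proxyarp_check ;;
esac
```

The caveat worth knowing before enabling the flag on the external side: with proxy_arp=1 on eth0 the kernel answers ARP requests arriving on eth0 for every unicast destination it can route out a different interface, not just 192.168.1.2, so hosts on 192.168.1.0/24 also get ARP replies for 192.168.3.0/24 addresses and can send to them directly at layer 2 (the packets are still forwarded by the firewall, so FORWARD-chain rules still apply). The published entry in proxyarp_publish limits the external side to the single address, which is the least-privilege choice when only one host is being proxied; proxy_arp on eth1 is still needed in that case so the proxied host can reach the rest of its /24.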
