Hello -
I am using kernel 2.4.27 and running into behavior I don't know how to explain.
I have 2 relevant interfaces. eth0 is external, eth1 is internal. My internal LAN is 10.10.10.0/24. My External range is 1.2.3.0/27 (dummied up). I have an H.323 videoconference device inside my internal LAN, but at IP Address 1.2.3.11/27. (IP Address dummied up.) I want to proxy ARP this device.
Both eth0 and eth1 on my firewall have IP Addresses 1.2.3.2/27. eth1 also has IP Address 10.10.10.1/24 and is the default gateway for all my internal hosts. The router outside my firewall is 1.2.3.1.
So the network looks like this (apologies if email butchers my ASCII art):
        10.10.10.0/27                            1.2.3.0/27

     10.10.10.n
   internal hosts
         |
 <-------+--------+-----------+        +-----------+------> to the Internet
         |                    |        |           |
      Proxied                 |        |           |
    H.323 device              Firewall             Router
                           eth1      eth0
     1.2.3.11           10.10.10.1  1.2.3.2        1.2.3.1
                         1.2.3.2
/proc/sys/net/ipv4/conf/eth0/proxy_arp is 1.
/proc/sys/net/ipv4/conf/eth1/proxy_arp is 1.
My firewall has a route to 1.2.3.11 dev eth1.
The host at 1.2.3.11 has a default GW of 1.2.3.1.
This is where it gets weird. The H.323 device should exchange a few TCP packets with the far end and then thousands of UDP packets. And I should see this stream on the firewall watching both interfaces.
I run tcpdump in two different windows on the firewall - one for eth1, the other for eth0. When I initiate an outbound H.323 call from the device at .11, tcpdump on the firewall shows TCP packets flying on eth1, but nothing on eth0 - almost all the time. Calls don't complete most of the time, although one call kind of completed. Watching on the firewall, I saw a TCP conversation on eth1, but nothing on eth0. Very strange! One time a call completed all the way and UDP started flying - as it should. I saw a few UDP packets on eth0 and lots (thousands) of UDP packets on eth1. For the call that really completed, I would expect to see thousands of UDP packets on both eth0 and eth1 - but instead saw only a few on eth0.
This behavior happens even with no firewall filtering rules in place.
My NATed 10.10.10.nn internal hosts work fine - in fact, my email server posting this item to the list is one of those hosts.
The obvious question - why such an old kernel? Because it's worked for everything I need so far and every 2.6.nn I try has other bugs with one module or another.
My questions - was proxy ARP broken in the 2.4.27 days? Why doesn't tcpdump show me packets on both interfaces of the firewall? Am I missing a setup ingredient someplace? Should the default GW on that H.323 device be .2 (the firewall) or .1 (the Internet router)? Does mixing NAT and proxy ARP create problems? Should I put the H.323 device in its own little DMZ?
Thanks
- Greg Scott
_______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
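Added illustration (not part of Greg's post, and not the kernel's own code): a small Python model of the decision Linux makes when it sees an ARP request with proxy_arp enabled. The kernel only sends a proxied reply when the request arrived on a device whose proxy_arp is set AND the route to the requested address leaves through a different device. The routing table below is constructed from the addresses in the post; the default route leaving via eth0 toward 1.2.3.1 is an assumption, and because both eth0 and eth1 carry 1.2.3.2/27 the firewall has two connected routes for 1.2.3.0/27 whose relative order is unknown, so the model makes that order a parameter and shows both outcomes for the two ARP exchanges an outbound call from .11 depends on.

```python
import ipaddress

# Constructed from the post: the firewall's routing table. Both eth0 and eth1
# carry 1.2.3.2/27 (so each gets a connected route for 1.2.3.0/27), eth1 also
# carries 10.10.10.1/24, and there is a host route to 1.2.3.11 via eth1.
# Assumptions: the default route leaves via eth0 (toward 1.2.3.1), and the
# order of the two 1.2.3.0/27 connected routes is unknown, so it is a parameter.
def build_routes(external_first=True):
    connected_27 = [("1.2.3.0/27", "eth0"), ("1.2.3.0/27", "eth1")]
    if not external_first:
        connected_27.reverse()
    return [("1.2.3.11/32", "eth1")] + connected_27 + [
        ("10.10.10.0/24", "eth1"),
        ("0.0.0.0/0", "eth0"),
    ]

LOCAL_ADDRS = {"1.2.3.2", "10.10.10.1"}     # the firewall's own addresses
PROXY_ARP = {"eth0": True, "eth1": True}    # /proc/sys/net/ipv4/conf/*/proxy_arp


def lookup(dst, routes):
    """Longest-prefix match. Among routes of equal length the first listed
    wins, which models the kernel preferring the earlier-added connected route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, dev in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def arp_reply(in_dev, target, routes, proxy_arp=PROXY_ARP):
    """What the firewall does with an ARP request for `target` heard on `in_dev`.
    Returns 'own' (target is a local address), 'proxy' (proxied reply) or
    None (silence). The proxy rule is the kernel's: proxy_arp must be on for
    in_dev AND the route to target must leave through a different device."""
    if target in LOCAL_ADDRS:
        return "own"
    if not proxy_arp.get(in_dev):
        return None
    out_dev = lookup(target, routes)
    if out_dev is None or out_dev == in_dev:
        return None
    return "proxy"


def trace_call(routes):
    """The two ARP exchanges an outbound call from 1.2.3.11 depends on."""
    return {
        # The router (1.2.3.1) on eth0 asks who has 1.2.3.11; this reply is
        # needed for anything coming back to the device.
        "eth0 asks for 1.2.3.11": arp_reply("eth0", "1.2.3.11", routes),
        # The device on eth1 asks who has its gateway 1.2.3.1; this reply is
        # needed for everything the device sends outbound.
        "eth1 asks for 1.2.3.1": arp_reply("eth1", "1.2.3.1", routes),
    }


if __name__ == "__main__":
    for order in (True, False):
        print("eth0's /27 route listed first:", order, trace_call(build_routes(order)))
```

With eth0's connected route first, both requests get a proxied reply; with eth1's first, the request for 1.2.3.1 heard on eth1 resolves to a route that leaves via eth1 itself, so the firewall stays silent and nothing the device sends toward its gateway is forwarded. The real arp_process() has further conditions (route type, ARP filtering) that this model leaves out, so treat it as a way to reason about the "different output device" rule, not as a reproduction of the 2.4.27 code path.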