On 5/30/2007 6:46 PM, Greg Scott wrote:
Here is the problem. Behind the firewall is a Coyote Point Equalizer
at 1.2.3.10, with a high-volume website behind it spread across
several servers. Every time I put this proxy ARP firewall in place,
that nasty Coyote Point box dies and this breaks the high volume
website behind it and makes lots of people mad. I've never seen a
Coyote Point Equalizer but I have a hunch it might not get along well
with a proxy ARP device in its same network.
Hrm...
Proxy ARP really means proxy ARP - that firewall answers ARP requests
for anything and everything it sees, for any network. This also has
consequences for new devices that try to be polite when they set IP
Addresses for themselves by ARPing to see if anyone else answers at
that address. Is there a way to limit proxy ARP to a list of IP
Addresses?
This will be Proxy ARP implementation specific. I have no idea whether
or not Linux can be configured to behave as you are asking or not.
Or - should I forget proxy ARP and look at bridging instead?
Having just (briefly) brushed up on Proxy ARPing, I can see how it would
be a problem for a load balancer. Most load balancers work on a couple
of different levels, either IP <-> MAC spoofing, or NATing. The former
method is probably what is happening and thus having a problem with your
Proxy ARP router / firewall.
Consider if you will a host out side of the Proxy ARP router / firewall
trying to connect to an IP address that is both behind the Proxy ARP
router / firewall AND the load balancer. If the load balancer changes
the MAC address that the IP address belongs to, the Proxy ARP router /
firewall will inevitably end up pointing to the wrong internal MAC. How
will the load balancer handle the traffic when it does not start flowing
to the alternative MAC like it wants? I can not say. But, I do see a
very big potential for a conflict. In said conflict, I can not say any
thing to how any of the equipment will fail. Thus, you could end up in
the scenario you are in now.
I can't say for sure as to whether or not you should forget about proxy
ARP or not, but I can say for sure that bridging will do what you are
wanting to do very well.
Bridging will pass the ARP requests in directly to the load balancer
like it is expecting so that it can control things the way that it wants
to. This means that when the load balancer alters the IP <-> MAC
mapping, the upstream device on the other side of the bridge will see
the changed MAC address.
I think I would go the bridging route.
Can I do bridging and still access the bridged interfaces remotely?
Most definitely! Put your IP address on the bridge interface.
I.e. eth0 and eth1 are bridged together by br0.
ifconfig br0 1.2.3.2 netmask 255.255.255.0
You will be able to access 1.2.3.2 from either side of the bridge. That
is presuming that you do not use EBTables / IPTables to filter the
bridged traffic. In other words, so long as you are not doing any layer
2 filtering yes.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
