Hello - I have a situation with Sonicwall VPN device behind a Linux firewall/router, like this:

    LAN         Sonicwall                Linux
192.168.3.nn       VPN                 Firewall
--------------+-----------+----------+-----------+-----Internet
           LAN NIC     WAN NIC      em3         em1    1.2.3.48/28
        192.168.3.95  1.2.3.51  192.168.3.5  1.2.3.50  Gateway 1.2.3.49

Hopefully my crude ASCII art above stays intact.

The Sonicwall has a WAN NIC and LAN NIC. Both are connected behind my firewall on the LAN side so I can monitor all the traffic. I used bridging on the firewall to fool the Sonicwall into believing it was directly connected to the Internet and this worked up until the most recent Fedora upgrade. With the latest kernel, bridging now breaks other things I need and it's been suggested I try proxy ARP instead.

So I did. On the firewall, I do:

    ip neigh add proxy 1.2.3.51 dev em1
    ip route add 1.2.3.51/32 dev em3

The idea is, I will answer ARP requests in proxy if anyone on the Internet side asks about the MAC Address for that Sonicwall. And then I should forward to the Sonicwall because I have a route that says to do so.

From everything I can find, this is all I should need - it should just somehow work after this. But it doesn't. When the Sonicwall tries to ping the gateway at 1.2.3.49, it times out. Watching with tcpdump on my firewall, I see the echo request come in on em3 and then it dies.

So I set the Sonicwall to use me as its gateway instead of the router at 1.2.3.49, and for a few seconds, it all worked as expected. Then everything went silent again. A few hours later, I rebooted the Sonicwall and all worked again for a few seconds and then died again. Go figure.

But now, watching with tcpdump, I see the echo request come in on em3 and out on em1. So far so good. The echo reply comes back in on em1 but then dies. I never forward the reply back out em3. I can drop all firewall rules and it still behaves this way, so it's not like I have some rule blocking it.

Finally, in an act of desperation, I did:

    ip addr add 1.2.3.56/28 dev em3

on the firewall and suddenly everything came alive. Packets flew up and down those VPN tunnels lightning fast and everyone can see everyone again. Apparently, I need an IP Address in the same subnet as the Sonicwall on the LAN side so I can forward packets to it.

So right now my firewall looks like this:

    LAN              Internet
    em3              em1
    192.168.3.5      1.2.3.50/28
    1.2.3.56/28      (and a bunch of others for NAT)

My question - am I playing with fire here? What's a better way to do this?

Thanks

- Greg Scott
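
The three pieces this message describes (a proxy ARP entry on em1, a /32 route out em3, and the address later added on em3) can be checked mechanically. The following is an added example, not part of the original post: it parses constructed `ip` output and reports, for each proxied address, whether the host route exists and whether the inside interface holds an address in a subnet covering it, which is the condition the poster observed made forwarding work. The function name `check_proxy_arp` and the report keys are assumptions for illustration.

```python
import ipaddress

# Constructed sample output (not captured from the poster's firewall), in the
# text layout of `ip neigh show proxy`, `ip -4 route show` and
# `ip -o -4 addr show`, using the addresses from the post.
NEIGH = "1.2.3.51 dev em1  proxy\n"
ROUTES = """default via 1.2.3.49 dev em1
1.2.3.48/28 dev em1 proto kernel scope link src 1.2.3.50
1.2.3.51 dev em3 scope link
192.168.3.0/24 dev em3 proto kernel scope link src 192.168.3.5
"""
ADDRS_BEFORE = """2: em1    inet 1.2.3.50/28 brd 1.2.3.63 scope global em1
3: em3    inet 192.168.3.5/24 brd 192.168.3.255 scope global em3
"""
ADDRS_AFTER = ADDRS_BEFORE + (
    "3: em3    inet 1.2.3.56/28 brd 1.2.3.63 scope global em3\n")


def _dev(tokens):
    """Return the interface name that follows the 'dev' keyword."""
    return tokens[tokens.index("dev") + 1]


def check_proxy_arp(neigh, routes, addrs):
    """Per proxied address, report which pieces of the post's setup exist."""
    host_routes = {}  # host address -> interface its /32 route points at
    for tok in (line.split() for line in routes.splitlines()):
        try:
            net = ipaddress.ip_network(tok[0], strict=False)
        except (IndexError, ValueError):
            continue  # blank line, "default", "unreachable", ...
        if net.prefixlen == 32 and "dev" in tok:
            host_routes[net.network_address] = _dev(tok)
    nic_nets = {}  # interface -> networks of the addresses assigned to it
    for tok in (line.split() for line in addrs.splitlines()):
        if len(tok) > 3 and tok[2] == "inet":
            nic_nets.setdefault(tok[1], []).append(
                ipaddress.ip_interface(tok[3]).network)
    report = {}
    for tok in (line.split() for line in neigh.splitlines()):
        if "proxy" not in tok or "dev" not in tok:
            continue
        host = ipaddress.ip_address(tok[0])
        inside = host_routes.get(host)  # None when no /32 route exists
        report[str(host)] = {
            "proxy_dev": _dev(tok),
            "route_dev": inside,
            "route_leaves_other_nic": inside not in (None, _dev(tok)),
            "inside_nic_has_subnet_addr": any(
                host in n for n in nic_nets.get(inside, [])),
        }
    return report
```

On a live system the three arguments would be the output of the corresponding `ip` commands; `ADDRS_BEFORE` and `ADDRS_AFTER` model the firewall before and after the `ip addr add 1.2.3.56/28 dev em3` step.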