Re: ip neigh proxy behavior

Linux Advanced Routing and Traffic Control

On 2012-07-10 00:30, Greg Scott wrote:
> Hello -
> 
> I have a situation with Sonicwall VPN device behind a Linux
> firewall/router, like this:
> 
> LAN             Sonicwall                 Linux
> 192.168.3.nn        VPN                 Firewall
> --------------+-----------+----------+-----------+-----Internet
>           LAN NIC    WAN NIC          em3        em1    1.2.3.48/28
>      192.168.3.95   1.2.3.51  192.168.3.5   1.2.3.50    Gateway 1.2.3.49
> 
> Hopefully my crude ASCII art above stays intact.
> 
> The Sonicwall has a WAN NIC and LAN NIC. Both are connected behind my
> firewall on the LAN side so I can monitor all the traffic.  I used
> bridging on the firewall to fool the Sonicwall into believing it was
> directly connected to the Internet and this worked up until the most
> recent Fedora upgrade. With the latest kernel, bridging now breaks other
> things I need and it's been suggested I try proxy ARP instead.
> 
> So I did.
> 
> On the firewall, I do:
> 
> ip neigh add proxy 1.2.3.51 dev em1
> ip route add 1.2.3.51/32 dev em3

Assuming 192.168 has a /24 prefix and you want to go the proxy "way",
I'd try:

LAN             Sonicwall                 Linux
192.168.3.nn        VPN                 Firewall
--------------+-----------+----------+-----------+-----Internet
          LAN NIC    WAN NIC          em3        em1    1.2.3.48/28
     192.168.3.95   1.2.3.51  192.168.0.2   1.2.3.50    Gateway 1.2.3.49
                 192.168.0.1          proxy 1.2.3.51

on firewall:

ip add add 1.2.3.50/28 dev em1
ip ro add default via 1.2.3.49 dev em1
ip neigh add proxy 1.2.3.51/32 dev em1
ip add add 192.168.0.2/24 dev em3 [scope link]
ip ro add 1.2.3.51/32 dev em3

on sonic:

ip add add 192.168.3.95/24 dev lan0 [scope link]
ip add add 1.2.3.51/32 dev wan0 scope global
ip add add 192.168.0.1/24 dev wan0 scope link
ip ro add default via 192.168.0.2 dev wan0 src 1.2.3.51

(of course, with wan0 replaced with the proper interface name)

If you want to avoid local address at wan0 for some reason:

ip ro add 192.168.0.0/24 dev wan0
instead of:
ip add add 192.168.0.1/24 dev wan0 scope link

If you do SNAT on em1, then you will likely want to avoid it
for src = 1.2.3.51 or alternatively through NOTRACK.

You might get away with 192.168.3.5 on em3, but then you will likely have
to set proxy arp for it on lan nic (with analogous purpose to em1) and
a route on wan nic.


Not sure what other things looked like (routing, addresses), so it's tough to
comment on the rest.
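As an added example that is not part of this reply or the thread: a POSIX shell script for the firewall side of the configuration the reply suggests above, with a check function that parses the text of `ip -4 neigh show proxy` and `ip -4 route show` to confirm the proxy entry sits on em1 and the /32 route leaves through em3. Interface names and addresses are the thread's (the 192.168.0.0/24 transit net is the reply author's suggestion); enabling net.ipv4.ip_forward is my addition, since the kernel only answers proxy ARP on behalf of a destination it forwards to. The sample state strings in the comments are constructed, not captured from the poster's box.

```shell
#!/bin/sh
# Added example, not from the thread: firewall side of the proxy-ARP setup
# suggested in the reply above, plus a check of the resulting kernel state.
# Names and addresses follow the thread; the ip_forward sysctl is an addition.

WAN_IF=em1;  WAN_ADDR=1.2.3.50/28;  WAN_GW=1.2.3.49
LAN_IF=em3;  LAN_ADDR=192.168.0.2/24
PROXIED=1.2.3.51   # Sonicwall WAN address that em1 must answer ARP for

# Print the firewall commands, one per line (executed only when APPLY=1).
firewall_cmds() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip addr add $WAN_ADDR dev $WAN_IF
ip route add default via $WAN_GW dev $WAN_IF
ip neigh add proxy $PROXIED dev $WAN_IF
ip addr add $LAN_ADDR dev $LAN_IF
ip route add $PROXIED/32 dev $LAN_IF
EOF
}

# check_state NEIGH_OUT ROUTE_OUT
#   NEIGH_OUT is the text of `ip -4 neigh show proxy` (constructed sample:
#   "1.2.3.51 dev em1 proxy"), ROUTE_OUT the text of `ip -4 route show`
#   (constructed sample: "1.2.3.51 dev em3 scope link").
#   Returns 0 only when the proxy entry is on the WAN interface and the /32
#   route leaves through the LAN interface. A proxy entry whose route points
#   back out the interface the ARP request arrived on is not answered, so
#   both halves are checked.
check_state() {
    neigh_out=$1
    route_out=$2
    printf '%s\n' "$neigh_out" | grep -q "^$PROXIED dev $WAN_IF proxy" || return 1
    printf '%s\n' "$route_out" | grep -q "^$PROXIED dev $LAN_IF" || return 1
    return 0
}

# Dry run by default: print the commands. With APPLY=1 (root required) run
# them and then verify the live state.
if [ "${APPLY:-0}" = 1 ]; then
    firewall_cmds | sh -e
    check_state "$(ip -4 neigh show proxy)" "$(ip -4 route show)" \
        && echo "proxy ARP for $PROXIED is in place" \
        || { echo "proxy ARP setup incomplete" >&2; exit 1; }
else
    firewall_cmds
fi
```

Run it without arguments to see the commands; `APPLY=1 sh script.sh` applies them and then checks the state. If SNAT is done on em1, the reply's point about exempting src 1.2.3.51 still applies and is not covered by this script; a POSTROUTING rule with `! -s 1.2.3.51` ahead of the SNAT rule is the usual way to do that.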