Re: proxy arp problems...


Mike Benoit wrote:

> I'm working on setting up a firewall for my local LAN. We will be using VoIP 
> applications extensively, so ip-masquerading unfortunately won't cut it. So 
> I'm trying to figure out how to set up a firewall. I have 30 external (real) 
> IPs, and about 25 client machines. So our ISP doesn't have to get involved, 
> I figured I would use proxy arp to take care of incoming packets, and NAT 
> for outgoing.
> 
> Here is what I'm doing in regards to proxy arp:
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
> arp -Ds 207.102.201.189 eth1 pub -v

The last line should be unnecessary if you have the second, and you
have the necessary routes (which you need anyway).

> [root@firewall /root]# arp -an
> ? (207.102.201.189) at * PERM PUP on eth1
> 
> [root@firewall /root]# cat /proc/net/arp
> 207.102.201.189  0x1         0xc         00:00:00:00:00:00     *        eth1
> 
> This is weird, even though I specify the MAC address I want to use for arp 
> replies, it doesn't record this MAC address anywhere it seems. When I go to 
> a client machine and try to ping 207.102.201.189, then check the arp table 
> on that client,
> 
>   207.102.201.189       00-d0-b7-74-52-57     dynamic
> 
> I get the MAC address of eth0 on my firewall box. (It should be the MAC 
> address of eth1 on the firewall.. [external interface]) This also seems to 
> be the same for any IP I throw at it in the same subnet.

This strongly suggests that your clients are connected to eth0, not to
eth1. In which case:

a) any ARP entries which you specify for eth1 won't apply, and

b) there wouldn't be any point in returning eth1's MAC address, as
it's of no use on the segment which is connected to eth0.

> ie:
> 
> 207.102.201.161       00-d0-b7-74-52-57     dynamic
> 
> It makes no difference if I manually set arp table entries or not; it always 
> replies with the MAC address of eth0 on the firewall. Anyone know how I can 
> change this so it's replying with any MAC address I specify, or at least the 
> MAC address of eth1 like it's supposed to?

If the clients /are/ connected to eth0, then what you are asking for
is both impossible and pointless.

-- 
Glynn Clements <glynn@sensei.co.uk>
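A small diagnostic, added here as an example rather than anything posted in the thread, that applies Glynn's reasoning mechanically: it maps the MAC a client learned for a proxy-ARP'd address back to the firewall interface that owns it, so you can see which segment the client is actually on. The interface table is constructed sample data (eth0's MAC is the one quoted above; eth1's is made up), and the Windows-style `00-d0-b7-...` form is normalised to the Linux colon form before comparison.

```shell
#!/bin/sh
# Constructed sample: "interface mac" per line, as you could produce on the
# firewall with `ip -o link | awk '{print $2, $(NF-2)}'`. eth0's MAC is the
# one the client learned in the thread; eth1's MAC is an assumed value.
FIREWALL_MACS='eth0 00:d0:b7:74:52:57
eth1 00:d0:b7:aa:bb:cc'

# Lower-case a MAC and turn Windows-style dashes into colons so that
# "00-D0-B7-74-52-57" (client arp -a) matches "00:d0:b7:74:52:57" (Linux).
normalize_mac() {
    printf '%s\n' "$1" | tr '-' ':' | tr 'A-F' 'a-f'
}

# Print the firewall interface that owns the given MAC; exit 1 if none does.
iface_for_mac() {
    want=$(normalize_mac "$1")
    printf '%s\n' "$FIREWALL_MACS" | awk -v want="$want" '
        { m = tolower($2); gsub("-", ":", m)
          if (m == want) { print $1; found = 1; exit } }
        END { exit !found }'
}

# Compare the interface that actually answered the client's ARP request with
# the one the proxy-ARP entry was published on. A mismatch means the client
# sits on the other interface's segment, so the published entry cannot apply
# and that interface's MAC is the only one that would be useful there anyway.
diagnose() {
    learned_mac=$1
    published_iface=$2
    if ! actual=$(iface_for_mac "$learned_mac"); then
        echo "unknown: $learned_mac is not a MAC of any firewall interface"
        return 2
    fi
    if [ "$actual" = "$published_iface" ]; then
        echo "ok: ARP reply came from $published_iface as published"
        return 0
    fi
    echo "mismatch: reply came from $actual, so the client is on $actual's segment;"
    echo "          the entry published on $published_iface does not apply there"
    return 1
}

# The thread's case: client learned eth0's MAC, entry was published on eth1.
diagnose '00-d0-b7-74-52-57' eth1
```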

