--- On Thu, 11/20/08, Stephen Hemminger <shemminger@xxxxxxxxxx> wrote:

> From: Stephen Hemminger <shemminger@xxxxxxxxxx>
> Subject: Re: IP Aliasing: IPs Switched?
> To: "Lainee Scott" <laineescott@xxxxxxxxx>
> Cc: linux-net@xxxxxxxxxxxxxxx
> Date: Thursday, November 20, 2008, 11:52 AM
>
> On Thu, 20 Nov 2008 11:23:47 -0800 (PST)
> Lainee Scott <laineescott@xxxxxxxxx> wrote:
>
> > Hi. I recently inherited a 3-year-old FreeBSD box running a firewall/
> > load balancer. I attempted to replace it with an iptables-based firewall
> > running on openSuSE 10.3. I encountered the following issue. Any help
> > would be greatly appreciated.
> >
> > The machine has 2 physical NIC cards with the following IPs:
> >
> > Physical NIC 1:
> > ---------------
> > .11 (eth0)
> > .12 (eth0:1)
> > .13 (eth0:2)
> >
> > Physical NIC 2:
> > ---------------
> > 192.168.1.1
> >
> > Listening on .11 is DNS and on .12 is HTTP. .13 was the IP used by
> > developers to access machines inside the firewall. I didn't test this IP
> > extensively.
> >
> > After we replaced the old firewall with this new one, everything ran fine
> > for 10 hours. No issues. After 10 hours, however, everything seemed to
> > stop responding. As we dug in to investigate, it turned out that .11 was
> > now responding to HTTP traffic and .12 was responding for DNS - essentially
> > .11 and .12 had switched. We rebooted, tried a bunch of stuff, and the
> > system never went back to responding to requests properly. We eventually
> > fell back to the old machine.
> >
> > [We ruled out issues with iptables rules because the firewall ran fine for
> > 10 hours with no issues and we cut out a lot of rules while testing during
> > the period when the machine was not responding properly.]
> >
> > Physical NIC 1 is connected to a Cisco 2950 that services the public network.
> > Physical NIC 2 is connected to another Cisco 2950 that services our private
> > 192.168.1.0/24 network.
> >
> > I've built a test network and replicated almost everything. I cannot get
> > this issue to reproduce. The one part I could not replicate was the use of
> > 2 Cisco 2950s. I think I have a 2900/XL on the private network and some
> > NetGear for what would be the public network.
> >
> > I've been reading everything about ARP flux, ARP caches, IP aliasing and
> > related kernel config parameters, etc., but I can't seem to figure out where to
> > go next or get a definitive answer.
> >
> > Any help would be greatly appreciated!
> >
> > Thanks.
>
> Linux uses the weak host model, and BSD uses the strong host model.
> http://en.wikipedia.org/wiki/Host_model

Stephen, thanks for the reply. I appreciate any help at this point; I'm still a bit stumped.

I did the following:

# cd /proc/sys/net/ipv4/conf/
# find . -name rp_filter
./all/rp_filter
./default/rp_filter
./lo/rp_filter
./eth0/rp_filter
./eth1/rp_filter

cat-ing each file in the exact order shown above produces these rules:

1
0
0
0
0

rp_filter is set to 1 for all, 0 for the rest. I believe there are 3 settings for rp_filter: 0, 1, 2. Is 1 what you want to see it set to, to potentially address my issue? Should any of the settings above be changed?

Also, I did not explicitly add routes for the aliased interfaces like this:

/sbin/route add -host 172.16.3.10 dev eth0:0
/sbin/route add -host 172.16.3.100 dev eth0:1

(cut and pasted from this FAQ: http://www.faqs.org/docs/Linux-mini/IP-Alias.html)

Might this be the issue? Do I need to add these?

Thanks!
--
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
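An added example, not from the thread or any of its participants: a POSIX shell script that walks the same /proc/sys/net/ipv4/conf tree listed above and reports the value the kernel actually applies per interface, since current kernel documentation combines conf/all and conf/IFACE as max() for rp_filter, arp_ignore and arp_announce and as logical OR for arp_filter (so all/rp_filter=1 with eth0/rp_filter=0 is an effective 1 on eth0). Of these knobs only arp_filter, arp_ignore and arp_announce govern which interface answers ARP for a local address under the weak host model; rp_filter only validates the source address of received packets. CONF_ROOT is an assumed environment variable for pointing the script at a copied tree.

```shell
#!/bin/sh
# Added example: report the *effective* per-interface value of the sysctls that
# shape Linux's weak-host / ARP behaviour. Combining rules (kernel ip-sysctl.txt):
#   rp_filter, arp_ignore, arp_announce -> max(conf/all/KEY, conf/IFACE/KEY)
#   arp_filter                          -> 1 if conf/all/KEY or conf/IFACE/KEY is 1
# CONF_ROOT (assumed env var) lets you point it at a copied tree instead of /proc.

read_knob() {        # read_knob ROOT IFACE KEY -> value, or 0 if the file is absent
    f="$1/$2/$3"
    v=0
    [ -r "$f" ] && { read -r v < "$f" || true; }
    echo "${v:-0}"
}

effective_value() {  # effective_value ROOT IFACE KEY -> value the kernel applies
    a=$(read_knob "$1" all "$3")
    i=$(read_knob "$1" "$2" "$3")
    case "$3" in
        arp_filter)   # logical OR of the two flags
            if [ "$a" -eq 1 ] || [ "$i" -eq 1 ]; then echo 1; else echo 0; fi ;;
        *)            # max of the two values
            if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi ;;
    esac
}

audit() {            # audit ROOT -> one line per real interface, e.g. "eth0 rp_filter=1 ..."
    root="$1"
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        case "$iface" in all|default|lo) continue ;; esac   # pseudo-entries, not NICs
        line="$iface"
        for key in rp_filter arp_filter arp_ignore arp_announce; do
            line="$line $key=$(effective_value "$root" "$iface" "$key")"
        done
        echo "$line"
    done
}

# Only touch the live tree when it exists, so the script also loads elsewhere.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"
if [ -d "$CONF_ROOT" ]; then
    audit "$CONF_ROOT"
fi
```

Run it on the firewall as root, or copy the conf tree elsewhere with cp -r and set CONF_ROOT to the copy.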