From Jinquan Luo on Mon, 31 Jan 2000
Dear James,
I have been tring to set up Proxy ARP using the ARP commands in Linux (Red Hat 6.1), but they do not seem to work for me. I wonder if you would give me some advice as to how to fix the problem. Here is my problem.
I have a CISCO router that connects to the internet. From that ONE link comes into a hub. Two computers are connected to the hub. One of the computer is our bastion host which is our web server and mail host. The e-mail messages are immediately relayed to our internal network through the other computer, which is the firewall. So here is the setup:
The firewall has ip# xx.xx.xx.2, MAC 00:20:AF:A2:9E:58 The bastion host has xx.xx.xx.3
The Firewall has a second NIC which is connected to the internal network. So the e-mail also goes through it. Now The email received by the bastion host is forwarded to xx.xx.xx.149, which is a phony address. So I tried to arp .149 to the MAC of the firewall like:
arp -i eth0 xx.xx.xx.149 00:20:AF:A2:9E:58 pub.
This command doesn't look quite right to me. Try something a bit more like:
arp -i eth0 -Ds ${NETWORK} eth1 netmask ${NETMASK} pub
This example is taken right out of the ProxyARP mini-HOWTO (*)
(NOTE: the 2.2.x kernel doesn't allow the netmask option. Apparently you must issue a separate command for each of the intended IP addresses you which to publish. I don't know what the state of this will be for version 2.4. I've copied one of my more expert associates; perhaps he'll jump in with more info).
The command appears to work so the arp shows xx.xx.xx.149 MP eth0 as advertised. The firewall is functiong and does translate the .149 address into an internal number 192.168.1.52, which is our internal mail server. the problem is that if I ping xx.xx.xx.149 on the bastion host it show this:
$ ping mickey \PING mickey.tbc.com (xx.xx.xx.149): 56 data bytes --- mickey.xx.xx ping statistics --- 3 packets transmitted, 0 packets received, 100% packet loss.
In another window I have
$ tcpdump -n arp 12:33:06.979376 arp who-has xx.xx.xx.149 tell xx.xx.xx.3 12:33:07.969471 arp who-has xx.xx.xx.149 tell xx.xx.xx.3 12:33:08.969470 arp who-has xx.xx.xx.149 tell xx.xx.xx.3 3 packets received by filter 0 packets dropped by kernel.
This continues forever.
My Kernel routing table looks like this:
bash# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface xx.xx.xx.3 0.0.0.0 255.255.255.255 UH 0 0 0 eth0 xx.xx.xx.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 xx.xx.xx.1 0.0.0.0 UG 0 0 0 eth0
Apparently there is something missing in setup that ARP is not providing the right link_addr.
The arp command doesn't affect your routing tables.
When I added a static route such as:
route add -net xx.xx.xx.0 netmask 255.255.255.0 gw xx.xx.xx.2
[where xx.xx.xx.2 is the firewall]
then the tcpdump shows this : 12:40:52.120385 arp who-has xx.xx.xx.149 tell xx.xx.xx.2.
Apparently PROXY ARP is not working because it is not responding to requests.
Try reading the ProxyARP mini-HOWTO and using a command that's closer to their example.
Yes, you do need to make sure that the routing table on the proxyarp host has entries for both subnets.
I am really not sure what is wrong with my set-up. If you can spare a moment please take a look and give me some clues.
Thanks very much.
Jinquan
If this doesn't help, draw up an ASCII art diagram to help me figure it out. It takes along time to guess what you mean based on this text. Be sure to include the routing tables on each of the routers (and proxyarp hosts) and a sample routing table from representative non-router hosts on each subnet.
Usually the process of creating this diagram will make your problem obvious.
[
There's a reasonable example of such art in another message this
month, subject "Subnetting".
-- Heather. ]
1 | 2 | 3 | 5 | |||||
5 | 6 | 7 | 8 | 9 | ||||
10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | |
18 | 19 | 20 | 21 | 22 |