Hello,

I have proxy ARP on eth3 with one host for testing. The proxy ARP host is 66.224.62.119. With the box configured with both ISPs (Comcast and T-1), proxy ARP breaks, and a tcpdump shows eth0 (66.224.62.118) arping for the DMZ host (66.224.62.119) without reply. However, the local network can access the DMZ host.

eth0: 66.224.62.118 is the T-1
eth2: dhcp is Comcast
eth1: local 10.194.79.0/24
eth3: 66.224.62.118 DMZ NIC
DMZ server: 66.224.62.119

Below is the external NIC dump.

I have tried putting the proxyarp option in /etc/shorewall/interfaces, on both eth0 and eth3. I have spent most of my time using /etc/shorewall/proxyarp. Which brings up a question: Shorewall puts "1" on the proxyarp DMZ interface only, not the external interface. I have however tried both, which makes no difference. With both ISPs configured there is local access only. The DMZ host cannot access the Internet, nor can the Internet access the DMZ host, and eth0 keeps arping for the MAC with no reply.

If I comment out the Comcast ISP in shorewall and shut down the DMZ NIC (eth3), proxy ARP works.

Any ideas?

Thanks
Mike

PS: the dump is with proxy ARP broken

[root@ns5 ~]# tcpdump -nevvi eth0 arp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:58:11.417716 00:50:bf:79:35:1a > Broadcast, ethertype ARP (0x0806), length 42: arp who-has 66.224.62.119 tell 66.224.62.118
10:58:13.242507 00:40:33:e3:cf:c3 > 00:60:49:80:24:46, ethertype ARP (0x0806), length 60: arp who-has 66.224.62.97 tell 66.224.62.100
10:58:13.243225 00:60:49:80:24:46 > 00:40:33:e3:cf:c3, ethertype ARP (0x0806), length 64: arp reply 66.224.62.97 is-at 00:60:49:80:24:46
10:58:14.911692 00:50:bf:79:35:1a > Broadcast, ethertype ARP (0x0806), length 42: arp who-has 66.224.62.119 tell 66.224.62.118

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Correction below:

If I comment out the Comcast ISP (eth2), not the DMZ, proxy ARP works.

Please ignore:
> and shut down the dmz nic (eth3) proxyarp works.

----- Original Message -----
From: "Mike Lander" <landers@lanlinecomputers.com>
To: "Shorewall" <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, November 22, 2006 12:07 PM
Subject: [Shorewall-users] Proxy Arp Breaks

> If I comment out the comcast Isp in shorewall
> and shut down the dmz nic (eth3) proxyarp works.
> Any ideas?
>
> Thanks
> Mike
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Mike Lander wrote:
> Correction below
> If I comment out the comcast Isp eth2 not dmz
> proxyarp works

At the very least, you need a high-priority routing rule that sends all traffic from 66.224.62.119 out of eth0.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
I tried this in /etc/shorewall/routerules; eth0 still arps with no answer??

#SOURCE          DEST             PROVIDER   PRIORITY
-                10.19.227.0/24   main       1000
66.224.62.119    0.0.0.0/0        atg        1000

Thanks
Mike
I also added this to routerules - no change in ARP:

-                66.224.62.119    atg        1000

Mike
Mike Lander wrote:
> I also added this to route rules---no change in arp
>
> -                66.224.62.119    atg        1000

That should actually be

-                66.224.62.119    main       1000
                                  ^
                                  |
The atg table doesn't have a route to 66.224.62.119

-Tom
>> I also added this to route rules---no change in arp
>>
>> -                66.224.62.119    atg        1000
>
> That should actually be
>
> -                66.224.62.119    main       1000
>
> The atg table doesn't have a route to 66.224.62.119
>
> -Tom

That did it. I had tried this at the start hours ago, but I had other misconfigurations. Now I can enjoy T-Day knowing I can get this going next week. When I install this firewall, all that's left is some VoIP QoS and it's done. I have seen some examples in posts on the list and on your site about VoIP. I thought I would experiment with some of those.

Thank you Tom
Happy Thanksgiving :<)
Mike Lander wrote:
>
> Happy Thanksgiving :<)
>

You too, Mike

-Tom