hi,
this may be off topic, but somewhat shorewall related. we've got the same setup as described here:
http://shorewall.net/ProxyARP.htm
just the eth1 is 172.16.20.1/24. but now I'd like to put a new machine into the privnet with ip: 172.16.20.2 (while there are a few others with public ip). is it possible? I assume I shouldn't have to put anything into shorewall's proxyarp file (just the old entries), but when I try to ping the firewall (172.16.20.1) from 172.16.20.2 and run a tcpdump on the firewall, I've got this:
-------------------------
# tcpdump -n -i eth1 host 172.16.10.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
17:07:01.763468 arp who-has 172.16.10.2 tell 172.16.10.1
17:07:02.763313 arp who-has 172.16.10.2 tell 172.16.10.1
17:07:04.763930 arp who-has 172.16.10.2 tell 172.16.10.1
-------------------------
and of course the problem: neither the new host can ping the firewall nor the firewall the new host.
what can be the problem?
thanks in advance.
yours.
--
Levente "Si vis pacem para bellum!"
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Farkas Levente wrote:
> hi,
> this may be off topic, but somewhat shorewall related. we've got the
> same setup as described here:
> http://shorewall.net/ProxyARP.htm
> just the eth1 is 172.16.20.1/24. but now I'd like to put a new machine
> into the privnet with ip: 172.16.20.2 (while there are a few others with
> public ip). is it possible? I assume I shouldn't have to put anything
> into shorewall's proxyarp file (just the old entries),

I don't know how many times I have to point this out but I'll do it again:

You can always eliminate Shorewall in simple cases like this by doing "shorewall clear" and testing again. Be sure to "shorewall start" after testing.

> but when I try to
> ping the firewall (172.16.20.1) from 172.16.20.2 and run a tcpdump on
> the firewall, I've got this:
> -------------------------
> # tcpdump -n -i eth1 host 172.16.10.2
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> 17:07:01.763468 arp who-has 172.16.10.2 tell 172.16.10.1
> 17:07:02.763313 arp who-has 172.16.10.2 tell 172.16.10.1
> 17:07:04.763930 arp who-has 172.16.10.2 tell 172.16.10.1
> -------------------------
> and of course the problem: neither the new host can ping the firewall
> nor the firewall the new host.
> what can be the problem?

Looks to me like a bad cable or hub/switch port. It appears that 172.16.10.2 isn't receiving from 172.16.10.1. You could, of course, confirm that by packet sniffing from 172.16.10.2. Or it could possibly be an incorrect netmask (255.255.255.255) on 172.16.10.2. Or it could be that there is a route to 172.16.10.1 out of another interface on 172.16.10.2. Or ...

As an aside -- most people get very frustrated when bringing up a configuration like you are attempting. Getting 172.16.10.2 to communicate with the other public servers on that LAN is a real challenge and you will run into some interesting problems. I don't recommend such a configuration and consequently have not documented how to do it.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
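The two checks Tom suggests (does the other side ever answer the ARP who-has, and is the new host carrying a /32 instead of the LAN prefix) can be scripted over the capture and over the address listing. The script below is an added example for this thread, not code from Tom, Levente or the Shorewall project. It assumes the old-style `tcpdump -n` text format shown in the post (`arp who-has X tell Y` / `arp reply X is-at MAC`) and the one-line `ip -o -4 addr show` format; the capture and address lines embedded in it are constructed for the demonstration (the reply line for 172.16.10.7 is invented so the unanswered host stands out against an answered one).

```shell
#!/bin/sh
# Added example (not from the thread): first-pass ARP-level triage for a host
# that cannot reach its gateway on the same LAN.

# Read `tcpdump -n` text on stdin and print "IP count" for every address that
# was asked for (arp who-has) but never produced an "arp reply ... is-at".
# Run it against a capture taken on the firewall (as in the post) or, as Tom
# suggests, on the new host itself to see whether the requests even arrive.
arp_unanswered() {
  awk '
    $2 == "arp" && $3 == "who-has" { asked[$4]++ }
    $2 == "arp" && $3 == "reply"   { answered[$4]++ }
    END {
      for (ip in asked)
        if (!(ip in answered)) print ip, asked[ip]
    }
  '
}

# Read `ip -o -4 addr show` text on stdin and print "dev addr/32" for every
# interface that carries a host-only netmask (255.255.255.255). Such an
# address has no on-link neighbours, so the host will not answer ARP for a
# peer it believes is not on its subnet.
host_only_prefixes() {
  awk '{
    for (i = 1; i <= NF; i++)
      if ($i == "inet" && $(i + 1) ~ /\/32$/) print $2, $(i + 1)
  }'
}

# Constructed sample capture: the three requests from the post plus an
# invented answered exchange for 172.16.10.7 so the contrast is visible.
SAMPLE_CAPTURE='17:07:01.763468 arp who-has 172.16.10.2 tell 172.16.10.1
17:07:02.763313 arp who-has 172.16.10.2 tell 172.16.10.1
17:07:03.100000 arp who-has 172.16.10.7 tell 172.16.10.1
17:07:03.100500 arp reply 172.16.10.7 is-at 00:16:3e:00:00:07
17:07:04.763930 arp who-has 172.16.10.2 tell 172.16.10.1'

# Constructed sample address listing (simplified `ip -o -4 addr show` output)
# in which eth0 has been misconfigured with a /32.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 172.16.10.2/32 scope global eth0
3: eth1    inet 192.168.1.2/24 scope global eth1'

# Stand-alone run: print the findings. On a real box replace the samples with
#   tcpdump -n -i eth1 arp | arp_unanswered      (let it run a few seconds)
#   ip -o -4 addr show | host_only_prefixes
echo "ARP targets that never replied (target count):"
printf '%s\n' "$SAMPLE_CAPTURE" | arp_unanswered
echo "Interfaces with a /32 address:"
printf '%s\n' "$SAMPLE_ADDRS" | host_only_prefixes
```

If the new host's own capture shows the `who-has` frames arriving but it sends no `is-at`, the cable and switch port are fine and the fault is on the host (netmask, a second interface owning the route to the gateway, or a local filter); if the frames never arrive, look at the layer below.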
On Tue, December 5, 2006 17:59, Tom Eastep wrote:
> I don't know how many times I have to point this out but I'll do it again:
>
> You can always eliminate Shorewall in simple cases like this by
> doing "shorewall clear" and testing again. Be sure to "shorewall start"
> after testing.

this is our real firewall so it's not that simple.

> Looks to me like a bad cable or hub/switch port. It appears that
> 172.16.10.2
> isn't receiving from 172.16.10.1. You could, of course, confirm that by
> packet
> sniffing from 172.16.10.2. Or it could possibly be an incorrect netmask
> (255.255.255.255) on 172.16.10.2. Or it could be that there is a route to
> 172.16.10.1 out of another interface on 172.16.10.2. Or ...
>
> As an aside -- most people get very frustrated when bringing up a
> configuration
> like you are attempting. Getting 172.16.10.2 to communicate with the other
> public servers on that LAN is a real challenge and you will run into some
> interesting problems. I don't recommend such a configuration and
> consequently
> have not documented how to do it.

ok so the full story: it's our dmz zone and the firewall is the real firewall. until now there are only public ip addresses in this zone. but now we would like to put in a new machine with virtualization. and for the dom0 (in xen terminology) or hardware node (in openvz) I'd like to give the private address, while the virtual servers on it use public addresses (to not waste our public ip addresses). so the hypervisor doesn't have to access any other machine in the network, just the firewall. I hope this clears up the setup. this machine worked in the internal lan and now we connected it to the dmz, after that this happened. I assume there is no hardware problem since if I ping the firewall from the new server and run the tcpdump _on_ the firewall then I've got the above result, so I assume there is at least ethernet level communication. but I'll check the hardware tomorrow.
yours.