Scott Merrill
2002-Mar-06 15:32 UTC
[Shorewall-users] Strange Issue: False Duplicate IP conflicts
I installed my new Shorewall based belt-and-suspenders firewall configuration Monday evening, and the firewalling aspect worked like a charm! Thanks to Tom and the list for all the tremendous product and information.

I inherited the network here. It is, in a word, bizarre. There are twelve subnets funneled through an SGI Origin 2000. One of the physical segments shares two logical IP addressing schemes: 192.168.0.x/24 and 192.9.208.x/24. As soon as I plugged the new firewall in, clients on the 192.9.208.x subnet complained that they detected a duplicate IP conflict. They _each_ reported the MAC address of the new firewall as the computer conflicting with their IP. Renumbering the 192.9.208.x computers to use 192.168.0.x resolved the problem.

The firewall is _not_ proxy ARPing, but it is masq'ing the internal network to the internet. I'm stumped as to the cause of the problem - it all worked before (using a NetMax ipchains-based firewall) without the duplicate IP conflicts.

Can anyone explain to me why this would occur?

Cheers,
Scott
Tom Eastep
2002-Mar-06 16:14 UTC
[Shorewall-users] Strange Issue: False Duplicate IP conflicts
Scott,

If the firewall's interface whose MAC was involved didn't have an IP address for 192.9.208.x/24 or if the subnet mask associated with that address was incorrect (not 255.255.255.0), you could see those symptoms (although I would have thought that the proxy-arp flag for the interface would have needed to have been set).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

----- Original Message -----
From: "Scott Merrill" <smerrill@finelinegraphics.com>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, March 06, 2002 7:32 AM
Subject: [Shorewall-users] Strange Issue: False Duplicate IP conflicts

> I installed my new Shorewall based belt-and-suspenders firewall
> configuration Monday evening, and the firewalling aspect worked like a
> charm! Thanks to Tom and the list for all the tremendous product and
> information.
>
> I inherited the network here. It is, in a word, bizarre. There are twelve
> subnets funneled through an SGI Origin 2000. One of the physical segments
> shares two logical IP addressing schemes: 192.168.0.x/24 and 192.9.208.x/24.
> As soon as I plugged the new firewall in, clients on the 192.9.208.x subnet
> complained that they detected a duplicate IP conflict. They _each_ reported
> the MAC address of the new firewall as the computer conflicting with their
> IP. Renumbering the 192.9.208.x computers to use 192.168.0.x resolved the
> problem.
>
> The firewall is _not_ proxy ARPing, but it is masq'ing the internal network
> to the internet. I'm stumped as to the cause of the problem - it all worked
> before (using a NetMax ipchains-based firewall) without the duplicate IP
> conflicts.
>
> Can anyone explain to me why this would occur?
>
> Cheers,
> Scott
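
The three conditions named in the reply above (no address in 192.9.208.x/24, a mask other than 255.255.255.0, the proxy-arp flag) can be checked mechanically. The following is an added example, not part of the original thread or of Shorewall; the interface name eth1, the .254 host address and the sample `ip -o -4 addr show` output are constructed assumptions.

```python
import ipaddress

# Constructed sample: output of `ip -o -4 addr show dev eth1` on a firewall
# whose internal interface (assumed name eth1) carries only a 192.168.0.x address.
SAMPLE_IP_OUTPUT = """\
3: eth1    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth1
"""

# The two logical subnets that share one physical segment in the thread.
SEGMENT_SUBNETS = ["192.168.0.0/24", "192.9.208.0/24"]


def parse_addresses(ip_output):
    """Return the IPv4Interface objects found in `ip -o -4 addr show` output."""
    found = []
    for line in ip_output.splitlines():
        fields = line.split()
        if "inet" in fields:
            found.append(ipaddress.ip_interface(fields[fields.index("inet") + 1]))
    return found


def audit_interface(ip_output, subnets, proxy_arp_flag="0"):
    """List which of the conditions from the reply hold for this interface.

    proxy_arp_flag is the content of /proc/sys/net/ipv4/conf/<if>/proxy_arp.
    """
    addrs = parse_addresses(ip_output)
    findings = []
    for text in subnets:
        net = ipaddress.ip_network(text)
        inside = [a for a in addrs if a.ip in net]
        if not inside:
            findings.append(f"no address in {net}")
        for a in inside:
            if a.network.prefixlen != net.prefixlen:
                findings.append(
                    f"{a.with_prefixlen}: mask is {a.netmask}, expected {net.netmask}"
                )
    if proxy_arp_flag.strip() == "1":
        findings.append("proxy_arp is set")
    return findings


if __name__ == "__main__":
    for finding in audit_interface(SAMPLE_IP_OUTPUT, SEGMENT_SUBNETS):
        print(finding)
```

On a live host the first argument would be the real output of `ip -o -4 addr show dev <interface>` for the interface whose MAC the clients reported.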