Hello,

Given the network map below, I am able to ping any ip on all networks from the linux box. However, from the cisco router, I cannot ping past eth1 on the linux box. The reverse is also true; I cannot ping past eth0 from a host on LAN. proxy-arp is enabled on the linux box and the route to a.b.c.0/24 is added to the cisco router. I haven't a clue why either way, I can only get to the far side of the linux box but no further.

On second thought, maybe this is not an application for proxy-arp. Your thoughts are appreciated.

            T1 to ISP
                |
                | /30 net
                |
        +----------------+
        |  cisco router  |
        +----------------+
                | FastEthernet0/0
                | a.b.c.1/28
                |
    (possible switch/hub here in future)
          (ip range = a.b.c.1-15)
                |
                | a.b.c.2/28
                | eth0
        +----------------+
        |                |
        |           eth1 |---a.b.c.16/24-public-net-----> LAN
        |                |     (ip range = a.b.c.16-255)
        |   linux box    |
        |           eth2 |---192.168.1.0/24-- *
        |                |     * (not relevant to discussion)
        +----------------+

David Koski
david@KosmosIsland.com

I am not sure what you mean by that but ifconfig shows the correct ip/netmask/broadcast for each ip. Did I miss something?

David

On Fri, 1 Feb 2002 23:27:28 -0500 "Admin Nplus" <admin@nplus.ca> wrote:
> did you tell the linux box what ip is where on what side ?
>
> ----- Original Message -----
> From: "David Koski" <david@kosmosisland.com>
> To: "LARTC" <lartc@mailman.ds9a.nl>
> Sent: Friday, February 01, 2002 5:41 PM
> Subject: [LARTC] proxy arp and routing

On Sat, 2 Feb 2002 10:19:13 +0100 Leen Besselink <leen@wirehub.nl> wrote:
> * David Koski (david@kosmosisland.com) wrote:
> > I am not sure what you mean by that but ifconfig shows the correct
> > ip/netmask/broadcast for each ip. Did I miss something?
>
> maybe you could show us the routing table(s) ?
> also did you turn on ip forwarding (/proc/sys/net/ipv4/ip_forward) ?

That would be tough because I had to revert back to get it back working. Currently, the public block is routed around the linux box instead of through it, just to keep it going. But it looked just as I would expect given the ifconfig and /etc/sysconfig/* settings.

I have a howto on an alternate method of proxy arp'ing. It uses identical assignments on eth0 and eth1 instead of using different netmasks. But it uses static routes. Maybe I'll try that. But I would still like to know why the other did not work. Is it possible that with the method I tried, proxy arp is not necessary and only interferes?

David

Sorry, yes. Forwarding is enabled.

David

On Sat, 2 Feb 2002 13:36:23 -0500 "Admin Nplus" <admin@nplus.ca> wrote:
> is ipforwarding enabled ?
> =1 ?
>
> ----- Original Message -----
> From: "David Koski" <david@kosmosisland.com>
> To: "LARTC" <lartc@mailman.ds9a.nl>
> Sent: Saturday, February 02, 2002 12:13 AM
> Subject: Re: [LARTC] proxy arp and routing

On Fri, Feb 01, 2002 at 02:41:49PM -0800, David Koski wrote:
> Given the network map below, I am able to ping any ip on all networks from the
> linux box. However, from the cisco router, I cannot ping past eth1 on the linux
> box. The reverse is also true; I cannot ping past eth0 from a host on LAN.
> proxy-arp is enabled on the linux box and the route to a.b.c.0/24 is added to
> the cisco router. I haven't a clue why either way, I can only get to the far
> side of the linux box but no further.

I do not care about your ascii art, just about the following:

    ip route show
    /proc/sys/net/ipv4/conf/eth[012]/proxy_arp
    /proc/sys/net/ipv4/conf/eth[012]/rp_filter
    /proc/sys/net/ipv4/ip_forward

1) proxy_arp must be set to 1
2) rp_filter: you might start with 0
3) ip_forward should be set to 1
4) all routes must be sane:

    ip route add a.b.c.0/28 dev eth0
    ip route add a.b.c.0/24 dev eth1
    ip route add 192.168.1.0/24 dev eth2
    ip route add default via a.b.c.1

Then you should be able to arp-ping the whole world from anywhere inside your network.

--
<ard@telegraafnet.nl> Telegraaf Elektronische Media http://wwwijzer.nl
http://leerquoten.monster.org/ http://www.faqs.org/rfcs/rfc1855.html
Let your government know you value your freedom. Sign the petition: http://petition.eurolinux.org/
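
Added example, not part of the thread and not any poster's script: a POSIX shell audit of the three kernel settings in the checklist above, reported per interface. The PROC_ROOT argument and the sample tree are assumptions made so it runs offline; rp_filter is only warned about, because 0 switches off reverse-path source validation and the reply offers it as a value to start with.

```shell
#!/bin/sh
# Added example: audit the checklist knobs for a proxy-ARP gateway.
# PROC_ROOT is an assumed parameter so the check can run on a constructed tree.
# Usage: audit_proxy_arp PROC_ROOT IFACE...   (live system: PROC_ROOT=/proc)

knob() {    # print a knob's value, or "missing" when the file is unreadable
    if [ -r "$1" ]; then cat "$1"; else echo missing; fi
}

audit_proxy_arp() {
    net="$1/sys/net/ipv4"; shift
    bad=0
    fwd=$(knob "$net/ip_forward")
    if [ "$fwd" = 1 ]; then echo "ok   ip_forward=1"
    else echo "FAIL ip_forward=$fwd (want 1)"; bad=$((bad + 1)); fi
    all_pa=$(knob "$net/conf/all/proxy_arp")
    all_rp=$(knob "$net/conf/all/rp_filter")
    for ifc in "$@"; do
        # proxy_arp is active when conf/all or conf/<if> is 1.
        pa=$(knob "$net/conf/$ifc/proxy_arp")
        if [ "$pa" = 1 ] || [ "$all_pa" = 1 ]; then echo "ok   $ifc proxy_arp on"
        else echo "FAIL $ifc proxy_arp=$pa (want 1)"; bad=$((bad + 1)); fi
        # Current kernels use max(conf/all, conf/<if>) for rp_filter, so a
        # per-interface 0 has no effect while conf/all is 1 or 2.
        eff=$(knob "$net/conf/$ifc/rp_filter")
        [ "$all_rp" -gt "$eff" ] 2>/dev/null && eff=$all_rp
        if [ "$eff" = 0 ]; then echo "ok   $ifc rp_filter off"
        else echo "WARN $ifc effective rp_filter=$eff (checklist starts at 0)"; fi
    done
    return "$bad"
}

# Constructed sample tree, not data from the thread: eth1 has proxy_arp off
# and conf/all/rp_filter=1 overrides the per-interface 0.
make_sample() {
    d=$(mktemp -d); n="$d/sys/net/ipv4"
    for i in all eth0 eth1; do
        mkdir -p "$n/conf/$i"
        echo 0 > "$n/conf/$i/proxy_arp"; echo 0 > "$n/conf/$i/rp_filter"
    done
    echo 1 > "$n/ip_forward"; echo 1 > "$n/conf/eth0/proxy_arp"
    echo 1 > "$n/conf/all/rp_filter"
    echo "$d"
}

sample=$(make_sample)
audit_proxy_arp "$sample" eth0 eth1 || echo "deviations: $?"
rm -rf "$sample"
```

The return status is the number of FAIL lines, so the function can gate a change script; routes are not checked here and still need `ip route show`.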

On Mon, 4 Feb 2002 15:59:44 +0100 Ard van Breemen <ard@telegraafnet.nl> wrote:
> On Fri, Feb 01, 2002 at 02:41:49PM -0800, David Koski wrote:
> > Given the network map below, I am able to ping any ip on all networks from the
> > linux box. However, from the cisco router, I cannot ping past eth1 on the linux
> > box. The reverse is also true; I cannot ping past eth0 from a host on LAN.
> > proxy-arp is enabled on the linux box and the route to a.b.c.0/24 is added to
> > the cisco router. I haven't a clue why either way, I can only get to the far
> > side of the linux box but no further.
>
> I do not care about your ascii art, just about the following:
> ip route show
> /proc/sys/net/ipv4/conf/eth[012]/proxy_arp
> /proc/sys/net/ipv4/conf/eth[012]/rp_filter
> /proc/sys/net/ipv4/ip_forward
> 1) proxy_arp must be set to 1
> 2) rp_filter: you might start with 0
> 3) ip_forward should be set to 1
> 4) all routes must be sane:
> ip route add a.b.c.0/28 dev eth0
> ip route add a.b.c.0/24 dev eth1
> ip route add 192.168.1.0/24 dev eth2
> ip route add default via a.b.c.1
>
> Then you should be able to arp-ping the whole world from anywhere inside
> your network.

You did not mention:

    /proc/sys/net/ipv4/conf/eth[012]/forwarding

It is set to 1 also. The only difference I have with your settings above is rp_filter. I'll change it to 0 and see what happens.

Since the settings were reverted back and I don't have access to it right now, I cannot dump the routing table. But it was verified to be correct and consistent with the above settings.

Thank you,
David Koski
david@KosmosIsland.com