Here's my setup:

   .224 \
   .225 --- DSL Modem --- ISP (.252)
   .226 /

I've got a DSL modem that bridges ethernet between three boxes here, and
everything else on the same subnet at the ISP side.

With the three boxes plugged into a hub, with the DSL modem, I can't do
aggregate bandwidth shaping, because there's no way for one box to know,
in relation to the other three, how much bandwidth it's using.

I decided to use proxy-arp, and put two of the boxes behind a 2.4 box
doing shaping:

   .225 \
         -- .224 -- DSL Modem -- ISP (.252)
   .226 /

And, following the HOWTO, proceeded to turn proxy_arp on for the left and
right interface on .224, which both had IP address .224.

I set the routes up so that .225/6 went to the left, and .128/25 went to
the right.

Everything seemed to work fine.

Except that my box started to answer ARP requests from and for everything
on the ISP's .128/25 subnet. So it caused lots of havoc.

The HOWTO assumes that you have a router of some sort between the proxy
ARP box and the ISP, so that ARP requests never traverse the router.

In my case, since it's a bridge, everything goes.

So I'm now looking for a way to advertise the ARP addresses for .225 and
.226 on the DSL modem (ISP facing side), without using proxy_arp.

I tried the following:

   ip neigh add dev <dsl-modem-facing-if> proxy .225
   ip neigh add dev <dsl-modem-facing-if> proxy .226

but the box doesn't answer ARP queries for those addresses.

If I do an:

   ip addr add dev eth3 .225
   arping -U -I eth3 -s .225 <some ISP address>
   ip addr del dev eth3 .225

I can then ping <some ISP address> for what looks to be a short
(undetermined) time before they stop responding. I'm assuming that my ARP
entry expires, and they no longer get a response to ARP probes for .225
or .226.

Anyone have any idea what I can do? I thought that "pub" ARP entries were
supposed to respond to ARP requests as long as the route doesn't travel
out the same interface the request came in on, but they don't seem to.

Would kernel ARPd support and running userspace 'arpd' help me any?

Any ideas appreciated!

-- 
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[toad.enfusion-group.com] up 5 days, 4:00, 13 users
On Fri, Feb 22, 2002 at 11:11:44PM -0500, Adrian Chung wrote:

> Here's my setup:
>
>    .224 \
>    .225 --- DSL Modem --- ISP (.252)
>    .226 /
>
> I've got a DSL modem that bridges ethernet between three boxes here,
> and everything else on the same subnet at the ISP side.
>
> With the three boxes plugged into a hub, with the DSL modem, I can't
> do aggregate bandwidth shaping, because there's no way for one box to
> know in relation to the other three how much bandwidth it's using.
>
> I decided to use proxy-arp, and put two of the boxes behind a 2.4 box
> doing shaping:
>
>    .225 \
>          -- .224 -- DSL Modem -- ISP (.252)
>    .226 /
>
> And, following the HOWTO, proceeded to turn proxy_arp on for the left
> and right interface on .224 which both had IP address .224.
>
> I set the routes up so that .225/6 went to the left, and .128/25 went
> to the right.
>
> Everything seemed to work fine.
>
> Except that my box started to answer ARP requests from and for
> everything on the ISP's .128/25 subnet. So it caused lots of havoc.

Proxy ARP does require that you 'know' what's on the left and on the
right of your interface. Hosts on the left shouldn't be asking for hosts
on the internet, they should be asking for the default gw.

> The HOWTO assumes that you have a router of some sort between the
> proxy ARP box and the ISP, so that ARP requests never traverse the
> router.

If an ARP traverses the router, it's not a router, but a bridge :-)

> In my case, since it's a bridge, everything goes.

Indeed.

> So I'm now looking for a way to advertise the ARP addresses for .225
> and .226 on the DSL modem (ISP facing side), without using proxy_arp.

I think you can tell a route to be public or not, so you could have
routes for which no ARPs are sent out, even though proxy arp is on.
Check the ip documentation (it's a TeX file that is mentioned in the
HOWTO somewhere).

Regards,

bert

-- 
http://www.PowerDNS.com      Versatile DNS Software & Services
http://www.tk                the dot in .tk
http://lartc.org       Linux Advanced Routing & Traffic Control HOWTO
On Sun, Feb 24, 2002 at 10:33:25AM +0100, bert hubert wrote:

> On Fri, Feb 22, 2002 at 11:11:44PM -0500, Adrian Chung wrote:
> > Here's my setup:
> >
> >    .224 \
> >    .225 --- DSL Modem --- ISP (.252)
> >    .226 /

I've changed my setup slightly:

                          DSL modem --- ISP (.128/25)
                         /
   .226 -- .224-FW-.224 --
                         \
                          .225

I've altered the routes so that only .226 is routed to the left iface.

Here's the weirdness. With a publishing ARP entry and proxy_arp set to
'0' on the right hand iface, .225 can resolve ARP queries for .226
without any problem every time. It always gets .224's MAC address. This
is good!

But, nothing at .128/25 seems to be able to reply to .226. When I ping
from .226 to say, .195, or even .252 which is the default gateway, I get
no response. I don't even see ARP queries from those boxes.

If I do an unsolicited ARPing to one of those boxes though, I can then
ping them from .226 for a short time, and I see ARP requests from those
boxes which are answered by my FW. After a couple minutes, they stop
responding, and I never see any ARP requests for .226 again. All is fine
if I do another unsolicited ARP.

My understanding is that if .195, .252 had an ARP entry in their cache
still for .226, they would use it, and send out another request to make
sure it's still valid. If they don't have an entry, I would have assumed
they should have ARP'd for one again.

Anyways, I'm stumped!

-- 
Adrian Chung (adrian at enfusion-group dot com)
On Fri, Feb 22, 2002 at 11:11:44PM -0500, Adrian Chung wrote:

> I've got a DSL modem that bridges ethernet between three boxes here,
> and everything else on the same subnet at the ISP side.
>
> With the three boxes plugged into a hub, with the DSL modem, I can't
> do aggregate bandwidth shaping, because there's no way for one box to
> know in relation to the other three how much bandwidth it's using.
>
> I decided to use proxy-arp, and put two of the boxes behind a 2.4 box
> doing shaping:
>
>    .225 \
>          -- .224 -- DSL Modem -- ISP (.252)
>    .226 /
>
> And, following the HOWTO, proceeded to turn proxy_arp on for the left
> and right interface on .224 which both had IP address .224.
>
> I set the routes up so that .225/6 went to the left, and .128/25 went
> to the right.
>
> Everything seemed to work fine.
>
> Except that my box started to answer ARP requests from and for
> everything on the ISP's .128/25 subnet. So it caused lots of havoc.

Ehhh, so you did not set up a default gateway at .225 and .226.
That's your problem.

> The HOWTO assumes that you have a router of some sort between the
> proxy ARP box and the ISP, so that ARP requests never traverse the
> router.

Yep and no. It assumes you have a default gateway, which usually is a
local router, but it can also be the router of the ISP. So your problem
is .225, and .226 not arping for the ISP address. There is nothing
wrong with the remainder of your setup.

> In my case, since it's a bridge, everything goes.

Yes, and in the normal situation you would have .252 as a default gateway.

TROUBLE SHOOTING FAQ:
If you see a large amount of arps, and a large growing neighbour table,
you definitely have forgotten the default gateway.

-- 
<ard@telegraafnet.nl> Telegraaf Elektronische Media
http://wwwijzer.nl http://leerquoten.monster.org/
http://www.faqs.org/rfcs/rfc1855.html
Let your government know you value your freedom. Sign the petition:
http://petition.eurolinux.org/
On Sun, Feb 24, 2002 at 09:06:24PM +0100, Ard van Breemen wrote:

> On Fri, Feb 22, 2002 at 11:11:44PM -0500, Adrian Chung wrote:
> > I've got a DSL modem that bridges ethernet between three boxes here,
> > and everything else on the same subnet at the ISP side.
> >
> > With the three boxes plugged into a hub, with the DSL modem, I can't
> > do aggregate bandwidth shaping, because there's no way for one box to
> > know in relation to the other three how much bandwidth it's using.
> >
> > I decided to use proxy-arp, and put two of the boxes behind a 2.4 box
> > doing shaping:
> >
> >    .225 \
> >          -- .224 -- DSL Modem -- ISP (.252)
> >    .226 /
> >
> > And, following the HOWTO, proceeded to turn proxy_arp on for the left
> > and right interface on .224 which both had IP address .224.
> >
> > I set the routes up so that .225/6 went to the left, and .128/25 went
> > to the right.
> >
> > Everything seemed to work fine.
> >
> > Except that my box started to answer ARP requests from and for
> > everything on the ISP's .128/25 subnet. So it caused lots of havoc.
>
> Ehhh, so you did not set up a default gateway at .225 and .226.
> That's your problem.

.226 and .225 have a default gateway set, and they resolve its MAC
address fine, (as .224's left hand iface).

So that's not my problem.

Plus, as I explained, it's not .226 and .225 getting to machines on
the .128/25 subnet that's the problem, it's the fact that .128/25
can't seem to see .226 and .225.

> > The HOWTO assumes that you have a router of some sort between the
> > proxy ARP box and the ISP, so that ARP requests never traverse the
> > router.
>
> Yep and no. It assumes you have a default gateway, which usually is a
> local router, but it can also be the router of the ISP. So your problem
> is .225, and .226 not arping for the ISP address. There is nothing
> wrong with the remainder of your setup.

They ARP successfully for it, but for some reason the ISP machines on
.128/25 won't ARP for .225 or .226... But they do for a short period
of time if I send an unsolicited ARP request/reply to them.

After about 3 minutes, they stop responding once again, and I never
see ARP requests/replies from them for .225 or .226.

It's strange.

> > In my case, since it's a bridge, everything goes.
>
> Yes, and in the normal situation you would have .252 as a default gateway.

Which I do, on both .225, .226 and .224. And proper routes on .224
pointing .226 and .225 left, and .252, .128/25 right.

I'm not sure what ARP requests I was answering for, because I didn't
see the ARP cache. But apparently there were 30-40 ARP entries at the
ISP router end that all had my MAC address attached.

-- 
Adrian Chung (adrian at enfusion-group dot com)
On Sun, Feb 24, 2002 at 03:49:26PM -0500, Adrian Chung wrote:

> On Sun, Feb 24, 2002 at 09:06:24PM +0100, Ard van Breemen wrote:
>
> .226 and .225 have a default gateway set, and they resolve its MAC
> address fine, (as .224's left hand iface).
>
> So that's not my problem.

Ok. Was going for the obvious. :)

> Plus, as I explained, it's not .226 and .225 getting to machines on
> the .128/25 subnet that's the problem, it's the fact that .128/25
> can't seem to see .226 and .225.

Wait a minute, just remembered something: usually isp routers will arp
about each 30 minutes. That's because those Ciscos probably do not have
that much cpu capacity...

> > > The HOWTO assumes that you have a router of some sort between the
> > > proxy ARP box and the ISP, so that ARP requests never traverse the
> > > router.
> >
> > Yep and no. It assumes you have a default gateway, which usually is a
> > local router, but it can also be the router of the ISP. So your problem
> > is .225, and .226 not arping for the ISP address. There is nothing
> > wrong with the remainder of your setup.
>
> They ARP successfully for it, but for some reason the ISP machines on
> .128/25 won't ARP for .225 or .226... But they do for a short period
> of time if I send an unsolicited ARP request/reply to them.

Hmmm, weird... I think the old tcpdump should give us some hints.
Could you tcpdump your interfaces? That's something like

   tcpdump -n -e -i {theinterface} arp

or something like that.

Oh, and while you are at it:

   ip rule show
   ip route show
   ip addr show

from all the boxes if the tcpdump does not give the right hints.

> After about 3 minutes, they stop responding once again, and I never
> see ARP requests/replies from them for .225 or .226.

That sounds like a stale arp entry.

> It's strange.

Yep. BTW: you could try turning rp_filter off on the .224 box. If it
then works, then the routing is the problem. Arp request will also
follow the rp_filter...

> > > In my case, since it's a bridge, everything goes.
> >
> > Yes, and in the normal situation you would have .252 as a default gateway.
>
> Which I do, on both .225, .226 and .224. And proper routes on .224
> pointing .226 and .225 left, and .252, .128/25 right.
>
> I'm not sure what ARP requests I was answering for, because I didn't
> see the ARP cache. But apparently there were 30-40 ARP entries at the
> ISP router end that all had my MAC address attached.

That should be correct, since your ISP router expects a /26 (unless you
really meant /6...)... That's about 64 possible addresses to arp for.

-- 
<ard@telegraafnet.nl> Telegraaf Elektronische Media
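Ard's suggestion to tcpdump the ARP traffic, and the 30-40 entries at the ISP router that all carried .224's MAC, are exactly what the following added Python example (not from the thread) makes visible: it parses lines in the shape of `tcpdump -n -e arp` output and reports which IPs a given MAC answered for, which IPs drew replies from two different MACs (the proxy box shadowing a live host), and which requests nobody answered. The sample capture, the 192.0.2.0/24 addresses and the 00:00:5e:00:53:xx MACs are constructed (documentation ranges); only the last octets follow the thread.

```python
import re
from collections import defaultdict

# Line shapes printed by current `tcpdump -n -e arp` (the 2002-era wording
# was "arp who-has ... tell ..." / "arp reply ... is-at ..."; adjust if needed).
IP = r"\d+(?:\.\d+){3}"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
REPLY_RE = re.compile(rf"Reply (?P<ip>{IP}) is-at (?P<mac>{MAC})")
REQUEST_RE = re.compile(rf"Request who-has (?P<target>{IP}) tell (?P<sender>{IP})")

# Constructed capture on the ISP-facing side: .252 is the ISP router (..fc),
# ..e0 is the proxy-ARP box (.224), ..c3 is the real host at .195.
SAMPLE = """\
23:11:01.000001 00:00:5e:00:53:fc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.226 tell 192.0.2.252, length 28
23:11:01.000120 00:00:5e:00:53:e0 > 00:00:5e:00:53:fc, ethertype ARP (0x0806), length 42: Reply 192.0.2.226 is-at 00:00:5e:00:53:e0, length 28
23:11:02.000001 00:00:5e:00:53:fc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.195 tell 192.0.2.252, length 28
23:11:02.000130 00:00:5e:00:53:e0 > 00:00:5e:00:53:fc, ethertype ARP (0x0806), length 42: Reply 192.0.2.195 is-at 00:00:5e:00:53:e0, length 28
23:11:02.000300 00:00:5e:00:53:c3 > 00:00:5e:00:53:fc, ethertype ARP (0x0806), length 42: Reply 192.0.2.195 is-at 00:00:5e:00:53:c3, length 28
23:11:03.000001 00:00:5e:00:53:fc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.130 tell 192.0.2.252, length 28
23:11:03.000140 00:00:5e:00:53:e0 > 00:00:5e:00:53:fc, ethertype ARP (0x0806), length 42: Reply 192.0.2.130 is-at 00:00:5e:00:53:e0, length 28
23:11:04.000001 00:00:5e:00:53:fc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.225 tell 192.0.2.252, length 28
"""

def arp_claims(lines):
    """Map each MAC that sent an ARP reply to the set of IPs it claimed."""
    claims = defaultdict(set)
    for line in lines:
        m = REPLY_RE.search(line)
        if m:
            claims[m.group("mac")].add(m.group("ip"))
    return dict(claims)

def conflicting_ips(claims):
    """IPs answered by two different MACs: the proxy box is shadowing a live host."""
    owners = defaultdict(set)
    for mac, ips in claims.items():
        for ip in ips:
            owners[ip].add(mac)
    return {ip for ip, macs in owners.items() if len(macs) > 1}

def rogue_proxy_claims(claims, proxy_mac, allowed):
    """IPs the proxy-ARP box answered for beyond the hosts it is meant to front."""
    return sorted(claims.get(proxy_mac, set()) - set(allowed))

def unanswered_requests(lines):
    """Targets that were asked for but never answered (the ISP side not hearing a host)."""
    asked = {m.group("target") for m in map(REQUEST_RE.search, lines) if m}
    answered = {ip for ips in arp_claims(lines).values() for ip in ips}
    return asked - answered
```

Run it over a real capture with `lines = open("arp.txt")` and the allowed list set to the hosts the proxy box is meant to front; anything else in `rogue_proxy_claims` is the havoc Adrian described.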
On Fri, Feb 22, 2002 at 11:11:44PM -0500, Adrian Chung wrote:
[...]
>    .225 \
>          -- .224 -- DSL Modem -- ISP (.252)
>    .226 /

After what looks to be some reconfiguration at the ISP end, it seems to
be working this morning. I can ping boxes in the ISP subnet .128/25 with
no problems, and observe both ARP requests from .224 and replies on
behalf of .226 from .224.

It seems to be working fine. Thanks to all who had helpful suggestions!

-- 
Adrian Chung (adrian at enfusion-group dot com)