Janssen Alexander
2002-Nov-29 16:04 UTC
Weird problems with source-based routing, proxy_arp and the medium_id feature
Hello,
I have a firewall with lots of interfaces and want to use
the proxy_arp feature, but ran into problems with false
arp whois replies from the firewall.
What happens is that the inbound interface of the firewall
answers arp whois requests with its own MAC even on the
interface where the machines with those IPs live.
So, when the internal machines are connected to eth0 and
a dumb Windows machine boots, it first does an arp-whois
on its own IP on the network before it starts its NIC.
The firewall now _answers_ on its connected NIC with
its own MAC, an arp-whois-reply with its MAC. Windows is
now convinced that IP is already taken and refuses to
start its interface.
I really could see that in a tcpdump. I was thinking that
this shouldn't happen with the proxy-arp feature on a
directly connected interface (and never had that problem
with some other proxy-arped setups!), so I googled a bit
and found the newish medium_id feature. I'm not quite sure
if that solves my problem, but I tried it and it didn't
work.
More details:
Every workstation in the internal network has its own
routing table on the firewall. This is because the other
networks connected to the firewall sometimes use the same
IP ranges (customers using privately assigned IP addresses).
Each user on the internal net can now choose a new default
gateway in his own routing table (via a sudo script).
The firewall itself doesn't know about that; it itself
shouldn't be connected to any other networks except the
directly connected machines on its interfaces.
So what I do on the firewall, for example (see also chart),
when a workstation wants to reach the customer-connected Router1:
sysctl -w net.ipv4.conf.eth0.medium_id=1
sysctl -w net.ipv4.conf.eth1.medium_id=2
sysctl -w net.ipv4.conf.eth2.medium_id=3
sysctl -w net.ipv4.conf.eth3.medium_id=4
sysctl -w net.ipv4.conf.all.proxy_arp=1
sysctl -w net.ipv4.ip_forward=1
ip route add 10.1.56.222 dev eth1 # Router1
ip route add 10.1.56.193 dev eth0 # Workstation1
# every Workstation has its own table
ip rule add from 10.1.56.193 table 193
ip route add default via 10.1.56.222 dev eth1 table 193
In my understanding the firewall should not answer
arp-whois requests for IP 10.1.56.193 on interface eth0.
Or did I get it wrong?
The setup does work for Linux machines; they don't get
confused with the false arp-replies.
Another question, where I'm in doubt: can it cause
problems if I assign the same IP to all interfaces? I just
did it for simplicity and it may be a really dumb idea.
Uh, just for curiosity: according to IETF Standard 37
(http://www.faqs.org/rfcs/std/std37.html) only a machine
that really owns the IP is allowed to answer and send an
arp-whois-reply. I got some equipment (not proxy_arp
related) which answers on behalf of some machine. This
really sucks, since its arp-cache timeout is >6h. Anyone
heard about equipment like that? (It's an SMS-Center from
Comverse, GSM equipment)
Thanks for your patience and for your replies,
Cheers, Alex.
Aaahh: Using stock 2.4.20 with Netfilter patches applied.
My setup:

    Router1          Router2          Router3
 10.1.56.222/27   10.1.56.220/27   10.1.56.219/27    ... even
      |                |                |                more
      |                |                |                Routers...
      |                |                |
 ----------------------------------------------------
     eth1             eth2             eth3          ... more
 10.1.56.221/27   10.1.56.221/27   10.1.56.221/27       eths
                       Firewall
                    10.1.56.221/27
                         eth0
 ----------------------------------------------------
                          |
                          |
                 Rest of 10.1.56.192/27
                     Workstations
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Julian Anastasov
2002-Nov-29 22:50 UTC
Re: Weird problems with source-based routing, proxy_arp and the medium_id feature
Hello,

On Fri, 29 Nov 2002, Janssen Alexander wrote:

> ip route add 10.1.56.222 dev eth1 # Router1
> ip route add 10.1.56.193 dev eth0 # Workstation1
> # every Workstation has its own table
> ip rule add from 10.1.56.193 table 193
> ip route add default via 10.1.56.222 dev eth1 table 193
>
> In my understanding the firewall should not answer to
> arp-whois requests for IP 10.1.56.193 on interface eth0.
> Or did i get it wrong?

Yes. May be only one missing line to be happy with medium_id:

ip rule add prio 100 table main

Explanation: I see only the table for .193 but I assume there are
other similar tables; you have asymmetric routing configured when it
should not be in this way.

What happens: A and B are on same LAN, Host A resolves B:

who-has B tell A

firewall:
Q: I see probe "who-has B tell A" on dev X. Where points the route from A to B?
A: There is route "from A to 0/0 => Forward via DEV Y".

Well, X != Y, they have different medium_id values => answer this ARP probe on DEV X.

The problem is that you have routes in this order (ip rule show):

from A to 0/0 => DEV Y (table A)
from 0/0 to B => DEV X (table main)

You need to inspect the main table first.

Regards

--
Julian Anastasov <ja@ssi.bg>
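A constructed simulation of the lookup Julian describes, added here and not part of either post: the rule and route tables mirror the commands quoted above, and the proxy decision follows the 2.4 arp_fwd_proxy logic (reply only when the route for "from sender to target" leaves via another interface with a different medium_id). Reverse-path checks and the sip == 0 probe form are left out; the priorities 32765/32766 are the kernel defaults assumed for an unprioritised rule and for main.

```python
import ipaddress

# medium_id per interface, as set by the sysctls in the post
MEDIUM_ID = {"eth0": 1, "eth1": 2, "eth2": 3, "eth3": 4}

# Constructed tables: rules are (prio, from-prefix, table), routes are
# (table, dst-prefix, outgoing dev). "main" holds the connected host routes,
# table 193 is Workstation1's private table with its chosen default gateway.
ROUTES = [
    ("main", "10.1.56.222/32", "eth1"),   # Router1
    ("main", "10.1.56.193/32", "eth0"),   # Workstation1
    (193, "0.0.0.0/0", "eth1"),           # default via Router1 for Workstation1
]
RULES_AS_POSTED = [(32765, "10.1.56.193/32", 193), (32766, "0.0.0.0/0", "main")]
RULES_FIXED = [(100, "0.0.0.0/0", "main")] + RULES_AS_POSTED   # Julian's extra rule


def lookup(rules, routes, src, dst):
    """FIB lookup: walk rules by priority, longest-prefix match inside the
    selected table, fall through to the next rule if the table has no route."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, from_net, table in sorted(rules, key=lambda r: r[0]):
        if src not in ipaddress.ip_network(from_net):
            continue
        best = None
        for tbl, prefix, dev in routes:
            net = ipaddress.ip_network(prefix)
            if tbl == table and dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        if best is not None:
            return best[1]
    return None


def proxy_arp_answers(rules, routes, in_dev, sender, target):
    """Would the firewall answer 'who-has target tell sender' seen on in_dev?
    Route the pair sender -> target; a proxy reply is sent only if the route
    leaves through a different interface whose medium_id differs from in_dev's."""
    out_dev = lookup(rules, routes, sender, target)
    if out_dev is None or out_dev == in_dev:
        return False                # no route, or target is on the probe's own segment
    imi, omi = MEDIUM_ID.get(in_dev, 0), MEDIUM_ID.get(out_dev, -1)
    if imi == 0:
        return True                 # medium_id unset: classic proxy_arp, answer for any other dev
    return imi != -1 and omi not in (-1, imi)


if __name__ == "__main__":
    # Windows-style probe for its own address, seen on eth0
    print("as posted:", proxy_arp_answers(RULES_AS_POSTED, ROUTES, "eth0", "10.1.56.193", "10.1.56.193"))
    print("with main first:", proxy_arp_answers(RULES_FIXED, ROUTES, "eth0", "10.1.56.193", "10.1.56.193"))
```

With the rules as posted the per-workstation table is consulted first, so the probe routes out via eth1 and the firewall falsely answers; with main at prio 100 the connected route wins, no reply is sent, while proxy replies for the routers and the per-workstation default route still work.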