Arien Monster
2003-Mar-25 05:09 UTC
[Shorewall-users] ProxyArping with massive packetloss...
Hi all,

I've used SW 1.2 before to set up a firewall with proxyarping, and it worked successfully. However, I've just set up a box with RH8.0, and the latest SW version (1.4.1a? - it's got the 'a' at the back), but the proxyarping doesn't work this time around. I'm kinda stumped as I thought it would be a jiffy to set up (the last set up had multiple subnets and it was pretty funky). This time around I've got a whole class C to play with and I would like to implement the same proxyarping as before.

eth0 is configured to my external IP, and eth1 is configured to an internal IP (exactly like the example by Tom - it's 192.168.2.1). I added one IP to the proxyarp file for testing purposes. The client machine has been set up following Tom's how-to. The bummer part is when I try to ping the eth0 or eth1 interface from the client machine, I get about 90% packetloss (unusable network *sniff*). Same goes when I ping the client machine from the firewall. So the packets are getting thru, but 90% goes to I-dunno-where.

Anybody have any clue? I'm stumped, and the beer I'm going to take after this won't be of much help. ;( I hope someone can shed some light on this...

Beerfully yours,
Ken.
Martinez, Mike (MHS-ACS)
2003-Mar-25 06:44 UTC
[Shorewall-users] ProxyArping with massive packetloss...
Ken,

Make sure that you clear all the arp caches on your network (routers, switches etc.) if you can. If your ISP owns the router and you can't clear the arp cache on that router then it may take several hours to clear. This typically causes a lot of problems until it clears.

Mike

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Tue, 25 Mar 2003, Arien Monster wrote:

> eth0 is configured to my external IP, and eth1 is
> configured to an internal IP (exactly like the example
> by Tom - it's 192.168.2.1). I added one IP to the
> proxyarp file for testing purposes. The client machine
> has been set up following Tom's how-to. The bummer
> part is when I try to ping the eth0 or eth1 interface
> from the client machine, I get about 90% packetloss
> (unusable network *sniff*). Same goes when I ping the
> client machine from the firewall. So the packets are
> getting thru, but 90% goes to I-dunno-where.
>

This is a network driver or hardware problem (cable, switch, etc.) -- it has absolutely nothing to do with Proxy ARP since communication between your client and the firewall doesn't involve proxy arp.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
On Tue, 25 Mar 2003, Tom Eastep wrote:

>
> This is a network driver or hardware problem (cable, switch, etc.) -- it
> has absolutely nothing to do with Proxy ARP since communication between
> your client and the firewall doesn't involve proxy arp.
>

I guess that I should modify that statement slightly -- in the case of pinging the external firewall interface, the client sends an ARP "who-has" for that address (since it is in the client's configured subnetwork). Once that ARP request has been answered and the result cached (MAC address is that of the firewall interface facing the client), Proxy ARP is out of the picture until the just-created cache entry expires. So if you suffer packet loss in the meantime, it has nothing to do with Proxy ARP (or any form of ARP for that matter).

Pinging the internal interface works basically the same way except that the client will ARP for its default gateway rather than for the firewall's external IP address (assuming that the two are different).

Temporarily reconfigure the client to have address 192.168.2.2 with gateway 192.168.2.1 and see if you don't get the same behavior. Once you have that working correctly then go back to the Proxy ARP configuration.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
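Tom's reasoning above, turned into a check (an added example, not part of the original thread): given one neighbour-table snapshot per ping, it separates loss that occurs while the ARP entry is resolved and stable (not an ARP problem) from loss caused by an unresolved or flapping entry. The `ip neigh show` line format, the client interface name `eth0`, the documentation-range MAC addresses and all sample data are assumptions constructed for illustration.

```python
import re

# One line of `ip neigh show`: "<ip> dev <if> [lladdr <mac>] [router] <STATE>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?"
    r"(?:\s+router)?\s+(?P<state>[A-Z]+)$"
)

def parse_neigh(text):
    """Return {ip: (mac or None, state)} for one neighbour-table snapshot."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            mac = m["mac"].lower() if m["mac"] else None
            table[m["ip"]] = (mac, m["state"])
    return table

def classify(samples, target):
    """samples: list of (neigh_text, ping_ok), one per ping sent to target."""
    macs, unresolved, lost_while_resolved = set(), 0, 0
    for text, ping_ok in samples:
        mac, state = parse_neigh(text).get(target, (None, "MISSING"))
        if mac is None or state in ("FAILED", "INCOMPLETE"):
            unresolved += 1
        else:
            macs.add(mac)
            if not ping_ok:
                lost_while_resolved += 1
    if len(macs) > 1:
        return "arp-conflict"    # more than one MAC answered for the address
    if lost_while_resolved:
        return "not-arp"         # cache entry stable, packets still lost
    if unresolved:
        return "arp-unresolved"  # nobody answered the who-has
    return "healthy"

# Constructed sample data (not captured from the poster's network).
GW = "192.168.2.1"
MAC_A = f"{GW} dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE"
MAC_B = f"{GW} dev eth0 lladdr 00:00:5e:00:53:02 REACHABLE"
UNRES = f"{GW} dev eth0  INCOMPLETE"

BAD_LINK = [(MAC_A, i == 0) for i in range(10)]   # 90% loss, MAC never changes
CONFLICT = [(MAC_A, True), (MAC_B, False), (MAC_A, True)]
NO_REPLY = [(UNRES, False)] * 3

if __name__ == "__main__":
    for name, s in [("bad link", BAD_LINK), ("conflict", CONFLICT),
                    ("no reply", NO_REPLY)]:
        print(name, "->", classify(s, GW))
```

The `BAD_LINK` case mirrors the symptom in this thread: the entry for 192.168.2.1 stays resolved to a single MAC while nine of ten pings are lost, which points at the driver, card, cable or switch rather than at ARP.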
Arien Monster
2003-Mar-26 03:02 UTC
[Shorewall-users] ProxyArping with massive packetloss...
Hola all,

many thanks to Mike and Tom for the help (side mention goes to the beer)!

Ok, firstly, I had some problems with the DLink cards I was using, so I switched them with 3Coms and voila! All was well and dandy. Only catch was the ARP cache on the ISP side. ;( Have to wait a bit for that to get updated. Other than that, all went well.

Thanks all!

Ken.
-more celebratory beer for me!

--- "Martinez, Mike (MHS-ACS)" <Mike.Martinez@mhs-helpdesk.com> wrote:

> Ken,
>
> Make sure that you clear all the arp caches on your
> network (routers, switches etc.) if you can. If your ISP owns the
> router and you can't clear the arp cache on that router then it may take
> several hours to clear. This typically causes a lot of problems until it clears.
>
> Mike