Hi,

I've got some trouble getting my proxy-arp setup going...

The Firewall is a xen DomU with 3 Interfaces:

eth0 => Lan (Bridge xenlan)
eth1 => Net (Bridge xennet)
eth2 => DMZ (Bridge xendmz)

My problem is that connections to & from the dmz - across the firewall,
do not work properly.
i.e. a http request is received by the server, but the client doesn't
get the reply.

It looks like the arp cache problem described in the documentation, but
the MAC addresses in request&reply are correct...

Is there any obvious error I made? Or can this problem be related to the
xen bridging?

Thanks!
Stephan
Stephan Wiedner wrote:
> Hi,
>
> I've got some trouble getting my proxy-arp setup going...
>
> The Firewall is a xen DomU with 3 Interfaces:
>
> eth0 => Lan (Bridge xenlan)
> eth1 => Net (Bridge xennet)
> eth2 => DMZ (Bridge xendmz)
>
> My problem is that connections to & from the dmz - across the firewall,
> do not work properly.
> i.e. a http request is received by the server, but the client doesn't
> get the reply.
>
> It looks like the arp cache problem described in the documentation, but
> the MAC addresses in request&reply are correct...
>
> Is there any obvious error I made? Or can this problem be related to the
> xen bridging?

It's probably the well-known Xen checksum error problem. Look at the
traffic with tcpdump using the -vv; do you see checksum errors on
packets leaving the DMZ? If so, consult the archives of this list, the
netfilter list and the Xen users list; this problem and the solution has
been discussed extensively.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Thursday, 27.04.2006, 06:53 -0700, Tom Eastep wrote:
> > My problem is that connections to & from the dmz - across the firewall,
> > do not work properly.
> > i.e. a http request is received by the server, but the client doesn't
> > get the reply.
> >
> > It looks like the arp cache problem described in the documentation, but
> > the MAC addresses in request&reply are correct...
> >
> > Is there any obvious error I made? Or can this problem be related to the
> > xen bridging?
>
> It's probably the well-known Xen checksum error problem. Look at the
> traffic with tcpdump using the -vv; do you see checksum errors on
> packets leaving the DMZ? If so, consult the archives of this list, the
> netfilter list and the Xen users list; this problem and the solution has
> been discussed extensively.
>
> -Tom

Hmmmm... I attached the output. All I see is 'tcp sum ok' - no errors.
The same on eth0...

Stephan
Tom Eastep wrote:
> Stephan Wiedner wrote:
>
>> Hi,
>>
>> I've got some trouble getting my proxy-arp setup going...
>>
>> The Firewall is a xen DomU with 3 Interfaces:
>>
>> eth0 => Lan (Bridge xenlan)
>> eth1 => Net (Bridge xennet)
>> eth2 => DMZ (Bridge xendmz)
>>
>> My problem is that connections to & from the dmz - across the firewall,
>> do not work properly.
>> i.e. a http request is received by the server, but the client doesn't
>> get the reply.
>>
>> It looks like the arp cache problem described in the documentation, but
>> the MAC addresses in request&reply are correct...
>>
>> Is there any obvious error I made? Or can this problem be related to the
>> xen bridging?
>>
>
> It's probably the well-known Xen checksum error problem. Look at the
> traffic with tcpdump using the -vv; do you see checksum errors on
> packets leaving the DMZ? If so, consult the archives of this list, the
> netfilter list and the Xen users list; this problem and the solution has
> been discussed extensively.
>
> -Tom
>

Hi Stephan and Tom,

I solved my checksum problem with:

ethtool -K eth0 tx off

You have to set it on both ends.

Greetings
Rainer
On Thursday, 27.04.2006, 16:15 +0200, Stephan Wiedner wrote:
> > It's probably the well-known Xen checksum error problem. Look at the
> > traffic with tcpdump using the -vv; do you see checksum errors on
> > packets leaving the DMZ? If so, consult the archives of this list, the
> > netfilter list and the Xen users list; this problem and the solution
> > has
> > been discussed extensively.
> >
> > -Tom
>
> Hmmmm... I attached the output. All I see is 'tcp sum ok' - no errors.
> The same on eth0...
>
> Stephan

Seems I missed something! After issuing the ethtool command it works...

Thanks!
Stephan
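Added here as an example, not code from the thread: a small POSIX shell script that automates the two steps the thread arrives at, counting packets that `tcpdump -vv` flags with a wrong checksum (Tom's diagnostic) and deriving Rainer's `ethtool -K <iface> tx off` command from the TX checksum offload line of `ethtool -k`. The tcpdump and ethtool outputs below are constructed samples, not Stephan's attachment, and the interface name eth2 is an assumption.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -vv` output (not the thread's attachment).
# The second line carries the "(incorrect -> ...)" marker that tcpdump
# prints when the TCP checksum on the wire does not verify; this is what
# a guest with TX checksum offloading enabled produces on the bridge.
SAMPLE_TCPDUMP='IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60) 192.0.2.10.45678 > 192.0.2.80.80: Flags [S], cksum 0x1a2b (correct), seq 1, win 5840
IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 60) 192.0.2.80.80 > 192.0.2.10.45678: Flags [S.], cksum 0x0000 (incorrect -> 0x3c4d), seq 2, ack 2, win 5792
IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 52) 192.0.2.10.45678 > 192.0.2.80.80: Flags [.], cksum 0x5e6f (correct), ack 3, win 46'

# Constructed sample of `ethtool -k eth2` output (interface name assumed).
SAMPLE_ETHTOOL='Offload parameters for eth2:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp segmentation offload: on'

# Count packets whose checksum tcpdump flagged as wrong. Older tcpdump
# versions print "bad cksum", newer ones "(incorrect -> 0x....)"; match both.
# Usage: count_bad_cksum "$(tcpdump -vv -nn -i eth2 -c 200 2>/dev/null)"
count_bad_cksum() {
    printf '%s\n' "$1" | awk '/bad cksum|\(incorrect/ {n++} END {print n+0}'
}

# Extract the tx-checksumming state ("on"/"off") from `ethtool -k` output.
# Usage: tx_checksum_state "$(ethtool -k eth2)"
tx_checksum_state() {
    printf '%s\n' "$1" | awk '/^tx-checksumming:/ {print $2}'
}

# Print the ethtool command from the thread when TX checksum offload is
# on for the interface; print nothing when it is already off. The command
# is only printed, not executed, so the operator can review it first.
fix_command() {
    iface=$1
    ethtool_out=$2
    if [ "$(tx_checksum_state "$ethtool_out")" = "on" ]; then
        printf 'ethtool -K %s tx off\n' "$iface"
    fi
}

# Walk-through on the constructed samples.
echo "checksum-flagged packets: $(count_bad_cksum "$SAMPLE_TCPDUMP")"
echo "tx-checksumming on eth2: $(tx_checksum_state "$SAMPLE_ETHTOOL")"
echo "suggested fix: $(fix_command eth2 "$SAMPLE_ETHTOOL")"
```

As Rainer notes, the offload setting has to be changed on both ends of the path, so run the check against each interface involved rather than only the DMZ one.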