Hello all.
Having a few troubles with ProxyARP - Despite being configured in what looks
to be a correct manner, my server is not responding to incoming ARP queries.
Take a look:
One machine (external to this entire network) pinging 67.159.49.180, a
client on my VPN interface, tun0:
seeds:~# ping 67.159.49.180
PING 67.159.49.180 (67.159.49.180) 56(84) bytes of data.
[no responses]
My firewall machine, which is configured to proxyarp traffic between eth0
and tun0 (see later for configs):
root@serv [/etc/openvpn]# tcpdump -i eth0 -n src 67.159.49.180 or dst 67.159.49.180
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:58:42.451208 arp who-has 67.159.49.180 tell 67.159.49.177
11:58:44.450829 arp who-has 67.159.49.180 tell 67.159.49.177
11:58:46.450709 arp who-has 67.159.49.180 tell 67.159.49.177
The output of 'arp -n' on the firewall machine:
root@serv [~]# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
67.159.44.1              ether   00:D0:01:1E:50:0A   C                     eth0
67.159.49.184            *       *                   MP                    eth0
67.159.49.185            *       *                   MP                    eth0
67.159.49.186            *       *                   MP                    eth0
67.159.49.187            *       *                   MP                    eth0
67.159.49.188            *       *                   MP                    eth0
67.159.49.189            *       *                   MP                    eth0
67.159.49.190            *       *                   MP                    eth0
67.159.49.179            *       *                   MP                    eth0
67.159.49.180            *       *                   MP                    eth0
67.159.49.181            *       *                   MP                    eth0
67.159.49.182            *       *                   MP                    eth0
67.159.49.183            *       *                   MP                    eth0
My ifconfig:
root@serv [~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:E0:4C:77:85:4A
inet addr:67.159.44.246 Bcast:67.159.44.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:4cff:fe77:854a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:60822 errors:0 dropped:0 overruns:0 frame:0
TX packets:3960 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4747174 (4.5 MiB) TX bytes:623330 (608.7 KiB)
Interrupt:169 Base address:0x6000
eth0:1 Link encap:Ethernet HWaddr 00:E0:4C:77:85:4A
inet addr:66.90.117.9 Bcast:66.90.117.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:169 Base address:0x6000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:116 errors:0 dropped:0 overruns:0 frame:0
TX packets:116 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12509 (12.2 KiB) TX bytes:12509 (12.2 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:67.159.49.178 P-t-P:67.159.49.178 Mask:255.255.255.240
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
(tun0 is handing out IPs to clients as .179, .180, etc)
I have been given a /28 by my ISP, giving me 13 usable IPs. I've handed all
but one of these out to my clients on tun0 (except for .178, which I'm using
for hosting DNS and other things the clients should use directly).
Interestingly, the machine complaining about the lack of arp is
67.159.49.177, which is one off the beginning of my range. Perhaps related
to the 'network', 'router', and 'broadcast' addresses of my IP range?
My proxyarp configuration:
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
# 67.159.49.178 tun0 eth0 no # commented out for tun0 ip use
67.159.49.179 tun0 eth0 no
67.159.49.180 tun0 eth0 no
67.159.49.181 tun0 eth0 no
67.159.49.182 tun0 eth0 no
67.159.49.183 tun0 eth0 no
67.159.49.184 tun0 eth0 no
67.159.49.185 tun0 eth0 no
67.159.49.186 tun0 eth0 no
67.159.49.187 tun0 eth0 no
67.159.49.188 tun0 eth0 no
67.159.49.189 tun0 eth0 no
67.159.49.190 tun0 eth0 no
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Can anyone figure out why a previously working configuration (it worked fine
last night!) would suddenly stop working? Why would my machine stop
responding to arp requests? Have I broken something, or
overlooked/misunderstood/misconfigured anything?
Any and all help will be greatly appreciated.
Thanks,
Jan
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Jan Mulders wrote:
> My firewall machine, which is configured to proxyarp traffic between eth0
> and tun0 (see later for configs):
> root@serv [/etc/openvpn]# tcpdump -i eth0 -n src 67.159.49.180 or dst 67.159.49.180
> [...]
> 11:58:42.451208 arp who-has 67.159.49.180 tell 67.159.49.177
> 11:58:44.450829 arp who-has 67.159.49.180 tell 67.159.49.177
> 11:58:46.450709 arp who-has 67.159.49.180 tell 67.159.49.177

From where I am, I can ping 67.159.49.177 and .178 only

> The output of 'arp -n' on the firewall machine:
> [arp -n output, as quoted above]

Can you ping .177 from the firewall?

> My ifconfig:
> [ifconfig output, as quoted above]
>
> (tun0 is handing out IPs to clients as .179, .180, etc)
>
> I have been given a /28 by my ISP, giving me 13 usable IPs. I've handed all
> but one of these out to my clients on tun0 (except for .178, which I'm using
> for hosting DNS and other things the clients should use directly).
>
> Interestingly, the machine complaining about the lack of arp is
> 67.159.49.177, which is one off the beginning of my range. Perhaps related
> to the 'network', 'router', and 'broadcast' addresses of my IP range?

What is .177? The router/gateway for the rest of the lan?

> My proxyarp configuration:
> [proxyarp file, as quoted above]
>
> Can anyone figure out why a previously working configuration (it worked
> fine last night!) would suddenly stop working? Why would my machine stop
> responding to arp requests? Have I broken something, or

arp cache maybe?

> overlooked/misunderstood/misconfigured anything?
>
> Any and all help will be greatly appreciated.

Maybe, need a better understanding of your layout.
.180's gateway is get to what?
What does ip route ls look like? Better yet how about a dump?

Jerry
I can't ping .177... Perhaps it's the broadcast address for my IP range: if
another machine can't find my mac address, it sends it to the broadcast
address which spams it out over my subnet?
root@serv [~]# ping 67.159.49.177
PING 67.159.49.177 (67.159.49.177) 56(84) bytes of data.
--- 67.159.49.177 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 4998ms
32/0.014 ms, pipe 2
I've tried flushing the arp cache on my machine, and I don't think it's an
issue with my ISP (why would .177 be arping if it was cached?).
My network diagram is along the lines of:
[a bunch of computers] - each with IP address 67.159.49.179-190, connected
via a vpn to tun0
|
|
[tun0 on my shorewall box] - 67.159.49.178 for convenience's sake
[shorewall with proxyarp between the two interfaces]
[eth0 on my shorewall box] - 67.159.44.246
|
[the wild internet] - where I've been assigned 44.246 for my server, and a
range of 13 usable addresses - 49.178 to 49.190.
Any bright ideas?
Thanks for the reply.
Jan
On 10/06/07, Jerry Vonau <jvonau@shaw.ca> wrote:
>
> Jan Mulders wrote:
> > [original post, as quoted above]
> > 11:58:42.451208 arp who-has 67.159.49.180 tell 67.159.49.177
> > 11:58:44.450829 arp who-has 67.159.49.180 tell 67.159.49.177
> > 11:58:46.450709 arp who-has 67.159.49.180 tell 67.159.49.177
>
> From where I am, I can ping 67.159.49.177 and .178 only
>
> > The output of 'arp -n' on the firewall machine:
> > [arp -n output, as quoted above]
>
> Can you ping .177 from the firewall?
>
> > Interestingly, the machine complaining about the lack of arp is
> > 67.159.49.177, which is one off the beginning of my range. Perhaps
> > related to the 'network', 'router', and 'broadcast' addresses of my IP range?
>
> What is .177? The router/gateway for the rest of the lan?
>
> > Can anyone figure out why a previously working configuration (it worked
> > fine last night!) would suddenly stop working? Why would my machine stop
> > responding to arp requests? Have I broken something, or
>
> arp cache maybe?
>
> > overlooked/misunderstood/misconfigured anything?
> >
> > Any and all help will be greatly appreciated.
>
> Maybe, need a better understanding of your layout.
> .180's gateway is get to what?
> What does ip route ls look like? Better yet how about a dump?
>
> Jerry
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
Oh, forgot a route dump:

root@serv [~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
67.159.49.182   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.183   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.180   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.181   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.179   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.190   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.188   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.189   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.186   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.187   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
66.90.117.9     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
67.159.49.184   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.185   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
66.90.117.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
67.159.44.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         67.159.44.1     0.0.0.0         UG    0      0        0 eth0
root@serv [~]#

.180's gateway should be .44.1 - the normal destination for my main eth0 IP
(according to my isp).

Thanks,

Jan

On 10/06/07, Jan Mulders <lastchancehotel@gmail.com> wrote:
>
> I can't ping .177... Perhaps it's the broadcast address for my IP range:
> if another machine can't find my mac address, it sends it to the broadcast
> address which spams it out over my subnet?
>
> [ping output, network diagram and the quoted earlier messages, as above]
>
> Any bright ideas?
>
> Thanks for the reply.
>
> Jan
Jan Mulders wrote:
> Oh, forgot a route dump:

I suspect that Jerry was asking for a 'shorewall dump'. I know that I won't
look at this problem until I have one in hand.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Jan Mulders wrote:
> I can't ping .177... Perhaps it's the broadcast address for my IP range: if
> another machine can't find my mac address, it sends it to the broadcast
> address which spams it out over my subnet?
>

If I can ping .177 and you can't, as a guess, it sounds like you're
missing a route to .177 (which is not in your route dump)

> root@serv [~]# ping 67.159.49.177
> PING 67.159.49.177 (67.159.49.177) 56(84) bytes of data.
>
> --- 67.159.49.177 ping statistics ---
> 6 packets transmitted, 0 received, 100% packet loss, time 4998ms
>
> I've tried flushing the arp cache on my machine, and I don't think it's an
> issue with my ISP (why would .177 be arping if it was cached?).
>
> My network diagram is along the lines of:
> [network diagram, as above]
> [the wild internet] - where I've been assigned 44.246 for my server, and a
> range of 13 usable addresses - 49.178 to 49.190.
>

.177 is no one of them, it should be on your subnet:

/sbin/shorewall ipcalc 67.159.49.177/28
CIDR=67.159.49.177/28
NETMASK=255.255.255.240
NETWORK=67.159.49.176
BROADCAST=67.159.49.191

Is that your isp's router? If not, what would it be?

A shorewall dump would be very useful here, and you may get others looking
also.

Jerry
After noting your observations regarding a lack of being able to ping .177,
I have successfully diagnosed that there was a missing route to this IP
address (because I was using a /24 netmask for my tun0 interface).

Some further investigation to try and obtain the right method of configuring
this whole thing with my current 'proper' range as pointed out by Jerry
(Thanks Jerry!) resulted in it working perfectly.
Here is my configuration, if anyone has the same problem in the future:
root@serv [/etc/shorewall]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:E0:4C:77:85:4A
inet addr:67.159.44.246 Bcast:67.159.44.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:4cff:fe77:854a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:267729 errors:0 dropped:0 overruns:0 frame:0
TX packets:70492 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17932961 (17.1 MiB) TX bytes:14432200 (13.7 MiB)
Interrupt:169 Base address:0x6000
eth0:1 Link encap:Ethernet HWaddr 00:E0:4C:77:85:4A
inet addr:66.90.117.9 Bcast:66.90.117.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:169 Base address:0x6000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:116 errors:0 dropped:0 overruns:0 frame:0
TX packets:116 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12521 (12.2 KiB) TX bytes:12521 (12.2 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:67.159.49.177 P-t-P:67.159.49.177 Mask:255.255.255.240
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:54 errors:0 dropped:0 overruns:0 frame:0
TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:3188 (3.1 KiB) TX bytes:2400 (2.3 KiB)
root@serv [/etc/shorewall]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.90.117.9     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
67.159.49.176   0.0.0.0         255.255.255.240 U     0      0        0 tun0
66.90.117.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
67.159.44.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
67.159.49.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         67.159.44.1     0.0.0.0         UG    0      0        0 eth0
I learned some more about routing and netmasks today, and about how not to
take ISPs ip range assignments for granted - thank you Tom and Jerry (no pun
intended)!
Regards,
Jan
On 10/06/07, Jerry Vonau <jvonau@shaw.ca> wrote:
>
> Jan Mulders wrote:
> > I can't ping .177... Perhaps it's the broadcast address for my IP range:
> > if another machine can't find my mac address, it sends it to the
> > broadcast address which spams it out over my subnet?
> >
>
> If I can ping .177 and you can't, as a guess, it sounds like you're
> missing a route to .177 (which is not in your route dump)
>
> > [ping output and network diagram, as quoted above]
> > [the wild internet] - where I've been assigned 44.246 for my server, and
> > a range of 13 usable addresses - 49.178 to 49.190.
> >
> .177 is no one of them, it should be on your subnet:
> /sbin/shorewall ipcalc 67.159.49.177/28
> CIDR=67.159.49.177/28
> NETMASK=255.255.255.240
> NETWORK=67.159.49.176
> BROADCAST=67.159.49.191
>
> Is that your isp's router? If not, what would it be?
>
> A shorewall dump would be very useful here, and you may get others
> looking also.
>
> Jerry
>
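The diagnosis in this thread came down to two things: Jerry's `shorewall ipcalc` showing that .177 belongs to the /28 (network .176, broadcast .191), and the fact that the firewall's routing table had no route covering it, so the kernel fell back to the default route instead of treating it as a neighbour. The script below is an added example written for this thread, not Shorewall code and not something anyone on the list posted. It parses `route -n` output the way the kernel would use it (longest-prefix match), embeds the two routing tables Jan posted (before and after the fix) as constructed sample input, and reports which hosts of the ISP-assigned 67.159.49.176/28 are only reachable through the default route. The name `routed_via_default` and the `Route` dataclass are the example's own; the ISP-assigned prefix is taken from the thread.

```python
"""Check whether every host of an assigned prefix has a connected or host
route, using `route -n` output and longest-prefix matching.

Added example for the Shorewall-users thread above; not Shorewall's code.
The two tables are the ones posted in the thread, before and after the fix.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# The block the ISP assigned (Jerry's ipcalc: network .176, broadcast .191).
ASSIGNED = "67.159.49.176/28"

# Constructed sample input: `route -n` as posted before the fix. One host
# route per VPN client, nothing for .177 or .178.
ROUTE_N_BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
67.159.49.182   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.183   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.180   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.181   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.179   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.190   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.188   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.189   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.186   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.187   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
66.90.117.9     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
67.159.49.184   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.185   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
66.90.117.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
67.159.44.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         67.159.44.1     0.0.0.0         UG    0      0        0 eth0
"""

# Constructed sample input: `route -n` as posted after the fix. The whole
# /28 is now a connected route on tun0.
ROUTE_N_AFTER = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.90.117.9     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
67.159.49.176   0.0.0.0         255.255.255.240 U     0      0        0 tun0
66.90.117.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
67.159.44.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
67.159.49.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         67.159.44.1     0.0.0.0         UG    0      0        0 eth0
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str   # "0.0.0.0" for a directly connected route
    iface: str


def ipcalc(cidr: str) -> Dict[str, str]:
    """The same three numbers `shorewall ipcalc` prints for a CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {"NETMASK": str(net.netmask),
            "NETWORK": str(net.network_address),
            "BROADCAST": str(net.broadcast_address)}


def parse_route_n(text: str) -> List[Route]:
    """Turn `route -n` output into Route objects (Destination+Genmask -> network)."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "Destination":
            continue  # title line, column header, or not a route row
        dest, gw, mask, *_flags_metric_ref_use, iface = cols
        routes.append(Route(ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface))
    return routes


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing `ip` wins."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def routed_via_default(routes: List[Route], prefix: str) -> List[str]:
    """Hosts of `prefix` whose best match is the default route (or nothing).

    These addresses are supposedly on a local link but the kernel would hand
    them to the upstream gateway instead. The box's own address shows up here
    too, because `route -n` does not print the kernel's local table."""
    net = ipaddress.ip_network(prefix, strict=False)
    missing = []
    for host in net.hosts():
        best = lookup(routes, str(host))
        if best is None or best.network.prefixlen == 0:
            missing.append(str(host))
    return missing


if __name__ == "__main__":
    print(ipcalc("67.159.49.177/28"))
    for label, table in (("before", ROUTE_N_BEFORE), ("after", ROUTE_N_AFTER)):
        routes = parse_route_n(table)
        print(label, "-> only default route for:", routed_via_default(routes, ASSIGNED))
```

Run against the "before" table, the check lists .177 (the ISP side of the /28) and .178 (the firewall's own tun0 address, which lives in the local table) as falling through to the default route; against the "after" table the list is empty, because the single 67.159.49.176/28 route on tun0 now covers all fourteen hosts and beats the 67.159.49.0/24 on eth0 by prefix length.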
Jan Mulders wrote:
> After noting your observations regarding a lack of being able to ping .177,
> I have successfully diagnosed that there was a missing route to this IP
> address (because I was using a /24 netmask for my tun0 interface).
>
> Some further investigation to try and obtain the right method of
> configuring this whole thing with my current 'proper' range as pointed out
> by Jerry (Thanks Jerry!) resulted in it working perfectly.
>
<snip>
> I learned some more about routing and netmasks today, and about how not to
> take ISPs ip range assignments for granted - thank you Tom and Jerry (no
> pun intended)!
>
> Regards,
>
> Jan
>

Glad you got it working now, isn't networking "fun"?

Jerry