Hello all.

Having a few troubles with ProxyARP - Despite being configured in what looks to be a correct manner, my server is not responding to incoming ARP queries. Take a look:

One machine (external to this entire network) pinging 67.159.49.180, a client on my VPN interface, tun0:

seeds:~# ping 67.159.49.180
PING 67.159.49.180 (67.159.49.180) 56(84) bytes of data.
[no responses]

My firewall machine, which is configured to proxyarp traffic between eth0 and tun0 (see later for configs):

root@serv [/etc/openvpn]# tcpdump -i eth0 -n src 67.159.49.180 or dst 67.159.49.180
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:58:42.451208 arp who-has 67.159.49.180 tell 67.159.49.177
11:58:44.450829 arp who-has 67.159.49.180 tell 67.159.49.177
11:58:46.450709 arp who-has 67.159.49.180 tell 67.159.49.177

The output of 'arp -n' on the firewall machine:

root@serv [~]# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
67.159.44.1              ether   00:D0:01:1E:50:0A   C                     eth0
67.159.49.184            *       *                   MP                    eth0
67.159.49.185            *       *                   MP                    eth0
67.159.49.186            *       *                   MP                    eth0
67.159.49.187            *       *                   MP                    eth0
67.159.49.188            *       *                   MP                    eth0
67.159.49.189            *       *                   MP                    eth0
67.159.49.190            *       *                   MP                    eth0
67.159.49.179            *       *                   MP                    eth0
67.159.49.180            *       *                   MP                    eth0
67.159.49.181            *       *                   MP                    eth0
67.159.49.182            *       *                   MP                    eth0
67.159.49.183            *       *                   MP                    eth0

My ifconfig:

root@serv [~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:E0:4C:77:85:4A
          inet addr:67.159.44.246  Bcast:67.159.44.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fe77:854a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60822 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3960 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4747174 (4.5 MiB)  TX bytes:623330 (608.7 KiB)
          Interrupt:169 Base address:0x6000

eth0:1    Link encap:Ethernet  HWaddr 00:E0:4C:77:85:4A
          inet addr:66.90.117.9  Bcast:66.90.117.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:169 Base address:0x6000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:116 errors:0 dropped:0 overruns:0 frame:0
          TX packets:116 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12509 (12.2 KiB)  TX bytes:12509 (12.2 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:67.159.49.178  P-t-P:67.159.49.178  Mask:255.255.255.240
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

(tun0 is handing out IPs to clients as .179, .180, etc)

I have been given a /28 by my ISP, giving me 13 usable IPs. I've handed all but one of these out to my clients on tun0 (except for .178, which I'm using for hosting DNS and other things the clients should use directly).

Interestingly, the machine complaining about the lack of arp is 67.159.49.177, which is one off the beginning of my range. Perhaps related to the 'network', 'router', and 'broadcast' addresses of my IP range?

My proxyarp configuration:

#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
# 67.159.49.178 tun0       eth0      no         # commented out for tun0 ip use
67.159.49.179   tun0       eth0      no
67.159.49.180   tun0       eth0      no
67.159.49.181   tun0       eth0      no
67.159.49.182   tun0       eth0      no
67.159.49.183   tun0       eth0      no
67.159.49.184   tun0       eth0      no
67.159.49.185   tun0       eth0      no
67.159.49.186   tun0       eth0      no
67.159.49.187   tun0       eth0      no
67.159.49.188   tun0       eth0      no
67.159.49.189   tun0       eth0      no
67.159.49.190   tun0       eth0      no
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Can anyone figure out why a previously working configuration (it worked fine last night!) would suddenly stop working? Why would my machine stop responding to arp requests? Have I broken something, or overlooked/misunderstood/misconfigured anything?

Any and all help will be greatly appreciated.

Thanks,

Jan

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Jan Mulders wrote:
> Hello all.
>
> Having a few troubles with ProxyARP - Despite being configured in what looks
> to be a correct manner, my server is not responding to incoming ARP queries.
> Take a look:
>
> One machine (external to this entire network) pinging 67.159.49.180, a
> client on my VPN interface, tun0:
>
> seeds:~# ping 67.159.49.180
> PING 67.159.49.180 (67.159.49.180) 56(84) bytes of data.
> [no responses]
>
> My firewall machine, which is configured to proxyarp traffic between eth0
> and tun0 (see later for configs):
>
> root@serv [/etc/openvpn]# tcpdump -i eth0 -n src 67.159.49.180 or dst 67.159.49.180
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 11:58:42.451208 arp who-has 67.159.49.180 tell 67.159.49.177
> 11:58:44.450829 arp who-has 67.159.49.180 tell 67.159.49.177
> 11:58:46.450709 arp who-has 67.159.49.180 tell 67.159.49.177
>

From where I am, I can ping 67.159.49.177 and .178 only

> The output of 'arp -n' on the firewall machine:
>
> root@serv [~]# arp -n
> Address                  HWtype  HWaddress           Flags Mask            Iface
> 67.159.44.1              ether   00:D0:01:1E:50:0A   C                     eth0
> 67.159.49.184            *       *                   MP                    eth0
> 67.159.49.185            *       *                   MP                    eth0
> 67.159.49.186            *       *                   MP                    eth0
> 67.159.49.187            *       *                   MP                    eth0
> 67.159.49.188            *       *                   MP                    eth0
> 67.159.49.189            *       *                   MP                    eth0
> 67.159.49.190            *       *                   MP                    eth0
> 67.159.49.179            *       *                   MP                    eth0
> 67.159.49.180            *       *                   MP                    eth0
> 67.159.49.181            *       *                   MP                    eth0
> 67.159.49.182            *       *                   MP                    eth0
> 67.159.49.183            *       *                   MP                    eth0

Can you ping .177 from the firewall?

>
> My ifconfig:
>
> root@serv [~]# ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:E0:4C:77:85:4A
>           inet addr:67.159.44.246  Bcast:67.159.44.255  Mask:255.255.255.0
>           inet6 addr: fe80::2e0:4cff:fe77:854a/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:60822 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3960 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:4747174 (4.5 MiB)  TX bytes:623330 (608.7 KiB)
>           Interrupt:169 Base address:0x6000
>
> eth0:1    Link encap:Ethernet  HWaddr 00:E0:4C:77:85:4A
>           inet addr:66.90.117.9  Bcast:66.90.117.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           Interrupt:169 Base address:0x6000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:116 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:116 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:12509 (12.2 KiB)  TX bytes:12509 (12.2 KiB)
>
> tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:67.159.49.178  P-t-P:67.159.49.178  Mask:255.255.255.240
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> (tun0 is handing out IPs to clients as .179, .180, etc)
>
> I have been given a /28 by my ISP, giving me 13 usable IPs. I've handed all
> but one of these out to my clients on tun0 (except for .178, which I'm using
> for hosting DNS and other things the clients should use directly).
>
> Interestingly, the machine complaining about the lack of arp is
> 67.159.49.177, which is one off the beginning of my range. Perhaps related
> to the 'network', 'router', and 'broadcast' addresses of my IP range?
>

What is .177? The router/gateway for the rest of the lan?

> My proxyarp configuration:
>
> #ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
> # 67.159.49.178 tun0       eth0      no         # commented out for tun0 ip use
> 67.159.49.179   tun0       eth0      no
> 67.159.49.180   tun0       eth0      no
> 67.159.49.181   tun0       eth0      no
> 67.159.49.182   tun0       eth0      no
> 67.159.49.183   tun0       eth0      no
> 67.159.49.184   tun0       eth0      no
> 67.159.49.185   tun0       eth0      no
> 67.159.49.186   tun0       eth0      no
> 67.159.49.187   tun0       eth0      no
> 67.159.49.188   tun0       eth0      no
> 67.159.49.189   tun0       eth0      no
> 67.159.49.190   tun0       eth0      no
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> Can anyone figure out why a previously working configuration (it worked fine
> last night!) would suddenly stop working? Why would my machine stop
> responding to arp requests? Have I broken something, or

arp cache maybe?

> overlooked/misunderstood/misconfigured anything?
>
> Any and all help will be greatly appreciated.

Maybe, need a better understanding of your layout.
.180's gateway is set to what?
What does ip route ls look like? Better yet how about a dump?

Jerry

-------------------------------------------------------------------------

I can't ping .177... Perhaps it's the broadcast address for my IP range: if another machine can't find my mac address, it sends it to the broadcast address which spams it out over my subnet?

root@serv [~]# ping 67.159.49.177
PING 67.159.49.177 (67.159.49.177) 56(84) bytes of data.

--- 67.159.49.177 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 4998ms

32/0.014 ms, pipe 2

I've tried flushing the arp cache on my machine, and I don't think it's an issue with my ISP (why would .177 be arping if it was cached?).

My network diagram is along the lines of:

[a bunch of computers] - each with IP address 67.159.49.179-190, connected via a vpn to tun0
|
|
[tun0 on my shorewall box] - 67.159.49.178 for convenience's sake
[shorewall with proxyarp between the two interfaces]
[eth0 on my shorewall box] - 67.159.44.246
|
[the wild internet] - where I've been assigned 44.246 for my server, and a range of 13 usable addresses - 49.178 to 49.190.

Any bright ideas?

Thanks for the reply.

Jan

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

-------------------------------------------------------------------------

Oh, forgot a route dump:

root@serv [~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
67.159.49.182   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.183   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.180   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.181   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.179   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.190   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.188   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.189   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.186   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.187   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
66.90.117.9     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
67.159.49.184   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.185   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
66.90.117.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
67.159.44.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         67.159.44.1     0.0.0.0         UG    0      0        0 eth0
root@serv [~]#

.80's gateway should be .44.1 - the normal destination for my main eth0 IP (according to my isp).

Thanks,

Jan

-------------------------------------------------------------------------

Jan Mulders wrote:
> Oh, forgot a route dump:

I suspect that Jerry was asking for a 'shorewall dump'. I know that I won't look at this problem until I have one in hand.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------

Jan Mulders wrote:
> I can't ping .177... Perhaps it's the broadcast address for my IP range: if
> another machine can't find my mac address, it sends it to the broadcast
> address which spams it out over my subnet?
>

If I can ping .177 and you can't, as a guess, it sounds like you're missing a route to .177 (which is not in your route dump)

> root@serv [~]# ping 67.159.49.177
> PING 67.159.49.177 (67.159.49.177) 56(84) bytes of data.
>
> --- 67.159.49.177 ping statistics ---
> 6 packets transmitted, 0 received, 100% packet loss, time 4998ms
>
> 32/0.014 ms, pipe 2
>
>
> I've tried flushing the arp cache on my machine, and I don't think it's an
> issue with my ISP (why would .177 be arping if it was cached?).
>
> My network diagram is along the lines of:
>
> [a bunch of computers] - each with IP address 67.159.49.179-190, connected
> via a vpn to tun0
> |
> |
> [tun0 on my shorewall box] - 67.159.49.178 for convenience's sake
> [shorewall with proxyarp between the two interfaces]
> [eth0 on my shorewall box] - 67.159.44.246
> |
> [the wild internet] - where I've been assigned 44.246 for my server, and a
> range of 13 usable addresses - 49.178 to 49.190.
>

.177 is not one of them, it should be on your subnet:

/sbin/shorewall ipcalc 67.159.49.177/28
CIDR=67.159.49.177/28
NETMASK=255.255.255.240
NETWORK=67.159.49.176
BROADCAST=67.159.49.191

Is that your isp's router? If not, what would it be?

A shorewall dump would be very useful here, and you may get others looking also.

Jerry

-------------------------------------------------------------------------

After noting your observations regarding a lack of being able to ping .177, I have successfully diagnosed that there was a missing route to this IP address (because I was using a /24 netmask for my tun0 interface).

Some further investigation to try and obtain the right method of configuring this whole thing with my current 'proper' range as pointed out by Jerry (Thanks Jerry!) resulted in it working perfectly.

Here is my configuration, if anyone has the same problem in the future:

root@serv [/etc/shorewall]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:E0:4C:77:85:4A
          inet addr:67.159.44.246  Bcast:67.159.44.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fe77:854a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:267729 errors:0 dropped:0 overruns:0 frame:0
          TX packets:70492 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17932961 (17.1 MiB)  TX bytes:14432200 (13.7 MiB)
          Interrupt:169 Base address:0x6000

eth0:1    Link encap:Ethernet  HWaddr 00:E0:4C:77:85:4A
          inet addr:66.90.117.9  Bcast:66.90.117.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:169 Base address:0x6000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:116 errors:0 dropped:0 overruns:0 frame:0
          TX packets:116 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12521 (12.2 KiB)  TX bytes:12521 (12.2 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:67.159.49.177  P-t-P:67.159.49.177  Mask:255.255.255.240
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:54 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:3188 (3.1 KiB)  TX bytes:2400 (2.3 KiB)

root@serv [/etc/shorewall]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.90.117.9     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
67.159.49.176   0.0.0.0         255.255.255.240 U     0      0        0 tun0
66.90.117.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
67.159.44.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
67.159.49.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         67.159.44.1     0.0.0.0         UG    0      0        0 eth0

I learned some more about routing and netmasks today, and about how not to take ISPs' ip range assignments for granted - thank you Tom and Jerry (no pun intended)!

Regards,

Jan

-------------------------------------------------------------------------

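An added example, not part of any poster's message: Jerry's check that .177 "is not in your route dump" can be done mechanically with a longest-prefix match over the two `route -n` tables Jan posted. The function names are hypothetical, and only the main table that `route -n` prints is modelled, so the box's own addresses (held in the kernel's local table) are not treated specially.

```python
import ipaddress

# `route -n` output copied from the thread: before and after the fix.
ROUTES_BEFORE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
67.159.49.182   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.183   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.180   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.181   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.179   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.190   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.188   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.189   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.186   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.187   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
66.90.117.9     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
67.159.49.184   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
67.159.49.185   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
66.90.117.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
67.159.44.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         67.159.44.1     0.0.0.0         UG    0      0        0 eth0
"""

ROUTES_AFTER = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.90.117.9     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
67.159.49.176   0.0.0.0         255.255.255.240 U     0      0        0 tun0
66.90.117.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
67.159.44.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
67.159.49.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         67.159.44.1     0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_n(text):
    """Parse `route -n` output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have 8 columns and begin with a dotted-quad destination;
        # this skips the "Kernel IP routing table" and column header lines.
        if len(fields) != 8 or not fields[0][0].isdigit():
            continue
        dest, gateway, genmask, flags, _metric, _ref, _use, iface = fields
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{genmask}"),
            "gateway": gateway,
            "flags": flags,
            "iface": iface,
        })
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the most specific route containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen, default=None)


def describe(routes, addr):
    """One-line summary of how the table reaches addr."""
    r = lookup(routes, addr)
    if r is None:
        return "unreachable"
    # The G flag means the packet is handed to a gateway, not delivered on-link.
    via = f"via {r['gateway']}" if "G" in r["flags"] else "on-link"
    return f"{r['net']} dev {r['iface']} {via}"


def only_default(routes, block):
    """Host addresses of `block` that match nothing more specific than 0.0.0.0/0."""
    net = ipaddress.ip_interface(block).network  # accepts a host address like .177/28
    missing = []
    for host in net.hosts():
        r = lookup(routes, host)
        if r is None or r["net"].prefixlen == 0:
            missing.append(str(host))
    return missing


if __name__ == "__main__":
    for label, dump in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        table = parse_route_n(dump)
        print(label, ".177 ->", describe(table, "67.159.49.177"))
        print(label, "no specific route:", only_default(table, "67.159.49.177/28"))
```

In the first table .178 is also reported because it is tun0's own address, which `route -n` does not list.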
Jan Mulders wrote:
> After noting your observations regarding a lack of being able to ping .177,
> I have successfully diagnosed that there was a missing route to this IP
> address (because I was using a /24 netmask for my tun0 interface).
>
> Some further investigation to try and obtain the right method of configuring
> this whole thing with my current 'proper' range as pointed out by Jerry
> (Thanks Jerry!) resulted in it working perfectly.
>
<snip>
> I learned some more about routing and netmasks today, and about how not to
> take ISPs ip range assignments for granted - thank you Tom and Jerry (no pun
> intended)!
>
> Regards,
>
> Jan
>

Glad you got it working now, isn't networking "fun"?

Jerry