Mailinglist Archive: opensuse-security (465 mails)

RE: [suse-security] proxy-arp problems ...
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Fri, 7 Dec 2001 09:35:15 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56C8F@xxxxxxxxxxxxxxxxx>
> I'm trying to get my firewall to do proxy-arp on behalf of
> some 'virtual' ips.
>
> this is what the entries look like in my arp table:
> 10.0.0.19 ether 08:00:20:A5:04:26 C eth2
> 66.8.45.171 * * MP eth2
> 66.8.45.171 * * MP eth1
> 66.8.45.171 * * MP eth0
>
> When I try and connect to the ip 66.8.45.171, the firewall is
> asking who has arp 66.8.45.171.

I've succeeded with proxy-arp in the following setup:

Box 1
192.168.1.176/24
|
|
|
192.168.1.42/24 (eth0)
Linux router
192.168.1.18/28 (eth2)
|
|
192.168.1.17/28
Box 2

Box 1 doesn't know that 192.168.1/24 is split, its default router is *not*
the Linux router. Box 2 has the Linux router as its default gateway.

What I wanted to do was to be able to ping Box 2 from Box 1. Since Box 1
does not know that 192.168.1/24 is split, it expects Box 2 to be on the
locally attached network and will issue arp requests when it tries to send
IP packets to it. Therefore, the Linux router has to proxy-arp on behalf of
Box 2.

Here's what I did (entirely on the Linux router):
# echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

That was it. Then I pinged from Box 1 to Box 2 successfully. The ARP table
on Box 1 maps:
192.168.1.42 to 00:60:b0:cd:1c:16
192.168.1.17 to 00:60:b0:cd:1c:16

While on the Linux router, 192.168.1.17 has a different MAC address
associated with it.

I don't know what you're doing, so I can't tell where your mistake is.

Cheers
Tobias
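
Added example, not part of the original post: a simplified Python model of the check the Linux kernel makes before answering an ARP request, using the addresses from the diagram above. The route table, the function names and the `forwarding` flag are assumptions made for illustration; the point is that with proxy_arp set on eth0 the router answers only for addresses it routes out of a different interface.

```python
import ipaddress

# Constructed from the diagram in the post: connected routes on the Linux router.
ROUTES = [
    ("192.168.1.0/24", "eth0"),   # segment with Box 1 (192.168.1.176)
    ("192.168.1.16/28", "eth2"),  # segment with Box 2 (192.168.1.17)
]
# The router's own addresses, also taken from the diagram.
LOCAL_ADDRS = {"192.168.1.42": "eth0", "192.168.1.18": "eth2"}


def route_lookup(target, routes=ROUTES):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(target)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def arp_reply_reason(target, in_dev, proxy_arp, forwarding=True):
    """Return why the router answers a who-has for `target` seen on `in_dev`.

    "local" : the address is the router's own (default arp_ignore=0)
    "proxy" : answered on behalf of a host behind another interface
    None    : the router stays silent
    `proxy_arp` maps interface name -> bool, like conf/<dev>/proxy_arp.
    """
    if target in LOCAL_ADDRS:
        return "local"
    out_dev = route_lookup(target)
    if out_dev is None or not forwarding:
        return None   # no route, or the box is not acting as a router
    if out_dev == in_dev:
        return None   # target sits on the asking segment; it answers itself
    return "proxy" if proxy_arp.get(in_dev, False) else None


if __name__ == "__main__":
    setting = {"eth0": True}  # echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
    for ip in ("192.168.1.17", "192.168.1.176", "192.168.1.42"):
        print(ip, "->", arp_reply_reason(ip, "eth0", setting))
```

A "proxy" result is what makes Box 1 see 192.168.1.17 at the same MAC address as 192.168.1.42.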