The Answer Guy 51: ProxyARP
"The Linux Gazette...making Linux just a little more fun!"
ProxyARP
From Jinquan Luo on Mon, 31 Jan 2000
Dear James,
I have been trying to set up Proxy ARP using the ARP commands in
Linux (Red Hat 6.1), but they do not seem to work for me. I
wonder if you would give me some advice as to how to fix the
problem. Here is my problem.
I have a CISCO router that connects to the internet. From that
ONE link comes into a hub. Two computers are connected to the
hub. One of the computers is our bastion host, which is our web
server and mail host. The e-mail messages are immediately relayed
to our internal network through the other computer, which is the
firewall. So here is the setup:
The firewall has ip# xx.xx.xx.2, MAC 00:20:AF:A2:9E:58. The bastion
host has xx.xx.xx.3.
The Firewall has a second NIC which is connected to the internal
network. So the e-mail also goes through it. Now The email
received by the bastion host is forwarded to xx.xx.xx.149, which
is a phony address. So I tried to arp .149 to the MAC of the
firewall like:
arp -i eth0 xx.xx.xx.149 00:20:AF:A2:9E:58 pub.
This command doesn't look quite right to me.
Try something a bit more like:
arp -i eth0 -Ds ${NETWORK} eth1 netmask ${NETMASK} pub
This example is taken right out of the ProxyARP
mini-HOWTO (*)
(NOTE: the 2.2.x kernel doesn't allow the netmask
option. Apparently you must issue a separate command
for each of the intended IP addresses you wish to
publish. I don't know what the state of this will
be for version 2.4. I've copied one of my more
expert associates; perhaps he'll jump in with more info).
The command appears to work, so arp shows xx.xx.xx.149 MP
eth0 as advertised. The firewall is functioning and does translate
the .149 address into an internal number, 192.168.1.52, which is
our internal mail server. The problem is that if I ping
xx.xx.xx.149 on the bastion host it shows this:
$ ping mickey
PING mickey.tbc.com (xx.xx.xx.149): 56 data bytes
--- mickey.xx.xx ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss.
In another window I have
$ tcpdump -n arp
12:33:06.979376 arp who-has xx.xx.xx.149 tell xx.xx.xx.3
12:33:07.969471 arp who-has xx.xx.xx.149 tell xx.xx.xx.3
12:33:08.969470 arp who-has xx.xx.xx.149 tell xx.xx.xx.3
3 packets received by filter
0 packets dropped by kernel.
This continues forever.
My Kernel routing table looks like this:
bash# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xx.xx.xx.3      0.0.0.0         255.255.255.255 UH    0      0        0 eth0
xx.xx.xx.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         xx.xx.xx.1      0.0.0.0         UG    0      0        0 eth0
Apparently there is something missing in the setup, so that ARP is not
providing the right link_addr.
The arp command doesn't affect your routing tables.
When I added a static route such as:
route add -net xx.xx.xx.0 netmask 255.255.255.0 gw xx.xx.xx.2
[where xx.xx.xx.2 is the firewall]
then the tcpdump shows this:
12:40:52.120385 arp who-has xx.xx.xx.149 tell xx.xx.xx.2
Apparently PROXY ARP is not working because it is not responding
to requests.
Try reading the ProxyARP mini-HOWTO and using a
command that's closer to their example.
Yes, you do need to make sure that the routing table
on the proxyarp host has entries for both subnets.
I am really not sure what is wrong with my set-up. If you can
spare a moment please take a look and give me some clues.
Thanks very much.
Jinquan
If this doesn't help, draw up an ASCII art diagram
to help me figure it out. It takes a long time to
guess what you mean based on this text. Be sure to
include the routing tables on each of the routers
(and proxyarp hosts) and a sample routing table from
representative non-router hosts on each subnet.
Usually the process of creating this diagram will
make your problem obvious.
[
There's a reasonable example of such art in another message this
month, subject "Subnetting".
-- Heather. ]
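As an added example (not code from the column, the mini-HOWTO, or either correspondent), the following POSIX shell helper publishes each address with its own arp command, as the 2.2.x note in the reply requires, and checks an `arp -n` table for the MP flag that a working entry shows. The interface names, the 10.0.0.x addresses, the DRY_RUN variable and the sample table are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the Linux Gazette column. Publishes one address
# per arp command (the 2.2.x kernel rejects the netmask form) and verifies the
# table. EXT_IF/INT_IF, the addresses, DRY_RUN and SAMPLE_TABLE are assumptions.

# proxyarp_publish EXT_IF INT_IF ADDR...
# For every ADDR, answer ARP requests arriving on EXT_IF with the hardware
# address of INT_IF (-D takes the MAC from the named interface, -s makes the
# entry static, pub publishes it). With DRY_RUN set, commands are printed only.
proxyarp_publish() {
    ext_if=$1; int_if=$2; shift 2
    for addr in "$@"; do
        cmd="arp -i $ext_if -Ds $addr $int_if pub"
        if [ -n "$DRY_RUN" ]; then
            echo "$cmd"
        else
            $cmd || return 1
        fi
    done
}

# A published entry only makes this host answer "who-has" for the address; the
# kernel must also forward what it attracts, and the routing table needs routes
# for both subnets (as the reply above says). This checks the forwarding half.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# count_published ADDR... < arp-table
# Reads "arp -n" output on stdin and counts how many of the given addresses
# appear with the published flag (MP, or CMP once the entry is also cached),
# which is what the question reports for xx.xx.xx.149.
count_published() {
    awk -v want="$*" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        ($1 in w) { for (i = 2; i <= NF; i++) if ($i ~ /^C?MP$/) { c++; break } }
        END { print c + 0 }'
}

# Constructed "arp -n" table for an offline self-check: only .149 is published.
SAMPLE_TABLE='Address        HWtype  HWaddress          Flags Mask  Iface
10.0.0.149     ether   00:20:af:a2:9e:58  MP          eth0
10.0.0.3       ether   00:00:5e:00:53:03  C           eth0'

# Stand-alone run: show the commands, then count published sample entries.
DRY_RUN=1 proxyarp_publish eth0 eth1 10.0.0.149 10.0.0.150
printf '%s\n' "$SAMPLE_TABLE" | count_published 10.0.0.149 10.0.0.150   # prints 1
forwarding_enabled && echo "ip_forward is on" || echo "ip_forward is off"
```

On a live host, run `proxyarp_publish` without DRY_RUN as root and pipe the real `arp -n` output into `count_published` to confirm every address you meant to publish is actually flagged.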
Copyright © 2000, James T. Dennis
Published in The Linux Gazette Issue 51 March 2000