
Problem with proxy arp in debian sarge kernel 2.6.x



Hello!

I have a problem with proxy arp that I just can't figure out.

We are running a network for about 300 apartments and have to NAT the outgoing traffic from our internal network. We also have a couple of servers in a DMZ, which is not NATed. Apart from routing, the machine is also doing ip-filtering, and traffic shaping.
The topology looks something like:

outside<--->linux-based-router<-->internal NATed network
                \----->DMZ

The machines in the DMZ are in the same subnet as the external interface of the router. With proxy arps for the machines in the DMZ this has worked well for a couple of years. The router machine, running kernel 2.4.28, has however become old and we decided to get new hardware. We decided to run debian sarge on the new machine.

When I did some "preproduction" testing of the new router I noticed that proxy arp didn't function, and I can't figure out why. I have tested proxy arp on two different machines running debian sarge and kernel 2.6.x, but it does not work on either of them.

The *test* setup is as follows:
* the test-setup of the network looks like:
"outside"<---->eth1:192.168.12.209/24[Test-setup-of-router]eth0:10.200.150.1/24<----->10.200.150.150/24[just-a-machine]
* kernel 2.6.13-vs2.0.1-pre2-686 (not a std debian kernel) on one of the test machines and kernel 2.6.12-1-amd64-generic on the other.
* /proc/sys/net/ipv4/ip_forward is set to 1.
* I've tested with /proc/sys/net/ipv4/conf/*/proxy_arp set to 1 as well as 0.
* Forwarding works fine.
* The network in the test setup is configured with route:
10.200.150.0 eth0
192.168.12.0 eth1
0.0.0.0 gw 192.168.12.254 eth1
and the network works fine.
* In the test setup I try to add a proxy arp for 192.168.12.211 on eth1 with:
arp -i eth1 -s 192.168.12.211 00:01:02:03:04:05 pub
* To test the setup I've added
iptables -t nat -I PREROUTING 1 -d 192.168.12.211 -j DNAT --to-destination 10.200.150.150
and
iptables -I FORWARD 1 -d 10.200.150.150 -j ACCEPT

Trying to reach 192.168.12.211 from a machine on the eth1 (the "outside") net ends with an error message stating that there is no route.

tcpdump on the test machine:
tcpdump -i eth1 host 192.168.12.211
23:36:03.180749 arp who-has 192.168.12.211 tell 192.168.12.254
etc

tcpdump on the 10.200.150.150 returns nothing.

Thus no proxy arp =-(
What am I missing?

Can anyone help me, please?

Erik Persson.
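As an added example, not part of Erik's post, the Python below models the check that the 2.4 and 2.6 kernels make in arp_process() (net/ipv4/arp.c) before answering an ARP request for an address the box does not own: with ip_forward on, the target must route out an interface other than the one the request arrived on, and only then does a proxy_arp=1 sysctl or a published ("pub"/"proxy") neighbour entry cause a reply. The routes, addresses and interface names are constructed from the test setup described above. The /32 host route tried in the second call is the author's (this editor's) assumption about a remedy, not something the post reports; it would have to be verified on the real router.

```python
"""Model of the Linux forwarding proxy-ARP decision, applied to the routing
table from the post. Simplified model of the kernel check, not kernel code."""
import ipaddress


def route_table(extra=()):
    """Constructed from the post: eth1 192.168.12.209/24, eth0 10.200.150.1/24,
    default via 192.168.12.254 on eth1. Scope 'local' stands for RTN_LOCAL (an
    address the box owns), 'unicast' for RTN_UNICAST (a forwarding route)."""
    table = [
        (ipaddress.ip_network("192.168.12.209/32"), "lo", "local"),
        (ipaddress.ip_network("10.200.150.1/32"), "lo", "local"),
        (ipaddress.ip_network("10.200.150.0/24"), "eth0", "unicast"),
        (ipaddress.ip_network("192.168.12.0/24"), "eth1", "unicast"),
        (ipaddress.ip_network("0.0.0.0/0"), "eth1", "unicast"),
    ]
    table.extend(extra)
    return table


def host_route(addr, dev):
    """A /32 route for addr out of dev (hypothetical remedy, see lead-in)."""
    return (ipaddress.ip_network(addr + "/32"), dev, "unicast")


def lookup(table, addr):
    """Longest-prefix match, standing in for the kernel's ip_route_input()."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev, scope in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, scope)
    return best


def arp_reply_decision(table, tip, in_dev, proxy_entries=(),
                       proxy_arp_sysctl=False, ip_forward=True):
    """Decide how an ARP 'who-has tip' received on in_dev is answered.

    Returns 'local' (tip is our own address, normal reply), 'proxy'
    (forwarding proxy reply) or None (silence).
    proxy_entries: published neighbour entries as (ip, device) pairs, i.e.
    what 'arp -i DEV -s IP ... pub' or 'ip neigh add proxy IP dev DEV' create.
    """
    rt = lookup(table, tip)
    if rt is None:
        return None
    _net, out_dev, scope = rt
    if scope == "local":
        return "local"
    if not ip_forward:
        return None
    # Forwarding branch of arp_process(): the route must be unicast AND leave
    # by a different interface than the request came in on. Only then are the
    # per-interface proxy_arp sysctl or a published entry for (tip, in_dev)
    # consulted. A target that routes back out the same interface is never
    # proxied, whatever the sysctl or the pub entry say.
    if scope == "unicast" and out_dev != in_dev:
        published = (str(ipaddress.ip_address(tip)), in_dev) in set(proxy_entries)
        if proxy_arp_sysctl or published:
            return "proxy"
    return None


if __name__ == "__main__":
    pub = [("192.168.12.211", "eth1")]  # arp -i eth1 -s 192.168.12.211 ... pub
    # The post's setup: 192.168.12.211 routes via 192.168.12.0/24 on eth1, the
    # same interface the request ("tell 192.168.12.254") arrives on.
    print(arp_reply_decision(route_table(), "192.168.12.211", "eth1", pub))
    # Same lookup with a /32 for the proxied address pointing at eth0 (assumed).
    fixed = route_table([host_route("192.168.12.211", "eth0")])
    print(arp_reply_decision(fixed, "192.168.12.211", "eth1", pub))
```

Run stand-alone, the first call prints None and the second prints proxy: the pub entry is only honoured once the proxied address routes out eth0. In the model the same holds for /proc/sys/net/ipv4/conf/eth1/proxy_arp=1, which explains why toggling it made no difference, while an ARP request on eth1 for 10.200.150.150 (routed via eth0) would be proxied with the sysctl on.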
