RE: Linux ARP bridging issues
Hmm, it seems this never made it to the list.
---
Ross Halliday
Network Operations
WTC Communications
Office: 613-547-6939 x203
Helpdesk: 866-547-6939 option 2
http://www.wtccommunications.ca
> -----Original Message-----
> From: Ross Halliday
> Sent: Tuesday, August 31, 2010 11:48 AM
> To: 'debian-isp@lists.debian.org'
> Subject: Linux ARP bridging issues
>
> Hello folks,
>
> I realize this may be somewhat off-topic, but I'm an ISP, I use Debian,
> and I know there are some very smart people reading this list :) I am
> hoping someone here will be in a similar situation or be more familiar
> with the involved technologies than I am.
>
> In the past few days I have been doing a lot of searching and head-
> scratching but am unable to really figure this out. I have an OpenVPN
> server set up for use of our network operations team that gives them
> direct access into a LAN. OpenVPN is configured in bridged mode and
> handing out unique IP addresses per user from client configuration
> files. The outward traffic flow looks something like this:
>
> Client TAP interface -> OpenVPN -> server tap0 -> br0 -> vlan9 ->
> physical network
>
> Up until sometime last week this thing ran absolutely fine. Now, all of
> a sudden, ARP replies are not always being bridged back. I can see all
> the requests flowing out, and I can see the replies coming back into
> br0 but not appearing on tap0. Very rarely I've seen a reply make it
> through, sometimes after 10 seconds of ARP requests, sometimes after 10
> minutes, sometimes not even after half an hour. If I force an ARP entry
> on the client things work fine.
>
> The server runs OpenVPN 2.1~rc11-1 on Debian Lenny 5.0.5 with stock
> kernel 2.6.26-2-amd64 in VMware 4.1. I have dumped all of my iptables
> rules, arptables and ebtables are clear, all policies set to ACCEPT.
> I've tried enabling kernel options like arp_proxy and ip_forward with
> no luck. The server does not and never has had an IP configured on the
> vlan9, br0, or tap0 interfaces. The VLAN interfaces are plain Ethernet
> interfaces renamed by udev and NOT 802.1q tagged sub-interfaces.
>
> To keep things sort of legible I've put my scrubbed configuration at
> the end of this message. Any assistance or insight would be very much
> appreciated. If anyone can suggest a better venue for this that would
> also be great.
>
> Thanks
> ---
> Ross Halliday
> Network Operations
> WTC Communications
>
> Office: 613-547-6939 x203
> Helpdesk: 866-547-6939 option 2
> http://www.wtccommunications.ca
>
>
>
> wtc-vpn:~# ifconfig
> br0 Link encap:Ethernet HWaddr 00:0c:29:46:f9:50
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:504255 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
>
> RX bytes:32318500 (30.8 MiB) TX bytes:0 (0.0 B)
> tap0 Link encap:Ethernet HWaddr 00:ff:d1:9f:78:48
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:8981 errors:0 dropped:0 overruns:0 frame:0
> TX packets:507870 errors:0 dropped:14 overruns:0 carrier:0
> collisions:0 txqueuelen:100
>
> RX bytes:786383 (767.9 KiB) TX bytes:39449734 (37.6 MiB)
> vlan30 Link encap:Ethernet HWaddr 00:0c:29:46:f9:64
> inet addr:[management IP] Bcast:[management bcast]
> Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:36656 errors:0 dropped:0 overruns:0 frame:0
> TX packets:23458 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:3488563 (3.3 MiB) TX bytes:17802838 (16.9 MiB)
>
> vlan9 Link encap:Ethernet HWaddr 00:0c:29:46:f9:50
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:9524463 errors:0 dropped:0 overruns:0 frame:0
> TX packets:8665 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:5372033640 (5.0 GiB) TX bytes:766629 (748.6 KiB)
>
> vlan81 Link encap:Ethernet HWaddr 00:0c:29:46:f9:5a
> inet addr:[public IP] Bcast:[public bcast]
> Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:167968 errors:0 dropped:0 overruns:0 frame:0
> TX packets:126983 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:11357700 (10.8 MiB) TX bytes:22022758 (21.0 MiB)
>
> wtc-vpn:~# brctl show
> bridge name bridge id STP enabled interfaces
> br0 8000.000c2946f950 no tap0
> vlan9
> wtc-vpn:~# brctl showmacs br0
> port no mac addr is local? ageing timer
> 1 00:02:b3:07:85:e0 no 224.01
> 1 00:04:27:0a:72:40 no 24.98
> 1 00:0a:b8:de:33:b2 no 1.92
> 1 00:0c:29:46:f9:50 yes 0.00
> 1 00:0c:29:b6:92:8e no 205.96
> 1 00:0f:1f:5b:51:46 no 1.24
> 1 00:11:11:4b:fc:fe no 137.85
> <snip>
> 1 00:50:56:ba:6a:87 no 32.87
> 1 00:50:56:ba:70:23 no 14.01
> 1 00:50:56:ba:7a:94 no 0.53
> 1 00:a0:c9:f6:77:37 no 4.78
> 1 00:c0:9f:ab:e6:92 no 76.87
> 1 00:c0:9f:d4:0e:8a no 14.18
> 1 00:e0:81:20:b7:ec no 0.03
> 1 00:ff:7f:b2:80:34 no 2.99
> 2 00:ff:d1:9f:78:48 yes 0.00
>
> wtc-vpn:/etc/openvpn# cat server.conf
>
> local [public IP]
> port 1194
> proto udp
> dev tap0
>
> ca /etc/openvpn/keys/ca.crt
> cert /etc/openvpn/keys/server.crt
> key /etc/openvpn/keys/server.key
> dh /etc/openvpn/keys/dh1024.pem
>
> management 127.0.0.1 905
> mode server
> tls-server
>
> push "route [public IP] 255.255.255.255 net_gateway"
> push "route-gateway [LAN gateway]"
> push "route [subnet 1] 255.255.255.0"
> push "route [subnet 2] 255.255.255.0"
> push "route [subnet 3] 255.255.255.0"
> push "route [subnet 4] 255.255.255.0"
> push "route [subnet 5] 255.255.255.0"
> push "route [subnet 6] 255.240.0.0"
> push "route [subnet 7] 255.255.255.192"
> push "dhcp-option DNS [LAN DNS 1]"
> push "dhcp-option DNS [LAN DNS 2]"
> push "dhcp-option DNS [LAN DNS 3]"
>
> script-security 2 system
> client-connect /etc/openvpn/ccs.sh
> client-disconnect /etc/openvpn/ccd.sh
> client-config-dir client-configs
> ccd-exclusive
> username-as-common-name
> keepalive 2 10
> reneg-sec 0
> tls-auth /etc/openvpn/keys/ta.key 0
> plugin /usr/lib/openvpn/openvpn-auth-pam.so login
> cipher AES-256-CBC
> comp-lzo
> max-clients 13
>
> user ovpn-user
> group ovpn-user
>
> persist-key
> persist-tun
>
> status openvpn-status.log
> log-append /var/log/openvpn.log
> verb 6
> mute 5
> mute-replay-warnings
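An added diagnostic example (not code from the original post, OpenVPN or bridge-utils): a learning bridge forwards a known unicast frame, such as an ARP reply, only out the port on which it last learned the destination MAC, so the first thing to check when a reply reaches br0 but never tap0 is which port `brctl showmacs` has each VPN client's MAC on. The script parses the `ifconfig` and `brctl showmacs` formats shown in the post (sample output constructed here, one row copied from the post) and flags clients learned on a port other than tap0; the list of client MACs is an assumed input.

```python
import re

# Constructed sample in the format of the post's `ifconfig` output; only the
# HWaddr lines matter. br0 borrows vlan9's MAC, exactly as in the post.
IFCONFIG = """\
br0   Link encap:Ethernet  HWaddr 00:0c:29:46:f9:50
tap0  Link encap:Ethernet  HWaddr 00:ff:d1:9f:78:48
vlan9 Link encap:Ethernet  HWaddr 00:0c:29:46:f9:50
"""

# Constructed sample in the format of `brctl showmacs br0`. The 00:ff:7f row is
# copied from the post; treating it as a VPN client MAC is an assumption.
SHOWMACS = """\
port no mac addr is local? ageing timer
1 00:02:b3:07:85:e0 no 224.01
1 00:0c:29:46:f9:50 yes 0.00
1 00:ff:7f:b2:80:34 no 2.99
2 00:ff:aa:bb:cc:dd no 1.10
2 00:ff:d1:9f:78:48 yes 0.00
"""

# Assumed list of connected VPN client MACs (e.g. from openvpn-status.log).
CLIENT_MACS = {"00:ff:7f:b2:80:34", "00:ff:aa:bb:cc:dd"}

def parse_hwaddrs(text):
    """Map interface name -> MAC from ifconfig 'HWaddr' lines."""
    pat = r"^(\S+)\s+Link encap:Ethernet\s+HWaddr\s+([0-9a-f:]{17})"
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(pat, text, re.M | re.I)}

def parse_showmacs(text):
    """(port, mac, is_local, ageing) tuples from brctl showmacs; header skipped."""
    rows = [l.split() for l in text.splitlines()[1:] if l.strip()]
    return [(int(p), mac.lower(), loc == "yes", float(age))
            for p, mac, loc, age in rows]

def port_map(hwaddrs, rows, bridge="br0"):
    """Port number -> member interface via the 'is local? yes' rows; the bridge
    device is skipped because it borrows a member interface's MAC."""
    by_mac = {mac: name for name, mac in hwaddrs.items() if name != bridge}
    return {port: by_mac[mac] for port, mac, local, _ in rows
            if local and mac in by_mac}

def misplaced_clients(client_macs, vpn_iface, hwaddrs, rows, bridge="br0"):
    """{mac: iface} for clients learned on a port other than vpn_iface.
    Unlearned clients are omitted: frames for an unknown MAC are flooded."""
    ports = port_map(hwaddrs, rows, bridge)
    return {mac: ports.get(port, f"port {port}")
            for port, mac, local, _ in rows
            if not local and mac in client_macs and ports.get(port) != vpn_iface}
```

On a live server, replace the two sample strings with the real command output; a client reported as learned on vlan9 means the bridge is sending that client's ARP replies out the physical side, which matches the symptom described in the post.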