
RE: Linux ARP bridging issues



Hmm, it seems this never made it to the list.

---
Ross Halliday
Network Operations
WTC Communications

Office: 613-547-6939 x203
Helpdesk: 866-547-6939 option 2
http://www.wtccommunications.ca

> -----Original Message-----
> From: Ross Halliday
> Sent: Tuesday, August 31, 2010 11:48 AM
> To: 'debian-isp@lists.debian.org'
> Subject: Linux ARP bridging issues
> 
> Hello folks,
> 
> I realize this may be somewhat off-topic, but I'm an ISP, I use Debian,
> and I know there are some very smart people reading this list :) I am
> hoping someone here will be in a similar situation or be more familiar
> with the involved technologies than I am.
> 
> In the past few days I have been doing a lot of searching and head-
> scratching but am unable to really figure this out. I have an OpenVPN
> server set up for use of our network operations team that gives them
> direct access into a LAN. OpenVPN is configured in bridged mode and
> handing out unique IP addresses per user from client configuration
> files. The outward traffic flow looks something like this:
> 
> Client TAP interface -> OpenVPN -> server tap0 -> br0 -> vlan9 ->
> physical network
> 
> Up until sometime last week this thing ran absolutely fine. Now, all of
> a sudden, ARP replies are not always being bridged back. I can see all
> the requests flowing out, and I can see the replies coming back into
> br0 but not appearing on tap0. Very rarely I've seen a reply make it
> through, sometimes after 10 seconds of ARP requests, sometimes after 10
> minutes, sometimes not even after half an hour. If I force an ARP entry
> on the client things work fine.
> 
> The server runs OpenVPN 2.1~rc11-1 on Debian Lenny 5.0.5 with stock
> kernel 2.6.26-2-amd64 in VMware 4.1. I have dumped all of my iptables
> rules, arptables and ebtables are clear, all policies set to ACCEPT.
> I've tried enabling kernel options like arp_proxy and ip_forward with
> no luck. The server does not and never has had an IP configured on the
> vlan9, br0, or tap0 interfaces. The VLAN interfaces are plain Ethernet
> interfaces renamed by udev and NOT 802.1q tagged sub-interfaces.
> 
> To keep things sort of legible I've put my scrubbed configuration at
> the end of this message. Any assistance or insight would be very much
> appreciated. If anyone can suggest a better venue for this that would
> also be great.
> 
> Thanks
> ---
> Ross Halliday
> Network Operations
> WTC Communications
> 
> Office: 613-547-6939 x203
> Helpdesk: 866-547-6939 option 2
> http://www.wtccommunications.ca
> 
> 
> 
> wtc-vpn:~# ifconfig
> br0       Link encap:Ethernet  HWaddr 00:0c:29:46:f9:50
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:504255 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:32318500 (30.8 MiB)  TX bytes:0 (0.0 B)
> 
> tap0      Link encap:Ethernet  HWaddr 00:ff:d1:9f:78:48
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:8981 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:507870 errors:0 dropped:14 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:786383 (767.9 KiB)  TX bytes:39449734 (37.6 MiB)
> 
> vlan30    Link encap:Ethernet  HWaddr 00:0c:29:46:f9:64
>           inet addr:[management IP]  Bcast:[management bcast]  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:36656 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:23458 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:3488563 (3.3 MiB)  TX bytes:17802838 (16.9 MiB)
> 
> vlan9     Link encap:Ethernet  HWaddr 00:0c:29:46:f9:50
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:9524463 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:8665 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:5372033640 (5.0 GiB)  TX bytes:766629 (748.6 KiB)
> 
> vlan81    Link encap:Ethernet  HWaddr 00:0c:29:46:f9:5a
>           inet addr:[public IP]  Bcast:[public bcast]  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:167968 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:126983 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:11357700 (10.8 MiB)  TX bytes:22022758 (21.0 MiB)
> 
> wtc-vpn:~# brctl show
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.000c2946f950       no              tap0
>                                                         vlan9
> wtc-vpn:~# brctl showmacs br0
> port no mac addr                is local?       ageing timer
>   1     00:02:b3:07:85:e0       no               224.01
>   1     00:04:27:0a:72:40       no                24.98
>   1     00:0a:b8:de:33:b2       no                 1.92
>   1     00:0c:29:46:f9:50       yes                0.00
>   1     00:0c:29:b6:92:8e       no               205.96
>   1     00:0f:1f:5b:51:46       no                 1.24
>   1     00:11:11:4b:fc:fe       no               137.85
> <snip>
>   1     00:50:56:ba:6a:87       no                32.87
>   1     00:50:56:ba:70:23       no                14.01
>   1     00:50:56:ba:7a:94       no                 0.53
>   1     00:a0:c9:f6:77:37       no                 4.78
>   1     00:c0:9f:ab:e6:92       no                76.87
>   1     00:c0:9f:d4:0e:8a       no                14.18
>   1     00:e0:81:20:b7:ec       no                 0.03
>   1     00:ff:7f:b2:80:34       no                 2.99
>   2     00:ff:d1:9f:78:48       yes                0.00
> 
> wtc-vpn:/etc/openvpn# cat server.conf
> 
> local [public IP]
> port 1194
> proto udp
> dev tap0
> 
> ca /etc/openvpn/keys/ca.crt
> cert /etc/openvpn/keys/server.crt
> key /etc/openvpn/keys/server.key
> dh /etc/openvpn/keys/dh1024.pem
> 
> management 127.0.0.1 905
> mode server
> tls-server
> 
> push "route [public IP] 255.255.255.255 net_gateway"
> push "route-gateway [LAN gateway]"
> push "route [subnet 1] 255.255.255.0"
> push "route [subnet 2] 255.255.255.0"
> push "route [subnet 3] 255.255.255.0"
> push "route [subnet 4] 255.255.255.0"
> push "route [subnet 5] 255.255.255.0"
> push "route [subnet 6] 255.240.0.0"
> push "route [subnet 7] 255.255.255.192"
> push "dhcp-option DNS [LAN DNS 1]"
> push "dhcp-option DNS [LAN DNS 2]"
> push "dhcp-option DNS [LAN DNS 3]"
> 
> script-security 2 system
> client-connect /etc/openvpn/ccs.sh
> client-disconnect /etc/openvpn/ccd.sh
> client-config-dir client-configs
> ccd-exclusive
> username-as-common-name
> keepalive 2 10
> reneg-sec 0
> tls-auth /etc/openvpn/keys/ta.key 0
> plugin /usr/lib/openvpn/openvpn-auth-pam.so login
> cipher AES-256-CBC
> comp-lzo
> max-clients 13
> 
> user ovpn-user
> group ovpn-user
> 
> persist-key
> persist-tun
> 
> status openvpn-status.log
> log-append      /var/log/openvpn.log
> verb 6
> mute 5
> mute-replay-warnings


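The symptom in the message (ARP requests leave via vlan9, replies arrive on br0 but rarely reach tap0) comes down to one mechanism: an ARP reply is a unicast frame addressed to the requester's MAC, and a Linux bridge delivers a unicast frame only to the port on which it last learned that destination MAC, flooding it to all ports only when the MAC is unknown. So whether the reply ever reaches tap0 depends on where br0 learned the VPN client's MAC, which is exactly what `brctl showmacs` reports. The following is an added example, not code from the original post or from the bridge-utils project: it parses the `brctl showmacs` format shown above (sample table constructed from the entries in the message, port numbers mapped via its `brctl show` output, port 1 = vlan9, port 2 = tap0) and models the forwarding decision for a given destination MAC. The `learned_behind_wrong_port` check is a heuristic of mine, not a diagnosis from the post: it lists non-local entries that share the 00:ff prefix of the server's own tap0 MAC (the prefix that TAP-Windows adapters and the tap driver on this kernel generate, which I assume here) but were learned on a port other than tap0, since a client MAC learned on the physical side would steer its ARP replies out vlan9 rather than tap0.

```python
"""Added example (not from the original post): model the Linux bridge
forwarding decision from `brctl showmacs` output.

A unicast frame such as an ARP reply is delivered to the single port on
which the bridge learned the destination MAC; an unknown, expired or
broadcast/multicast destination is flooded to every port.
"""
import re
from dataclasses import dataclass

# Constructed from the (abridged) `brctl showmacs br0` output in the post.
SAMPLE_SHOWMACS = """\
port no mac addr                is local?       ageing timer
  1     00:02:b3:07:85:e0       no               224.01
  1     00:04:27:0a:72:40       no                24.98
  1     00:0c:29:46:f9:50       yes                0.00
  1     00:0c:29:b6:92:8e       no               205.96
  1     00:50:56:ba:6a:87       no                32.87
  1     00:e0:81:20:b7:ec       no                 0.03
  1     00:ff:7f:b2:80:34       no                 2.99
  2     00:ff:d1:9f:78:48       yes                0.00
"""

PORT_NAMES = {1: "vlan9", 2: "tap0"}  # from `brctl show` in the post

FDB_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(yes|no)\s+([\d.]+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FdbEntry:
    port: int
    mac: str
    is_local: bool   # MAC belongs to the bridge port itself
    ageing: float    # seconds since the bridge last saw this MAC as a source


def parse_showmacs(text):
    """Parse `brctl showmacs` text; header, blank and <snip> lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FDB_LINE.match(line)
        if m:
            entries.append(FdbEntry(int(m.group(1)), m.group(2).lower(),
                                    m.group(3).lower() == "yes",
                                    float(m.group(4))))
    return entries


def forwarding_port(entries, dst_mac, port_names=PORT_NAMES, ageing_time=300.0):
    """Name of the port a unicast frame to dst_mac leaves on, 'local' if the
    bridge itself consumes it, or 'flood' when it goes to every port.

    ageing_time mirrors the bridge ageing setting (Linux default 300 s,
    `brctl setageing`); an entry older than that has been garbage-collected
    and no longer steers traffic.
    """
    dst_mac = dst_mac.lower()
    if int(dst_mac[:2], 16) & 1:          # group bit set: broadcast/multicast
        return "flood"
    for e in entries:
        if e.mac == dst_mac and e.ageing < ageing_time:
            return "local" if e.is_local else port_names[e.port]
    return "flood"


def learned_behind_wrong_port(entries, tap_port=2):
    """Heuristic (my assumption, not a finding from the post): non-local MACs
    sharing the 00:ff-style prefix of the tap port's own MAC but learned on
    another port. Such a client MAC would have its ARP replies sent out that
    other port instead of tap0."""
    prefixes = {e.mac[:5] for e in entries if e.port == tap_port and e.is_local}
    return [e.mac for e in entries
            if e.port != tap_port and not e.is_local and e.mac[:5] in prefixes]


if __name__ == "__main__":
    fdb = parse_showmacs(SAMPLE_SHOWMACS)
    for mac in ("00:0c:29:b6:92:8e", "00:ff:d1:9f:78:48",
                "ff:ff:ff:ff:ff:ff", "00:ff:7f:b2:80:35"):
        print(mac, "->", forwarding_port(fdb, mac))
    print("learned off the tap port:", learned_behind_wrong_port(fdb))
```

Run it against live output with `brctl showmacs br0 > fdb.txt` and feed the file to `parse_showmacs`, querying the MAC of the client's TAP adapter; if the answer is `vlan9` or `flood` rather than `tap0` while the client is connected, the bridge's learning, not OpenVPN, is where the replies are going astray, and `tcpdump -ni vlan9 arp` beside `tcpdump -ni tap0 arp` will confirm which port they leave on.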