> However it is surprising that the router answers ARP requests for
> addresses that are on the same side. This would not break only DHCP but
> all ARP operation on the subnet.
>
> > What would you advise to get rid of this situation?
> > I suppose that turning arp_proxy only on eth0 should work
>
> I cannot give any advice without knowledge about your network layout, IP
> subnets, routing tables, and what you need proxy ARP for.

It's simple. I've got 2 routers.
One that is a BGP peer with worldwide routing table that holds a C IP
class and has IP x.x.x.1
My router/firewall/TC machine is connected directly to the router with
x.x.x.2 IP.
It has 3 interfaces:
- eth0 for internet, default via x.x.x.1
- eth1 for 10.0.x.x clients (DHCP assigned)
- eth2 for 10.0.x.x clients (pppoe-server assigned)
Actually 80% of the clients are masqueraded on x.x.x.2 but those who
have public IP addr are masqueraded also (DNAT/SNAT) so things like
active ftp don't work well.
I want to assign IP addresses directly to the interface of my clients
- I've been testing it for a while and it works - except for one
thing. After about 10 (?maybe less, maybe more?) minutes of
inactivity - there's no way to ping or connect to an IP addr from the
internet.
I think it has something to do with the way I assign IP addresses
statically through DHCP - my iptables and arp table are denying
customers to connect with another MAC address.
So when I enable arp proxy on eth0 - everything is OK - but AFAIK
I have to enable it on eth2 and eth1 and then clients get the
"DHCPDECLINE" message.
I can provide as much info as You want (and I'm able to ;) )
Regards.
Wojtek
--
Wojciech Ziniewicz
Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;flex;
unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eject;
umount;makeclean; zip;split;done;exit:xargs!!;)}