At 04:52 PM 7/10/2004 -0700, Ryan Rich wrote:
Hello,

I have a question regarding the setup of proxy arp... I think my situation is a little strange, so let me explain. I do not consider myself a network expert, so forgive me if I am a little off with my terminology... We have a physical network that contains 2 logical subnets, 138.23.aa/24 and 138.23.bb/24 (i.e. I can assign a machine address 138.23.aa.xx (mask 255.255.255.0) or 138.23.bb.xx (mask 255.255.255.0), plug them into the same jack, and they will both work). I have a few servers I would like to firewall using proxy arp.
Some of the machines have an address on the 138.23.aa network and some on the 138.23.bb.


Now this works fine if I assign the LEAF machine an IP address in the 138.23.aa network (eth0) and the server's address in my dmz (eth1) is also in the same subnet (138.23.aa)... but when I try to add a server with an address from the 138.23.bb network to my dmz, it is unreachable (even though if I were to plug this machine into the very same physical connection with that address it would work). Now after doing a little reading about proxy arp it looks like this would be normal behavior...
So I do have an extra address in the 138.23.bb network, so I tried adding it as an alias to the eth0 interface (eth0:0) in hopes that I would then be able to proxy arp to my servers with both the 138.23.aa and 138.23.bb addresses. I have had no luck as of yet, though: the aliased address on the LEAF box interface is pingable and reachable, but it still won't proxy arp to the machine in the dmz with the 138.23.bb address. I have tried changing the broadcast in the shorewall config from detect to 138.23.aa.255,138.23.bb.255 but no dice.


I have gone through the shorewall documentation and read about aliasing, but I don't see anything that is similar to my situation.
Does anyone have any suggestions on how to go about making this work, or is it just too weird to have a network like this?

First, a "blue sky" thought here. I mention it only because you emphasized that you are not a networking expert. (Also, your "i.e." is ambiguous in a way that is exactly relevant to this possibility, and your comment about changing the broadcast address also suggests it.)


Is it possible that aa and bb are sequential values (for example, 20 and 21) of a sort (even-odd, not odd-even) that would let you use the representation 138.23.aa.0/23 for the network? If so, you can probably modify the LEAF router's settings to treat everything as a single network. And then 138.23.bb.255 is the correct broadcast address.

If that approach can't be used ... Tom already answered about the 1-external address situation. But it remains unclear why you can't proxy arp if both networks appear on the external interface. Did you verify that you set this part up correctly ... for example, does the LEAF router's routing table have entries for both 138.23.aa.0/24 and 138.23.bb.0/24? Do the DMZ hosts on 138.23.bb.0/24 and the LEAF router themselves communicate properly?
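An added check (my own code, not from the thread or from the LEAF/Shorewall projects) for the two things the reply asks Ryan to verify: whether the two /24s collapse into one /23 (only when the lower third octet is even and the upper one is exactly one higher), and whether the router's routing table actually carries both prefixes. The values 20/21 and 21/22 and the route lines are constructed, since aa and bb are unknown.

```python
import ipaddress
from typing import List, Optional

def merge_into_23(net_a: str, net_b: str) -> Optional[ipaddress.IPv4Network]:
    """Return the single /23 that covers both /24s, or None.

    Two /24s collapse into one /23 only when the lower third octet is
    even and the upper one is lower+1: 20/21 merges into x.x.20.0/23,
    but 21/22 does not, because 21 and 22 sit in different /23 blocks.
    """
    a = ipaddress.ip_network(net_a, strict=True)
    b = ipaddress.ip_network(net_b, strict=True)
    if a.prefixlen != 24 or b.prefixlen != 24:
        raise ValueError("both arguments must be /24 networks")
    lo, hi = sorted((a, b), key=lambda n: int(n.network_address))
    candidate = lo.supernet(prefixlen_diff=1)  # the /23 containing lo
    return candidate if hi.subnet_of(candidate) else None

def broadcast_of(net: ipaddress.IPv4Network) -> str:
    """Broadcast address of the merged network (138.23.bb.255 in the reply)."""
    return str(net.broadcast_address)

def missing_routes(ip_route_output: str, required: List[str]) -> List[str]:
    """Return the prefixes in `required` with no exact entry in `ip route show`.

    Host routes without a mask (the proxy-ARP /32 entries toward the DMZ)
    are normalised to /32; the default route is ignored.
    """
    present = set()
    for line in ip_route_output.splitlines():
        parts = line.split()
        if not parts or parts[0] == "default":
            continue
        dest = parts[0] if "/" in parts[0] else parts[0] + "/32"
        present.add(ipaddress.ip_network(dest, strict=False))
    return [r for r in required if ipaddress.ip_network(r) not in present]

# Constructed `ip route show` output: both /24s on eth0, one DMZ host via eth1.
SAMPLE_ROUTES = """\
138.23.20.0/24 dev eth0  proto kernel  scope link  src 138.23.20.5
138.23.21.0/24 dev eth0  proto kernel  scope link  src 138.23.21.9
138.23.21.77 dev eth1  scope link
default via 138.23.20.1 dev eth0
"""

if __name__ == "__main__":
    merged = merge_into_23("138.23.20.0/24", "138.23.21.0/24")
    print("20/21 ->", merged, "broadcast", broadcast_of(merged))
    print("21/22 ->", merge_into_23("138.23.21.0/24", "138.23.22.0/24"))
    print("missing:", missing_routes(SAMPLE_ROUTES, ["138.23.20.0/24", "138.23.21.0/24"]))
```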

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
