Ok, first I want to thank everyone for their responses so far! I will stop being ambiguous, since it seems to make things more complicated, and I think where I work probably has the whole 138.23.0.0/16 block anyway, so that secret is already out... My addresses are on the 138.23.75.0 and 138.23.76.0 subnets.
I have been trying to narrow down the problem with the machine that was unreachable in the DMZ, so I removed the multiple addresses from the eth0 interface on the LEAF box and currently only have 1 machine in the DMZ. Currently for testing I am using the following setup...

LEAF eth0 = 138.23.75.52 mask 255.255.255.0
LEAF eth1 = 192.168.1.1
Machine in DMZ = 138.23.75.60 mask 255.255.255.0

The LEAF box is able to ping the machine in the DMZ and the machine in the DMZ can ping the LEAF box, so everything between these two machines seems great. A route shows up for 138.23.75.60 via eth1. However, when I try to ping the machine in the DMZ from another machine, there is no luck (shorewall has been set to allow pings and there is nothing in the log). Also, the machine in the DMZ can ping nothing outside of the LEAF box.

Now, if I give the same machine in the DMZ the address I used for the machine that did work before (138.23.76.112 mask 255.255.255.0), everything works beautifully! The 138.23.76.112 address in the DMZ works if the LEAF eth0 interface is assigned an address in the 138.23.75 or the 138.23.76 subnet too, so I guess that is not an issue after all.

So right now I am baffled. If I plug the machine in the DMZ directly into the network with the 138.23.75.60 address it works fine. Am I going mad, or is there something that would cause this behavior?

Many Thanks,
Ryan

> At 04:52 PM 7/10/2004 -0700, Ryan Rich wrote:
>> Hello,
>>
>> I have a question regarding the setup of proxy arp... I think my situation is a little strange, so let me explain. I do not consider myself a network expert, so forgive me if I am a little off with my terminology... We have a physical network that contains 2 logical subnets, 138.23.aa/24 and 138.23.bb/24 (i.e. I can assign a machine address 138.23.aa.xx (mask 255.255.255.0) or 138.23.bb.xx (mask 255.255.255.0) and plug them into the same jack and they will both work). I have a few servers I would like to firewall using proxy arp. Some of the machines have an address on the 138.23.aa network and some on the 138.23.bb.
>>
>> Now this works fine if I assign the LEAF machine an IP address in the 138.23.aa network (eth0) and the server's address in my DMZ (eth1) is also in the same subnet (138.23.aa)... but when I try to add a server with an address from the 138.23.bb network to my DMZ, it is unreachable (even though if I were to plug this machine into the very same physical connection with that address it would work). Now, after doing a little reading about proxy arp, it looks like this would be normal behavior... So I do have an extra address in the 138.23.bb network, so I tried adding it as an alias to the eth0 interface (eth0:0) in hopes that I would then be able to proxy arp to my servers with both the 138.23.aa and 138.23.bb addresses. I have had no luck as of yet, though; the aliased address on the LEAF box interface is pingable and reachable, but it still won't proxy arp to the machine in the DMZ with the 138.23.bb address. I have tried changing the broadcast in the shorewall config from detect to 138.23.aa.255,138.23.bb.255, but no dice.
>>
>> I have gone through the shorewall documentation and read about aliasing, but I don't see anything that is similar to my situation. Does anyone have any suggestions on how to go about making this work, or is it just too weird to have a network like this?
>
> First, a "blue sky" thought here. I mention it only because you emphasized that you are not a networking expert. (Also, your "i.e." is ambiguous in a way that is exactly relevant to this possibility, and your comment about changing the broadcast address also suggests it.)
>
> Is it possible that aa and bb are sequential values (for example, 20 and 21) of a sort (even-odd, not odd-even) that would let you use the representation 138.23.aa.0/23 for the network? If so, you can probably modify the LEAF router's settings to treat everything as a single network. And then 138.23.bb.255 is the correct broadcast address.
>
> If that approach can't be used ... Tom already answered about the 1-external-address situation. But it remains unclear why you can't proxy arp if both networks appear on the external interface. Did you verify that you set this part up correctly ... for example, does the LEAF router's routing table have entries for both 138.23.aa.0/24 and 138.23.bb.0/24? Do the DMZ hosts on 138.23.bb.0/24 and the LEAF router themselves communicate properly?

-- 
Ryan Rich
Sun Certified Programmer for Java 2 Platform
Oracle Developer
http://www.richservices.com/

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
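The two checks the reply asks for (can the two /24s be written as one /23, and does the router's routing table actually send the DMZ address out the DMZ interface so that proxy ARP answers for it) can be worked through offline. The following is an added example, not code from the thread or from LEAF/shorewall. It models the Linux proxy-ARP rule: with proxy_arp enabled on an interface, the kernel answers an ARP request it sees on that interface only when its own longest-prefix route to the requested address leaves through a *different* interface. The routing table is constructed from the addresses Ryan posted (eth0 138.23.75.52/24, eth1 192.168.1.1, DMZ host 138.23.75.60 via eth1); the default-gateway address 138.23.75.1 and the proxy_arp flags are assumptions, and the sample /24 pairs are constructed.

```python
import ipaddress

# Constructed routing table modelled on the LEAF box described in the thread.
# Format: (prefix, outgoing device, gateway or None). The gateway address
# 138.23.75.1 is an assumption; the thread does not give it.
LEAF_ROUTES = [
    ("138.23.75.60/32", "eth1", None),          # host route to the DMZ machine
    ("138.23.75.0/24", "eth0", None),           # connected route on the external side
    ("192.168.1.0/24", "eth1", None),           # eth1's own subnet
    ("0.0.0.0/0", "eth0", "138.23.75.1"),       # assumed upstream gateway
]

# Assumed sysctl state: net.ipv4.conf.<dev>.proxy_arp on both interfaces.
PROXY_ARP = {"eth0": True, "eth1": True}


def lookup(routes, target):
    """Longest-prefix match, the way the kernel picks a route.
    Returns (network, device, gateway) or None when nothing matches."""
    addr = ipaddress.ip_address(target)
    best = None
    for prefix, dev, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best


def will_proxy_arp(routes, arp_in_dev, target, proxy_arp):
    """Would a Linux router answer an ARP request for `target` that arrives on
    `arp_in_dev`? Only if proxy_arp is on for that interface AND the route to
    `target` exits via some other interface. If the route exits the same
    interface the request came in on, the real host is expected to answer."""
    if not proxy_arp.get(arp_in_dev, False):
        return False
    route = lookup(routes, target)
    if route is None:
        return False
    return route[1] != arp_in_dev


def aggregate_to_23(net_a, net_b):
    """The reply's 'blue sky' idea: two /24s collapse into one /23 only when
    their third octets form an even/odd pair (e.g. 76 and 77, not 75 and 76).
    Returns the covering /23, or None when the pair does not aggregate."""
    a = ipaddress.ip_network(net_a)
    b = ipaddress.ip_network(net_b)
    if a.prefixlen != 24 or b.prefixlen != 24:
        return None
    covering = a.supernet(new_prefix=23)
    return covering if b.subnet_of(covering) else None


def check_setup(routes=LEAF_ROUTES, proxy_arp=PROXY_ARP):
    """Run the sanity checks for the posted configuration and return them
    as a dict so they can be inspected or asserted on."""
    return {
        # External hosts ARP for the DMZ machine on eth0; the LEAF box must answer.
        "eth0 answers for DMZ host": will_proxy_arp(routes, "eth0", "138.23.75.60", proxy_arp),
        # The LEAF box must NOT answer for other hosts on its own /24.
        "eth0 stays quiet for .75.61": will_proxy_arp(routes, "eth0", "138.23.75.61", proxy_arp),
        # The DMZ host ARPs for its (assumed) gateway on eth1; the LEAF box must answer
        # there too, or the DMZ host can reach nothing beyond the LEAF box.
        "eth1 answers for gateway": will_proxy_arp(routes, "eth1", "138.23.75.1", proxy_arp),
        # Ryan's actual pair (75, 76) is odd/even, so no single /23 covers it.
        "75+76 as one /23": aggregate_to_23("138.23.75.0/24", "138.23.76.0/24"),
    }


if __name__ == "__main__":
    for name, result in check_setup().items():
        print(f"{name}: {result}")
```

The last entry is the concrete answer to the reply's question for the octets Ryan later disclosed: 75 and 76 are an odd/even pair, so the /23 shortcut is not available and both /24s have to be handled on the external interface. Comparing `ip route show` on the LEAF box against `LEAF_ROUTES` (in particular, that a host route for every DMZ address really points at eth1 and that `cat /proc/sys/net/ipv4/conf/eth0/proxy_arp` prints 1) is the check the reply asks for.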
