At 11:52 AM 7/12/2004 -0700, Ryan Rich wrote:
Ok,
First I want to thank everyone for their responses so far! I will stop being ambiguous, since it seems to make things more complicated, and I think where I work probably has the whole 138.23.0.0/16 block anyway, so that secret is already out... My addresses are on the 138.23.75.0 and 138.23.76.0 subnets.
You are correct in all of these guesses (According to the ARIN database). This suggests a different approach to solving your problem: talk to the sysadmin in charge of whatever system is the gateway for these two networks. Ask him or her to set its routing table to make (for example) 138.23.75.254 (the external address of the LEAF router) its default route to 138.23.76.0/24. This might not work ... after all, someone was silly enough to select a set of address ranges that do not combine to a /23 ... but it might be a solution to your problem.
I have been trying to narrow down the problem with the machine that was unreachable in the dmz, so I removed the multiple addresses from the eth0 interface on the leaf box and currently only have 1 machine in the dmz. Currently for testing I am using the following setup...
LEAF eth0 = 138.23.75.52 mask 255.255.255.0
LEAF eth1 = 192.168.1.1
Machine in dmz = 138.23.75.60 mask 255.255.255.0
Just to emphasize what you've done: this test setup eliminates all use of the 138.23.76.0/24 network. So *complicated* proxy-arp issues are now out the door.
The leaf box is able to ping the machine in the dmz and the machine in the dmz can ping the leaf box. So everything between these two machines seems great. Route shows up for 138.23.75.60 via eth1.
Please report this exactly, not via a paraphrase. (That is, quote the complete output of "ip route show" or "netstat -nr".)
However, when I try to ping the machine in the dmz from another machine, there is no luck (shorewall has been set to allow pings and there is nothing in the log). Also the machine in the dmz can ping nothing outside of the leaf box.
Please describe the failure mode exactly, not with vague phrases like "no luck".
I am a bit confused about your use of the term "DMZ" here. Usually, it refers to a subset of hosts on a separate *physical* network, for example here on an eth2 interface. But you say your route to it is on eth1, which is usually the internal interface ... the one that handles NAT'ing of a private-address-range LAN and that you say is assigned 192.168.1.1, an address consistent with that customary use.
So, two things come to mind.
1. Does the "DMZ" host (which you say is "138.23.75.60 mask 255.255.255.0") have a proper routing table? Specifically, does it know that its route to the Internet is 192.168.1.1? Since this eth1 interface does not have a 138.23.75.0/24 address, it cannot proxy-arp the LEAF router's default gateway (which I assume is some 138.23.75.d address ... but maybe next time you better fill in this blank too).
2. Do you have proxy arp enabled properly on the LEAF router? You check this by checking the values of

  /proc/sys/net/ipv4/conf/eth0/proxy_arp
  /proc/sys/net/ipv4/conf/eth1/proxy_arp
  /proc/sys/net/ipv4/conf/all/proxy_arp
  /proc/sys/net/ipv4/conf/default/proxy_arp

(your system may not have the last one) to make sure suitable ones contain "1" values. (I believe a 1 for all or default overrides a 0 for eth0 or eth1.)
Another way to test directly for whether proxy arp is working is to use a host on the LEAF router's external network. (If you have access to the gateway host, that would be a good choice.) Run these two commands:

  ping 138.23.75.52
  ping 138.23.75.60

No matter how the pings themselves turn out, now check the arp table on the host you've ping'ed from. How you do this is OS specific; in Linux, you'd "cat /proc/net/arp". If both IP addresses are present and show the same associated MAC address, then proxy arp is working as it should.
Now, if I give the same machine in the dmz the address I used for the machine that did work before (138.23.76.112 mask 255.255.255.0) everything works beautifully! The 138.23.76.112 address in the dmz works if the LEAF eth0 interface is assigned an address in the 138.23.75 or the 138.23.76 subnet too, so I guess that is not an issue after all.
Just to be clear ... do you mean that in this case, an off-LAN host can ping the on-LAN 138.23.76.112 host and get a response? Are you sure the response is coming from that host (does it come via the LEAF router's MAC address?)?
I also can't tell what actual tests your last sentence refers to ... surely you didn't try all possible combinations of addresses.
So right now I am baffled. If I plug the machine in the dmz directly into the network with the 138.23.75.60 address it works fine. Am I going mad, or is there something that would cause this behavior?
Well, obviously "something" is causing it. Charles gave you a good rundown of some diagnostics you could provide (for the LEAF router) that might let one of us help you find the something. I hope my comments above take you a bit further along.
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
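The two checks suggested in the reply above (the proxy_arp sysctl values on the LEAF router, and the "ping both addresses, then compare the MACs in the ARP table" test from an external-LAN host) scripted as an added example. This is not code from the original thread or from the LEAF project. It assumes the interface names eth0/eth1 and the addresses 138.23.75.52 and 138.23.75.60 from the message; the MAC address and the two sample /proc/net/arp tables are constructed for illustration. The effective-value rule it encodes (proxy_arp is on for an interface if either conf/all/proxy_arp or conf/<iface>/proxy_arp is 1) is the one documented in the Linux kernel's ip-sysctl notes.

```shell
#!/bin/sh
# Added example: proxy-arp diagnostics for the setup discussed in the thread.
# Interface names, addresses, the MAC and the sample ARP tables are assumptions.

# Effective proxy_arp for an interface: enabled if conf/all OR conf/<iface> is 1
# (the rule from the kernel's ip-sysctl documentation).
# Usage: proxy_arp_effective <all_value> <iface_value>   -> prints 1 or 0
proxy_arp_effective() {
    if [ "$1" = "1" ] || [ "$2" = "1" ]; then echo 1; else echo 0; fi
}

# Read the live sysctl values on a Linux/LEAF router and print the effective one.
# Usage: proxy_arp_on_router eth0
proxy_arp_on_router() {
    iface=$1
    all=$(cat /proc/sys/net/ipv4/conf/all/proxy_arp 2>/dev/null || echo 0)
    dev=$(cat "/proc/sys/net/ipv4/conf/$iface/proxy_arp" 2>/dev/null || echo 0)
    proxy_arp_effective "$all" "$dev"
}

# Given the text of /proc/net/arp on stdin, print the MAC learned for IP $1.
# Prints nothing if the address is absent or the entry is incomplete
# (flags 0x0 means the ARP request was never answered).
# Columns: IP address, HW type, Flags, HW address, Mask, Device
mac_for_ip() {
    awk -v ip="$1" 'NR > 1 && $1 == ip && $3 != "0x0" { print $4; exit }'
}

# Compare the MACs recorded for two addresses in an ARP table read from stdin.
# Returns 0 when both are present and identical (proxy arp answered for both),
# 1 otherwise. Usage: check_proxy_arp 138.23.75.52 138.23.75.60 < /proc/net/arp
check_proxy_arp() {
    table=$(cat)
    mac_a=$(printf '%s\n' "$table" | mac_for_ip "$1")
    mac_b=$(printf '%s\n' "$table" | mac_for_ip "$2")
    if [ -z "$mac_a" ] || [ -z "$mac_b" ]; then
        echo "proxy-arp NOT working: incomplete entry ($1=${mac_a:-none}, $2=${mac_b:-none})"
        return 1
    fi
    if [ "$mac_a" = "$mac_b" ]; then
        echo "proxy-arp OK: $1 and $2 both resolve to $mac_a"
        return 0
    fi
    echo "proxy-arp NOT working: $1=$mac_a but $2=$mac_b"
    return 1
}

# Constructed sample: what /proc/net/arp on an external-LAN host should look
# like after pinging both addresses when proxy arp works (router MAC invented).
SAMPLE_ARP_OK='IP address       HW type     Flags       HW address            Mask     Device
138.23.75.52     0x1         0x2         00:11:22:33:44:55     *        eth0
138.23.75.60     0x1         0x2         00:11:22:33:44:55     *        eth0'

# Constructed sample: the router answered for its own address only; the
# request for .60 stayed unanswered (flags 0x0, no usable MAC).
SAMPLE_ARP_BAD='IP address       HW type     Flags       HW address            Mask     Device
138.23.75.52     0x1         0x2         00:11:22:33:44:55     *        eth0
138.23.75.60     0x1         0x0         00:00:00:00:00:00     *        eth0'

# Live run (on the router for the sysctls, on an external-LAN host for the
# ping/ARP test): sh proxyarp-check.sh --live
if [ "${1:-}" = "--live" ]; then
    for i in eth0 eth1; do
        echo "$i effective proxy_arp: $(proxy_arp_on_router "$i")"
    done
    ping -c 2 138.23.75.52 >/dev/null 2>&1
    ping -c 2 138.23.75.60 >/dev/null 2>&1
    check_proxy_arp 138.23.75.52 138.23.75.60 < /proc/net/arp
fi
```

The second sample table is the signature to look for in the thread's failure case: the router's own address resolves, the "DMZ" host's address does not, so the external host never even sends the ICMP packet toward the LEAF box and Shorewall has nothing to log.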
