OK, I really appreciate the help here. I've tried to modify the setup for
now by taking shorewall out of the mix by doing a "shorewall stop;
shorewall clear" and then setting everything up manually.  I think I have
followed your instructions correctly except for the addresses for the eth1
interface, as I noted below with my responses...

> I can't tell you exactly what given the nearly complete lack of
> diagnostic information, but I'll try to get you headed in the right
> direction.  First, let's get some details out of the way:
>
> - It sounds like you only have an upstream (eth0) and dmz (eth1)
> interface on your Bering box...is that correct?

Correct.

> - You have two subnets connected to the upstream interface of your
> firewall: 138.23.75.0/24 and 138.23.76.0/24, correct?

Correct.

> - You want to put externally visible IP's from both subnet ranges on a
> proxy-arp DMZ connected to eth1 of your firewall, correct?

Correct.

> OK, assuming all of the above is accurate, you need to setup the
> following:
>
> - eth0 should be configured with:
>    * An IP address on both subnets
>    * A local route to each subnet
>    * A default route to your upstream gateway
>    * Proxy-arp enabled
>
> - eth1 should be configured with:
>    * An IP address on both subnets (different IP's than used for eth0)
>    * A host route for each public IP to make visible upstream
>    * Proxy-arp enabled

I was under the impression that the IP address(es) assigned to the
interface connected to the DMZ network were irrelevant when using proxy
ARP, after reading the shorewall docs...  Please correct me if I am
wrong...  It will take me a little while to scrape together a couple of
extra available IPs from both nets if I really do need them...  For now I
have just assigned eth1 on the leaf box 192.168.1.1 with a mask of
255.255.255.255 and broadcast of 0.0.0.0.

>
> You can verify this setup (and report diagnostics to the list) with the
> following commands:
>
>    ip addr list
>    ip route list
>    for i in /proc/sys/net/ipv4/conf/*/proxy_arp ; do
>      echo $i: ; cat $i ; done


(started with a shorewall stop ; shorewall clear)
<<begin diagnostics>>

firewall# ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:4b:9e:82:d6 brd ff:ff:ff:ff:ff:ff
    inet 138.23.75.52/24 brd 138.23.75.255 scope global eth0
    inet 138.23.76.127/24 brd 138.23.76.255 scope global eth0:0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:4b:6a:83:ee brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/32 scope global eth1


firewall# ip route list
138.23.76.112 dev eth1  scope link
138.23.75.60 dev eth1  scope link
138.23.75.0/24 dev eth0  proto kernel  scope link  src 138.23.75.52
138.23.76.0/24 dev eth0  proto kernel  scope link  src 138.23.76.127
default via 138.23.75.1 dev eth0


firewall# for i in /proc/sys/net/ipv4/conf/*/proxy_arp ; do
> echo $i: ; cat $i ; done
/proc/sys/net/ipv4/conf/all/proxy_arp:
0
/proc/sys/net/ipv4/conf/default/proxy_arp:
0
/proc/sys/net/ipv4/conf/eth0/proxy_arp:
1
/proc/sys/net/ipv4/conf/eth1/proxy_arp:
1
/proc/sys/net/ipv4/conf/lo/proxy_arp:
0


<<end diagnostics>>

Everything seems to work the same as it did when I set this up through
shorewall.  All traffic to and from 138.23.76.112 works fine, but
138.23.75.60 is inaccessible except via the leaf box or the 138.23.76.112
machine in the DMZ.  Also, the 138.23.75.60 machine is able to ping both
external interfaces on the leaf box, but nothing beyond that.

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
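As an added example (not code from this thread, Shorewall or LEAF), the script below reads saved output of the three diagnostic commands requested above and checks it against the checklist in the quoted reply: an address on each public subnet and a connected route for it on eth0, a default route via the upstream gateway, a host route per DMZ IP on eth1, and proxy_arp enabled on both interfaces. The sample strings are the diagnostics posted above, trimmed to the eth0/eth1 entries; the interface names, DMZ host list and gateway passed to audit() are read off those same diagnostics. Whether eth1 truly needs an address on each public subnet is the open question in this thread, so the script only reports that the quoted checklist asks for one.

```python
"""Check a proxy-ARP DMZ setup against the checklist quoted above.

Added example, not code from the thread, Shorewall or LEAF.  It parses saved
output of 'ip addr list', 'ip route list' and the proxy_arp loop and reports
which checklist items are missing.  The sample strings below are the posted
diagnostics, trimmed to the eth0/eth1 entries.
"""
import ipaddress
import re

ADDR_OUT = """\
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 138.23.75.52/24 brd 138.23.75.255 scope global eth0
    inet 138.23.76.127/24 brd 138.23.76.255 scope global eth0:0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.1.1/32 scope global eth1
"""
ROUTE_OUT = """\
138.23.76.112 dev eth1  scope link
138.23.75.60 dev eth1  scope link
138.23.75.0/24 dev eth0  proto kernel  scope link  src 138.23.75.52
138.23.76.0/24 dev eth0  proto kernel  scope link  src 138.23.76.127
default via 138.23.75.1 dev eth0
"""
PROXY_OUT = """\
/proc/sys/net/ipv4/conf/all/proxy_arp:
0
/proc/sys/net/ipv4/conf/eth0/proxy_arp:
1
/proc/sys/net/ipv4/conf/eth1/proxy_arp:
1
"""


def parse_ip_addr(text):
    """Map interface name -> list of IPv4Interface from 'ip addr list' output."""
    addrs, iface = {}, None
    for line in text.splitlines():
        m = re.match(r"^\d+:\s+(\S+?):", line)
        if m:
            iface = m.group(1)
            addrs.setdefault(iface, [])
            continue
        m = re.match(r"^\s+inet\s+(\S+)", line)  # 'inet6' does not match
        if m and iface:
            addrs[iface].append(ipaddress.ip_interface(m.group(1)))
    return addrs


def parse_ip_route(text):
    """Return [(network, dev, via)] from 'ip route list' output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((net, dev, via))
    return routes


def parse_proxy_arp(text):
    """Map interface name -> bool from the proxy_arp 'for' loop output."""
    flags, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^/proc/sys/net/ipv4/conf/([^/]+)/proxy_arp:$", line)
        if m:
            key = m.group(1)
        elif key and line in ("0", "1"):
            flags[key], key = line == "1", None
    return flags


def audit(addr_text, route_text, proxy_text, upstream, dmz, dmz_hosts, gateway):
    """Return the checklist items that are not satisfied (empty = all good)."""
    addrs = parse_ip_addr(addr_text)
    routes = parse_ip_route(route_text)
    proxy = parse_proxy_arp(proxy_text)
    findings = []
    for ifc in (upstream, dmz):
        if not proxy.get(ifc, False):
            findings.append(f"proxy_arp is 0 on {ifc}")
    if not any(n.prefixlen == 0 and d == upstream and v == gateway
               for n, d, v in routes):
        findings.append(f"no default route via {gateway} dev {upstream}")
    for host in map(ipaddress.ip_address, dmz_hosts):
        # The kernel only answers proxy ARP for destinations it has a route to
        # on another interface, so each DMZ IP needs a host route out of dmz.
        if not any(n.prefixlen == 32 and host in n and d == dmz
                   for n, d, _ in routes):
            findings.append(f"no host route for {host} dev {dmz}")
        on_up = [a.network for a in addrs.get(upstream, []) if host in a.network]
        if not on_up:
            findings.append(f"{upstream} has no address on the subnet of {host}")
            continue
        subnet = on_up[0]
        if not any(n == subnet and d == upstream for n, d, _ in routes):
            findings.append(f"no connected route for {subnet} dev {upstream}")
        if not any(host in a.network for a in addrs.get(dmz, [])):
            findings.append(f"{dmz} has no address on {subnet} (the checklist asks for one)")
    return findings


if __name__ == "__main__":
    problems = audit(ADDR_OUT, ROUTE_OUT, PROXY_OUT, "eth0", "eth1",
                     ("138.23.75.60", "138.23.76.112"), "138.23.75.1")
    for p in problems or ["checklist satisfied"]:
        print(p)
```

Run against the posted diagnostics it reports only that eth1 carries no address on 138.23.75.0/24 or 138.23.76.0/24; the routes and proxy_arp flags match the checklist. To use it on your own box, replace the three constants with the output of `ip addr list`, `ip route list` and the proxy_arp loop, and pass your interface names, DMZ IPs and gateway to audit().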
