jdike at karaya.com
Fri Nov 2 19:59:21 EST 2001
raven at oneeyedcrow.net said:
> Since proxy-arp is on for eth0, which is connected to Subnet 0, this
> means that if a machine on Subnet 0 does an ARP request for a machine
> on Subnet 1, the firewall will respond to the ARP request with its own
> hardware address mapping to the IP on subnet 1. So as far as the
> devices on Subnet 0 are concerned, they are on the same layer-2
> network as devices on Subnet 1 -- it's transparent to them.
> If a machine on Subnet 1 makes an arp request for a machine on Subnet
> 0, it will get no response. The machine on Subnet 0 doesn't receive
> the request since it's on a different network, and the firewall won't
> answer on behalf of the machine on Subnet 0 because proxy-arp is
> turned on. So machines on Subnet 1 don't appear to be on the same
> layer-2 network as machines on Subnet 0.
OK, so if an arp request comes in on an interface with proxy_arp on, and
there's an arp entry in the router's cache for it, and the target machine
doesn't live on the same ethernet strand, then it will reply with its own
ethernet address. That explains things.
With UML, I set proxy_arp on the tap interface that the virtual machine is
using, which ensures that it can make arp requests and the host will answer
with any addresses in its arp cache. I also put a proxy entry for the virtual
machine's IP address on eth0 (which is somewhat bogus because eth0 could be
the connection to the outside world, and eth1 could be the local net, but
I haven't had anyone complain), which ensures that the rest of the local net
will see the UML.
One question, though. If a machine on one side of the router arps for a
machine on the other side, and the router hasn't heard from that machine, the
arp will fail, right? Are machines supposed to arp their own addresses
occasionally, so this would be a temporary problem, when the other machine
has just booted?
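The reply rule worked out above, as an added model that is not code from the thread or from UML: a router with eth0 on Subnet 0, eth1 on Subnet 1 and a tap interface for the UML guest, proxy_arp on eth0 and tap0 only, plus a published entry for the guest on eth0 (as `arp -s <ip> <mac> pub` / `ip neigh add proxy <ip> dev eth0` would create). Assumptions: all addresses and MACs are constructed, and the proxy decision is modelled as a forwarding-table lookup (target reachable through a different interface) rather than an ARP-cache lookup.

```python
from ipaddress import ip_address, ip_network

ROUTER_MAC = "00:11:22:33:44:55"            # constructed
IFACES = {                                  # iface -> (own address, proxy_arp flag)
    "eth0": ("10.0.0.1", True),             # Subnet 0, proxy_arp on
    "eth1": ("10.0.1.1", False),            # Subnet 1, proxy_arp off
    "tap0": ("192.168.0.1", True),          # UML tap, proxy_arp on
}
ROUTES = [                                  # (prefix, outgoing iface), constructed
    (ip_network("10.0.0.0/24"), "eth0"),
    (ip_network("10.0.1.0/24"), "eth1"),
    (ip_network("192.168.0.2/32"), "tap0"), # the UML guest
]
PUBLISHED = {("192.168.0.2", "eth0")}       # proxy (pub) entry for the UML on eth0

def lookup_route(target):
    """Longest-prefix match over ROUTES; returns the outgoing iface or None."""
    best = None
    for prefix, iface in ROUTES:
        if target in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None

def arp_reply(target_ip, in_iface):
    """MAC the router puts in its ARP reply for a who-has seen on in_iface, or None."""
    target = ip_address(target_ip)
    _, proxy_on = IFACES[in_iface]
    if any(ip_address(addr) == target for addr, _ in IFACES.values()):
        return ROUTER_MAC                   # one of its own addresses: always answers
    if (target_ip, in_iface) in PUBLISHED:
        return ROUTER_MAC                   # explicit published entry on this iface
    out_iface = lookup_route(target)
    if proxy_on and out_iface is not None and out_iface != in_iface:
        return ROUTER_MAC                   # proxy_arp: target lives behind another iface
    return None                             # same strand, unknown, or proxy_arp off

if __name__ == "__main__":
    for tgt, ifc in [("10.0.1.20", "eth0"), ("10.0.0.20", "eth1"),
                     ("10.0.0.20", "eth0"), ("192.168.0.2", "eth0"),
                     ("10.0.0.20", "tap0")]:
        print(f"who-has {tgt} on {ifc}: {arp_reply(tgt, ifc) or 'no reply'}")
```

The second case is the one-way behaviour described in the quoted text (a Subnet 1 host asking for a Subnet 0 host gets silence because eth1 has proxy_arp off); the last two are the UML setup, where the guest is reachable from the local net via the published entry and can itself resolve local-net hosts through tap0.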