On 11/6/2010 9:02 PM, Tom Eastep wrote:
>
> VLANs are virtual ethernet LANs -- the destination of every packet
> sent to the VLAN must be specified by a unique layer 2 (MAC) address
> (exceptions are broadcast and multicast).
>

I'm having an issue with the pptpd (Poptop) server on the firewall/router. It is not responding to ARP requests for the ppp0 connection.
interfaces

net     eth0      detect   tcpflags,nosmurfs
corp    eth1.2    detect   dhcp,tcpflags,logmartians
corp    eth1.3    detect   dhcp,tcpflags,logmartians
proc    eth1.4    detect   tcpflags,logmartians
proc    eth1.5    detect   tcpflags,logmartians
vpn     ppp+

rules (didn't use tunnels)

$PPTPIP is a list of clients defined in params

# Replaces entry in tunnels with ACL
ACCEPT   net:$PPTPIP   $FW    tcp   1723
ACCEPT   $FW           net    47
ACCEPT   net:$PPTPIP   $FW    47

pptpd.conf

localip 10.1.19.1
remoteip 10.1.19.248-253

options.pptpd

proxyarp

Client can connect, can ping the router IP, can ping the ppp0 address; tcpdump shows pings leaving the interface, but all we see are ARP requests from the target asking for the MAC.

ping from remote system (vpn client) to host on vlan 4 (ppp0 - 10.1.19.248, eth1.4 - 10.1.19.1)

# tcpdump -ni eth1.4 host 10.1.19.248
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.4, link-type EN10MB (Ethernet), capture size 96 bytes
16:51:05.602191 IP 10.1.19.248 > 10.1.19.4: ICMP echo request, id 1280, seq 256, length 40
16:51:05.602337 arp who-has 10.1.19.248 tell 10.1.19.4
16:51:10.895146 IP 10.1.19.248 > 10.1.19.4: ICMP echo request, id 1280, seq 512, length 40
16:51:10.895327 arp who-has 10.1.19.248 tell 10.1.19.4

The echo request is leaving the interface, but the router is making no attempt to reply to the who-has requests.

tcpdump of the ARP traffic during ping from remote client:

# tcpdump -ni eth1.4 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.4, link-type EN10MB (Ethernet), capture size 96 bytes
17:02:48.622219 arp who-has 10.1.19.4 tell 10.1.19.1
17:02:48.622367 arp reply 10.1.19.4 is-at 00:0e:0c:af:86:3b
17:02:48.622536 arp who-has 10.1.19.248 tell 10.1.19.4
17:02:53.871295 arp who-has 10.1.19.248 tell 10.1.19.4
....
arping from another host on the same subnet:

# arping -I eth0.4 10.1.19.248
ARPING 10.1.19.248 from 10.1.19.254 eth0.4
Sent 7 probes (7 broadcast(s))
Received 0 response(s)

tcpdump while the arping was happening:

[r...@platlnxrtr2 shorewall]# tcpdump -ni eth1.4 host 10.1.19.248
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.4, link-type EN10MB (Ethernet), capture size 96 bytes
16:53:57.843136 arp who-has 10.1.19.248 (Broadcast) tell 10.1.19.254
16:53:58.844487 arp who-has 10.1.19.248 (Broadcast) tell 10.1.19.254
16:53:59.846334 arp who-has 10.1.19.248 (Broadcast) tell 10.1.19.254
16:54:00.848172 arp who-has 10.1.19.248 (Broadcast) tell 10.1.19.254

ARP table on the router:

# arp -an
? (xxx.xxx.xxx.xxx) at 00:10:18:90:20:DB [ether] on eth0
? (10.1.19.254) at 00:13:46:61:B9:4B [ether] on eth1.4
? (10.1.16.2) at 00:26:B9:8D:8A:F1 [ether] on eth1.2
? (10.1.16.19) at 00:17:31:88:3D:22 [ether] on eth1.2
? (10.1.19.248) at * PERM PUP on eth1.4

From /var/log/messages:

pppd[13753]: MPPE 128-bit stateless compression enabled
pppd[13753]: found interface eth1.4 for proxy arp
pppd[13753]: local IP address 10.1.19.1
pppd[13753]: remote IP address 10.1.19.248

It works just fine with this basic config.
# iptables -L
Chain INPUT (policy ACCEPT)
target               prot opt source               destination
PPP-INPUT            all  --  anywhere             anywhere
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target               prot opt source               destination
PPP-INPUT            all  --  anywhere             anywhere
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target               prot opt source               destination

Chain PPP-INPUT (2 references)
target               prot opt source               destination
ACCEPT               tcp  --  anywhere             anywhere            tcp dpt:pptp
ACCEPT               gre  --  anywhere             anywhere
ACCEPT               all  --  anywhere             anywhere

Chain RH-Firewall-1-INPUT (2 references)
target               prot opt source               destination
ACCEPT               all  --  anywhere             anywhere
ACCEPT               icmp --  anywhere             anywhere            icmp any
ACCEPT               esp  --  anywhere             anywhere
ACCEPT               ah   --  anywhere             anywhere
ACCEPT               udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT               udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT               tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT               all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT               tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT               all  --  anywhere             anywhere            reject-with icmp-host-prohibited

I know - "ACCEPT all -- anywhere anywhere" - is bad.

# tcpdump -ni eth1.4 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.4, link-type EN10MB (Ethernet), capture size 96 bytes
17:10:22.656250 arp who-has 10.1.19.4 tell 10.1.19.1
17:10:22.656390 arp reply 10.1.19.4 is-at 00:0e:0c:af:86:3b
17:10:22.656557 arp who-has 10.1.19.248 tell 10.1.19.4
17:10:23.295331 arp reply 10.1.19.248 is-at 00:19:b9:33:2f:18

So it has something to do with the Shorewall config.
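Added example (not code from the original post, pptpd or Shorewall): a small Python check that reads "tcpdump -n arp" output together with the "arp -an" table and flags published (PERM PUP) proxy-ARP entries that were queried but never answered, which is exactly the symptom the captures above show. The sample lines are constructed from the captures in the post, and the older tcpdump ARP line format ("arp who-has ... tell ...") is assumed.

```python
import re

# Added example, not from the original post: correlate a tcpdump ARP capture with
# the router's ARP table to flag published (proxy ARP) entries that never get answered.
# Assumes the older "tcpdump -n arp" line format shown in the post.
ARP_REQ = re.compile(r"^(\S+) arp who-has (\d+\.\d+\.\d+\.\d+)(?: \(\S+\))? tell (\d+\.\d+\.\d+\.\d+)")
ARP_REP = re.compile(r"^(\S+) arp reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")
# "arp -an" line for a published entry, e.g. "? (10.1.19.248) at * PERM PUP on eth1.4"
PUB_ENTRY = re.compile(r"^\? \((\d+\.\d+\.\d+\.\d+)\) at \* PERM PUP on (\S+)")

def parse_arp_capture(lines):
    """Return {target_ip: {"requests": n, "replies": n}} from tcpdump -n arp lines."""
    stats = {}
    for line in lines:
        m = ARP_REQ.match(line)
        if m:
            stats.setdefault(m.group(2), {"requests": 0, "replies": 0})["requests"] += 1
            continue
        m = ARP_REP.match(line)
        if m:
            stats.setdefault(m.group(2), {"requests": 0, "replies": 0})["replies"] += 1
    return stats

def published_entries(arp_an_lines):
    """Return {ip: iface} for published proxy-ARP entries in "arp -an" output."""
    return {m.group(1): m.group(2) for m in map(PUB_ENTRY.match, arp_an_lines) if m}

def unanswered_proxy_arp(capture_lines, arp_an_lines):
    """IPs the router publishes that were asked for on the wire but never answered."""
    stats = parse_arp_capture(capture_lines)
    published = published_entries(arp_an_lines)
    return sorted(ip for ip, s in stats.items()
                  if ip in published and s["requests"] > 0 and s["replies"] == 0)

# Constructed sample input, shaped like the captures and ARP table in the post.
CAPTURE = """\
17:02:48.622219 arp who-has 10.1.19.4 tell 10.1.19.1
17:02:48.622367 arp reply 10.1.19.4 is-at 00:0e:0c:af:86:3b
17:02:48.622536 arp who-has 10.1.19.248 tell 10.1.19.4
17:02:53.871295 arp who-has 10.1.19.248 tell 10.1.19.4
16:53:57.843136 arp who-has 10.1.19.248 (Broadcast) tell 10.1.19.254
""".splitlines()
ARP_TABLE = """\
? (10.1.19.254) at 00:13:46:61:B9:4B [ether] on eth1.4
? (10.1.19.248) at * PERM PUP on eth1.4
""".splitlines()

if __name__ == "__main__":
    print(unanswered_proxy_arp(CAPTURE, ARP_TABLE))  # ['10.1.19.248']
```

Run it against a live capture with "tcpdump -lni eth1.4 arp" piped in and "arp -an" read from the router; an empty list means every published address the neighbours asked for was answered.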
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
