Prairie Flower wrote:
> On Tue, 28 Dec 1999 08:21:23 -0700, Ben Greear wrote:
>
> [snip]
>
> >PC1 -------\
> >5.5.1.2/24  \__ eth0 |-------|
> >                     |       | 5.5.1.254/24
> > ...                 | Linux | eth2 ------ [ gateway ] ---- { internet }
> >                     |       |
> >PC2 ----------- eth1 |_______|
> >5.5.1.3/24
>
> Are you sure you don't mean 10.5.1.0/24?
>
> wildrose@xxxxxxxx
Which interface are you talking about? I think it is how I want it, but let me
explain my true goals.
I want to firewall based on VLANs. (I plan on using my vlan code for that, to
make each vlan look like a separate interface.)
I want PCs to look like they are on a normal subnet. In other words, these
are customer machines, and the customers are most likely clueless (this is
a DSL type offering.) This means no host routes, and no linux-only tweaks.
I want to conserve IP addresses, so no subnet-per-interface (that would take at
least 4 IPs per customer, as well as being a possible headache for whatever
admin had to support the ISP's network.)
The magic box (labeled linux in my picture) can have any amount of ugly stuff
(i.e. arp proxy, host routes, etc.), just so long as it works!!
Currently in the lab, I have this:
On Linux: this setup has been run to create the vlan interfaces and give them
IP addresses:
vconfig add eth1 20                  # creates vlan0000 (VLAN 20 on eth1)
vconfig add eth1 21                  # creates vlan0001 (VLAN 21 on eth1)
ifconfig vlan0000 10.1.1.20          # vlan 20 (no mask given: classful 255.0.0.0)
ifconfig vlan0001 10.1.1.21          # vlan 21
ifconfig vlan0000 up
ifconfig vlan0001 up
# One /32 host route per customer, pointing at that customer's vlan device
route add -host 130.131.190.211 vlan0000
route add -host 130.131.190.212 vlan0001
# Do proxy-arp stuff
# Note that all vlan devices on the same NIC (eth1 in this case) have
# the same MAC, so -D can take the hardware address from vlan0000 for both.
# Publish .211 on the vlan where .212 lives, and .212 on the vlan where .211 lives.
arp -i vlan0001 -Ds 130.131.190.211 vlan0000 pub
arp -i vlan0000 -Ds 130.131.190.212 vlan0000 pub
PC1 --------vlan1-\
130.131.190.212/24 |         |-------|
                   |         |       | 130.131.190.3
              -eth1-|  Linux  | eth0 ------ [ gateway ] ---- { internet }
                   |         |       |
PC2 --------vlan0-/          |_______|
130.131.190.211/24
Things are almost working:
When I try to ping from .212 to .211, the linux box ARP proxies and
.212 starts sending icmp requests to 10.1.1.21
On the vlan0 interface, I see this:
[root@linserv /root]# tcpdump -n -i vlan0000
User level filter, protocol ALL, datagram packet socket
tcpdump: listening on vlan0000
12:36:48.898119 > arp who-has 130.131.190.211 tell 10.1.1.20 (0:60:97:3c:e6:9)
12:36:50.896697 > arp who-has 130.131.190.211 tell 10.1.1.20 (0:60:97:3c:e6:9)
On the vlan0001 interface, I see this:
[root@linserv /root]# tcpdump -n -i vlan0001
User level filter, protocol ALL, datagram packet socket
tcpdump: listening on vlan0001
12:37:12.891220 < 130.131.190.212 > 130.131.190.211: icmp: echo request
12:37:12.898150 > 10.1.1.21 > 130.131.190.212: icmp: host 130.131.190.211 unreachable [tos 0xc0]
12:37:12.898215 > 10.1.1.21 > 130.131.190.212: icmp: host 130.131.190.211 unreachable [tos 0xc0]
12:37:12.898269 > 10.1.1.21 > 130.131.190.212: icmp: host 130.131.190.211 unreachable [tos 0xc0]
12:37:13.891667 < 130.131.190.212 > 130.131.190.211: icmp: echo request
12:37:14.892025 < 130.131.190.212 > 130.131.190.211: icmp: echo request
12:37:15.890706 < 130.131.190.212 > 130.131.190.211: icmp: echo request
12:37:16.888114 > 10.1.1.21 > 130.131.190.212: icmp: host 130.131.190.211 unreachable [tos 0xc0]
12:37:16.888172 > 10.1.1.21 > 130.131.190.212: icmp: host 130.131.190.211 unreachable [tos 0xc0]
The problem is that .211 does not have a host route to tell it how to get a
packet to 10.1.1.20. (It may have other problems...should it try to send it to
the default gateway?)
So, what if I could set one of the interfaces on Linux to be, say,
130.131.190.200? If I could get the arp to say "tell 130.131.190.200", instead
of 10.1.1.20, then the .211 PC could know how to get the response back?
All ideas will be appreciated!! :)
Here's some more info that might prove useful:
[root@linserv /root]# ifconfig -a
dummy     Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

eth0      Link encap:Ethernet  HWaddr 00:60:97:29:6F:B2
          inet addr:130.131.190.238  Bcast:130.131.190.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:479615 errors:0 dropped:0 overruns:0 frame:0
          TX packets:152213 errors:0 dropped:0 overruns:0 carrier:602
          collisions:22 txqueuelen:100
          Interrupt:9 Base address:0xff80

eth1      Link encap:Ethernet  HWaddr 00:60:97:3C:E6:09
          inet addr:192.168.101.1  Bcast:192.168.101.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10716 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14693 errors:0 dropped:0 overruns:0 carrier:0
          collisions:38 txqueuelen:100
          Interrupt:5 Base address:0xff40

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:1859 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1859 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

vlan0000  Link encap:Ethernet  HWaddr 00:60:97:3C:E6:09
          inet addr:10.1.1.20  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5862 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

vlan0001  Link encap:Ethernet  HWaddr 00:60:97:3C:E6:09
          inet addr:10.1.1.21  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6619 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6155 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
[root@linserv /root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
130.131.190.212 0.0.0.0         255.255.255.255 UH    0      0        0 vlan0001
130.131.190.211 0.0.0.0         255.255.255.255 UH    0      0        0 vlan0000
192.168.101.1   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
130.131.190.238 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.101.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
130.131.190.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.0.0.0       130.131.190.229 255.0.0.0       UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 vlan0000
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 vlan0001
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         130.131.190.211 0.0.0.0         UG    0      0        0 eth0
[root@linserv /root]# arp -an
? (130.131.190.211) at 00:10:7B:3B:55:01 [ether] on eth0
? (130.131.190.254) at 00:10:4B:7A:A6:D4 [ether] on eth0
? (130.131.190.211) at <incomplete> on vlan0000
? (130.131.190.212) at 00:00:E8:34:22:33 [ether] on vlan0001
? (130.131.190.211) at * PERM PUP on vlan0001
? (130.131.190.212) at * PERM PUP on vlan0000
Thanks,
Ben
--
Ben Greear greearb@xxxxxxxx Pager: 202-2717
(623) 581 4980 "More weight!" -- _The Crucible._
http://hydrogen:8080/home/greearb/public_html/index.html
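Two checks on the diagnostic output quoted in the message, written as an added example; this is not code from the original post nor from Ben's vlan tools. The first parses the tcpdump lines and flags ARP requests whose sender address lies outside the customer prefix (the "who-has 130.131.190.211 tell 10.1.1.20" symptom, where .211 has no route back to the sender); a third, constructed line shows the same request as it would look with the 130.131.190.200 address Ben proposes. The second parses the quoted `route -n` table and does a longest-prefix match, showing that the /32 host routes send .211 and .212 out the vlan devices while any other 130.131.190.x address goes out eth0. The sample lines are copied from the post or constructed and labelled as such; the 130.131.190.0/24 customer prefix is taken from the diagram.

```python
"""Added example (not part of the original mailing-list post)."""
import ipaddress
import re

# Sample: the two ARP lines from the vlan0000 tcpdump in the post, plus one
# constructed line as the request would look if the interface carried
# 130.131.190.200 (an address Ben only proposes; not real captured output).
TCPDUMP_LINES = [
    "12:36:48.898119 > arp who-has 130.131.190.211 tell 10.1.1.20 (0:60:97:3c:e6:9)",
    "12:36:50.896697 > arp who-has 130.131.190.211 tell 10.1.1.20 (0:60:97:3c:e6:9)",
    "12:40:00.000000 > arp who-has 130.131.190.211 tell 130.131.190.200 (0:60:97:3c:e6:9)",
]

# Body of the `route -n` output quoted in the post (header lines omitted).
ROUTE_TABLE = """\
130.131.190.212 0.0.0.0 255.255.255.255 UH 0 0 0 vlan0001
130.131.190.211 0.0.0.0 255.255.255.255 UH 0 0 0 vlan0000
192.168.101.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
130.131.190.238 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.101.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
130.131.190.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
172.0.0.0 130.131.190.229 255.0.0.0 UG 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 vlan0000
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 vlan0001
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 130.131.190.211 0.0.0.0 UG 0 0 0 eth0
"""

ARP_REQUEST = re.compile(r"arp who-has (\S+) tell (\S+)")


def arp_sender_check(lines, customer_prefix):
    """Return (target, sender, on_subnet) for each ARP request in `lines`.

    on_subnet is True when the sender address lies inside `customer_prefix`,
    i.e. the host being asked has a connected route back to the sender.
    """
    prefix = ipaddress.ip_network(customer_prefix)
    results = []
    for line in lines:
        m = ARP_REQUEST.search(line)
        if not m:
            continue  # not an ARP request (ICMP lines etc.)
        target, sender = m.group(1), m.group(2)
        results.append((target, sender, ipaddress.ip_address(sender) in prefix))
    return results


def parse_route_table(text):
    """Parse `route -n` body lines into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # skip blank or header lines
        dest, gw, mask, _flags, _metric, _ref, _use, iface = fields
        # ipaddress accepts a dotted netmask; 0.0.0.0/0.0.0.0 becomes the default
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface))
    return routes


def lookup(routes, destination):
    """Longest-prefix match over `routes`; on a tie the earlier entry wins,
    as with the two 10/8 entries in the table. Returns (gateway, iface)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for network, gw, iface in routes:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1], best[2]


if __name__ == "__main__":
    for target, sender, ok in arp_sender_check(TCPDUMP_LINES, "130.131.190.0/24"):
        print(f"who-has {target} tell {sender}: {'ok' if ok else 'sender off-subnet'}")
    routes = parse_route_table(ROUTE_TABLE)
    for dst in ("130.131.190.211", "130.131.190.212", "130.131.190.250", "10.1.1.21"):
        print(dst, "->", lookup(routes, dst))
```

Run as a script it prints the two original requests as "sender off-subnet" and the constructed .200 request as "ok", then the route chosen for each destination. The route lookup models only what the quoted table shows (no metrics, no policy routing); the PC's own table is not in the post, so the ARP check stands in for it by asking whether the sender is inside the customers' /24.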