
Strange problem with IP aliasing on cable modem - solution



Dear reader,

maybe the provided information is useful for someone.

- The first problem was that another cable modem also has the .128 IP set. (Fault of the ISP.)

- The second problem seems to be that OpenBSD doesn't send ARP requests via an aliased interface. (Well, I'm not sure about this.)

How did we solve it? - A static route to our second IP has been configured in our next hop router. Sure, this has some disadvantages but it works.

Best regards,
Dietmar

---------- Forwarded message ----------
Date: Sat, 13 Oct 2001 11:42:06 +0200 (CEST)
From: Dietmar Schinnerl <schinnerl_(_at_)_webdynamite_(_dot_)_com>
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Strange problem with IP aliasing on cable modem

Dear reader,

I try to build an OpenBSD firewall and IPsec gateway where one network
interface (let's name it E for external) has two addresses (x.y.z.75 and
.128) bound and is connected to a cable modem. The second network
interface (I for internal) connects to the internal LAN.

It's no problem to set up an IP alias on I. However, if I try to set up an
IP alias on the other network interface (E) I cannot ping that new IP
from the outside -- from the inside it works of course.

I cannot even perform a "ping -I x.y.z.128 x.y.z.1".(*) What really
distracts me is that I can see the echo request (x.y.z.128 -> x.y.z.1)
and echo reply (x.y.z.1 -> x.y.z.128) via tcpdump. I also did a
traceroute from the outside which gets to x.y.z.1 but doesn't "find"
x.y.z.128. (Of course "ping -I x.y.z.75 x.y.z.1" works, and all other
things work too -- NAT, firewall etc.)

(*) This should do as the mysterious initial arp request.

tcpdump snippet:

[...]
09:45:30.486191 m1.domain.my > m128.domain.my: icmp: echo reply
09:45:31.463199 m128.domain.my > m1.domain.my: icmp: echo request (DF)
09:45:31.488123 m1.domain.my > m128.domain.my: icmp: echo reply
09:45:32.463210 m128.domain.my > m1.domain.my: icmp: echo request (DF)
09:45:32.490302 m1.domain.my > m128.domain.my: icmp: echo reply
[...]

I flushed all ip filter rules, I even dropped the "map ..." from
ipnat.rules. I tried to bind only the .128 address to E, which didn't work
either. (It doesn't even work under Windows NT 4.0.)

_But_ the really strange thing is that it works under Linux. (I don't
want to offend anyone here. And before you ask why I change a working
configuration: we need an IPsec connection to a commercial IPsec product
and this one doesn't work with FreeS/WAN. So we switched to OpenBSD
where it works without problems.)

I would be very grateful for any help or a pointer in the right
direction.

Thank you for reading,
Dietmar
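
The first problem named in the follow-up, a second device also holding the .128 address, shows up on the wire as ARP replies for one IP coming from more than one hardware address. As an added example that is not part of the original post, this Python check reads `tcpdump -n arp` text output and reports such IPs; the 192.0.2.x addresses and MACs in the sample are constructed.

```python
import re
from collections import defaultdict

# Matches both the older "arp reply A is-at M" and the newer
# "ARP, Reply A is-at M, length N" forms printed by tcpdump -n.
ARP_REPLY = re.compile(
    r"\barp,?\s+reply\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})",
    re.IGNORECASE,
)

def normalize_mac(mac):
    """Zero-pad each octet so 0:10:5a:... and 00:10:5A:... compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def find_duplicate_claims(lines):
    """Return {ip: sorted MACs} for every IP answered by more than one MAC."""
    claims = defaultdict(set)
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            claims[m.group("ip")].add(normalize_mac(m.group("mac")))
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

# Constructed sample capture: one host answers for both .75 and .128
# (an alias on one interface), and a second device also answers for .128.
SAMPLE = """\
09:45:30.101000 arp who-has 192.0.2.128 tell 192.0.2.1
09:45:30.101400 arp reply 192.0.2.128 is-at 0:10:5a:aa:bb:1
09:45:30.102900 ARP, Reply 192.0.2.128 is-at 00:a0:c9:11:22:33, length 46
09:45:31.200000 arp who-has 192.0.2.75 tell 192.0.2.1
09:45:31.200300 arp reply 192.0.2.75 is-at 0:10:5a:aa:bb:1
09:45:32.300000 ARP, Reply 192.0.2.75 is-at 00:10:5A:AA:BB:01, length 46
09:45:32.486191 192.0.2.1 > 192.0.2.128: icmp: echo reply
""".splitlines()

if __name__ == "__main__":
    for ip, macs in find_duplicate_claims(SAMPLE).items():
        print(f"{ip} is claimed by {len(macs)} hardware addresses: {', '.join(macs)}")
```

An alias on the same interface answers with the same hardware address as the primary IP, so only the address held by a second device is reported.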