Date: 31 Jul 2003 20:27:29 -0400
From: Lowell Gilbert <freebsd-questions-local@be-well.no-ip.com>
To: "Company 2210" <company2210@hotmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ARP Problem - Please Help
Message-ID: <44zniu1atq.fsf@be-well.ilk.org>
In-Reply-To: <Law12-OE51A9KxLt3zP000066af@hotmail.com>
References: <Law12-OE51A9KxLt3zP000066af@hotmail.com>
"Company 2210" <company2210@hotmail.com> writes:

> My problem is this (and it's driving me nuts as I can't see the
> solution). I have two FreeBSD boxes acting as routers; the layout is like
> this:
>
>
> Clients (12.20.78.0/25) <----->(eth0) ROUTER A (eth1)<=======> (eth1) ROUTER B (eth0) <----> (12.20.65.69) Upstream ISP & Internet
>
> Router A Configuration:
>
> eth0: 12.20.78.1 Subnet 255.255.255.128
> eth1: 10.0.0.1 Subnet 255.255.255.0
>
> Router B Configuration:
>
> eth0: 12.20.65.70 Subnet 255.255.255.252
> eth1: 10.0.0.2 Subnet 255.255.255.0
>
>
> The private IPs denote an IPsec VPN connection (wireless) between ROUTER A
> & B; all the client PCs are on public IPs. Now, the VPN works perfectly,
> encrypting the packets over the wireless link; however, ROUTER A's eth0
> interface does not appear in the arp -a lookup:
>
> ? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 permanent [ethernet]
> ? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 [ethernet]
> ? (12.20.78.0) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]
> ? (12.20.78.2) at 00:0c:cd:53:d9:f3 on eth0 [ethernet]
> ? (12.20.78.42) at 00:9a:17:90:d3:b4 on eth0 [ethernet]
> ? (12.20.78.52) at 00:2b:18:2e:22:21 on eth0 [ethernet]
> ? (12.20.78.127) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]

Those look like entries for all the local nets...

> If I try and force the entry, I receive the following error:
>
> routera# arp -s 12.20.78.1 00:0c:5d:e6:16:75
> set: can only proxy for 12.20.78.1

Router B shouldn't need that, because it isn't on that link, and Router A
shouldn't need it because it *is* 12.20.78.1.  What are you trying to do?

> The big problem this is causing is that clients cannot ping the gateway, and
> it responds to no requests (i.e. I can't ssh into it), but it still forwards
> packets perfectly. Basically it's like 12.20.78.1 was invisible. The other
> strange thing is that if I ssh into ROUTER B and ping 12.20.78.1 I receive
> replies:

What host and gateway addresses are you referring to in the first sentence,
and why are you surprised by the second?

> routerb# ping 12.20.78.1
> PING 12.20.78.1 (12.20.78.1): 56 data bytes
> 64 bytes from 12.20.78.1: icmp_seq=0 ttl=64 time=3.577 ms
> 64 bytes from 12.20.78.1: icmp_seq=1 ttl=64 time=3.724 ms
> 64 bytes from 12.20.78.1: icmp_seq=2 ttl=64 time=3.817 ms
> ^C
> --- 12.20.78.1 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 3.577/3.706/3.817/0.099 ms
>
>
> The output of ROUTER B's arp table is displayed below:
>
> ? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 [ethernet]
> ? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 permanent [ethernet]
> ? (12.20.65.69) at 00:d0:03:ba:bb:fc on eth0 [ethernet]
>
>
> I am completely at a loss as to how to get around this problem. Any help or
> advice would be really great as I've spent the past 3 days, and the floor is
> littered with tufts of hair ;) Just in case this is any help, this is the
> output from setkey -DP (for encrypting the packets across the 10.0.0.x link)
> on each router:
>
> ROUTER A:
>
> 0.0.0.0/0[any] 12.20.78.0/25[any] any
>         in ipsec
>         esp/tunnel/10.0.0.2-10.0.0.1/require
>         spid=2 seq=1 pid=778
>         refcnt=1
> 12.20.78.0/25[any] 0.0.0.0/0[any] any
>         out ipsec
>         esp/tunnel/10.0.0.1-10.0.0.2/require
>         spid=1 seq=0 pid=778
>         refcnt=1
>
> ROUTER B:
>
> 12.20.78.0/25[any] 0.0.0.0/0[any] any
>         in ipsec
>         esp/tunnel/10.0.0.1-10.0.0.2/require
>         spid=8 seq=1 pid=24377
>         refcnt=1
> 0.0.0.0/0[any] 12.20.78.0/25[any] any
>         out ipsec
>         esp/tunnel/10.0.0.2-10.0.0.1/require
>         spid=7 seq=0 pid=24377
>         refcnt=1

I don't really get the "eth0" nomenclature, anyway; I've seen it on Linux,
where the device type is abstracted behind a common name, but I don't know
what it means in a FreeBSD setup...
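An added example, not part of the thread above or of either poster's setup: a small Python script that parses the posted arp -a listing and setkey -DP policies, reports which of Router A's own interface addresses are absent from its ARP table, and evaluates which security policy a given packet's source/destination pair falls under. The interface addresses and policies are copied from the message; the sample packets are constructed; the "most specific selector wins" ordering in match_policy is a simplification and an assumption about how the kernel orders its policy lookup, not something the thread states.

```python
"""Check an ARP table and an IPsec SPD dump from the thread against each other.

Added example; the ARP and SPD text below is copied from the posted message,
the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Router A's arp -a output as posted in the message.
ROUTER_A_ARP = """\
? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 permanent [ethernet]
? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 [ethernet]
? (12.20.78.0) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]
? (12.20.78.2) at 00:0c:cd:53:d9:f3 on eth0 [ethernet]
? (12.20.78.42) at 00:9a:17:90:d3:b4 on eth0 [ethernet]
? (12.20.78.52) at 00:2b:18:2e:22:21 on eth0 [ethernet]
? (12.20.78.127) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]
"""

# Router A's setkey -DP output as posted in the message.
ROUTER_A_SPD = """\
0.0.0.0/0[any] 12.20.78.0/25[any] any
        in ipsec
        esp/tunnel/10.0.0.2-10.0.0.1/require
        spid=2 seq=1 pid=778
        refcnt=1
12.20.78.0/25[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/10.0.0.1-10.0.0.2/require
        spid=1 seq=0 pid=778
        refcnt=1
"""

# Router A's own interface addresses, from the posted configuration.
ROUTER_A_IFACES = {"eth0": "12.20.78.1", "eth1": "10.0.0.1"}


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str  # "in" or "out"
    action: str     # e.g. "ipsec"
    tunnel: str     # e.g. "esp/tunnel/10.0.0.1-10.0.0.2/require"


def parse_spd(text):
    """Parse the selector, direction/action and tunnel lines of setkey -DP output.

    The bookkeeping lines (spid/seq/pid, refcnt) are skipped."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    policies, i = [], 0
    while i < len(lines):
        sel = lines[i].split()                      # "<src>[port] <dst>[port] <proto>"
        src = ipaddress.ip_network(sel[0].split("[")[0])
        dst = ipaddress.ip_network(sel[1].split("[")[0])
        direction, action = lines[i + 1].split()
        policies.append(Policy(src, dst, direction, action, lines[i + 2]))
        i += 3
        while i < len(lines) and ("spid=" in lines[i] or lines[i].startswith("refcnt")):
            i += 1
    return policies


def match_policy(policies, src_ip, dst_ip, direction):
    """Return the policy whose selectors contain (src, dst) for this direction.

    Assumption: the most specific selector (largest combined prefix length)
    wins. Returns None when no policy applies, i.e. the packet bypasses IPsec."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p.direction == direction and src in p.src and dst in p.dst]
    if not hits:
        return None
    return max(hits, key=lambda p: p.src.prefixlen + p.dst.prefixlen)


def parse_arp(text):
    """Parse 'arp -a' lines: '? (ip) at mac on ifname [permanent] [ethernet]'."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        entries.append((parts[1].strip("()"), parts[3], parts[5], "permanent" in parts))
    return entries


def missing_own_addresses(entries, iface_addrs):
    """Return (ifname, ip) pairs of the host's own addresses absent from its ARP table."""
    present = {(ip, iface) for ip, _mac, iface, _perm in entries}
    return [(iface, ip) for iface, ip in iface_addrs.items() if (ip, iface) not in present]


if __name__ == "__main__":
    print("own addresses missing from Router A's table:",
          missing_own_addresses(parse_arp(ROUTER_A_ARP), ROUTER_A_IFACES))
    pols = parse_spd(ROUTER_A_SPD)
    # Constructed sample packets: a client bound for the ISP, the router's own
    # reply to a client, and the tunnel endpoints talking to each other.
    for src, dst in [("12.20.78.42", "12.20.65.69"),
                     ("12.20.78.1", "12.20.78.42"),
                     ("10.0.0.1", "10.0.0.2")]:
        hit = match_policy(pols, src, dst, "out")
        print(f"{src} -> {dst} out:", hit.tunnel if hit else "no policy (bypass)")
```

Run against Router A's policies, the selector check shows that a packet sourced from 12.20.78.1 toward a client inside 12.20.78.0/25 falls within the same outbound selector (12.20.78.0/25 to 0.0.0.0/0) as client traffic bound for the Internet, because 0.0.0.0/0 also contains the client subnet; that is a property of the selectors as posted, not a diagnosis offered in the thread. The ARP check simply confirms what the poster observed: 10.0.0.1 is listed on eth1, but 12.20.78.1 has no entry on eth0.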