Date:      Mon, 1 Nov 1999 11:39:26 +0200 
From:      Rick Afonso <rick.afonso@usko.com>
To:        "'freebsd-questions@FreeBSD.ORG.'" <freebsd-questions@FreeBSD.ORG>
Subject:   Squid Proxy & Natd Arp problem
Message-ID:  <91FBD7B8C861D2119C3100805FA72FE1199ECE@CPTCOMXCH>

Hi Everyone

I have a client who is experiencing a strange problem which appears to be
ARP related.


                ISP1                   ISP2
                   |                         |
               router                  router
                   | ip1                    |ip2
 
|------------------------------------------------------------|Ethernet
                   |        |         |ip1.1       |ip2.1
                   |        |         |              | 
                DNS  DNS   Proxy1    Proxy2
                                     |               |
         10.0.0.0/16|----------------------------------| Ethernet 
                               |                       |
                          WWW           W/stations
                          Server


The client has two incoming leased line circuits from two different ISPs,
and each circuit has a registered IP address range being routed through it. The
client has two BSD boxes set up as Proxy (Squid) servers also running NATD.
The client's internal network sits on the 10.0.0.0/16 range behind these
two proxy servers.

The client's two DNS servers are on the registered IP side of the Proxy
servers, while his web server (hosting multiple sites) is behind the proxy
servers. The two proxy servers have NATd alias tables mapping the relevant
registered IP address to the private internal address. Each server is
dedicated to one of the registered IP ranges.

i.e. an HTTP request will be resolved to a registered IP address; when the
client browser connects to it, the proxy server which services the particular
external IP range (indicated by the numbering above) redirects it to the
private address which it corresponds to in the NATd tables.

From the outside world this works fine.  Attempting to connect to one of the
hosted web sites, the traffic hits the relevant proxy server which then
translates it and passes it to the web server on the relevant internal
address.

If an internal user tries to connect to a web site (using one of the proxy
servers as his browser proxy) the results vary. If the site he attempts to
connect to is natted via the proxy box (being used as his web proxy) he
cannot connect. Looking at the ARP table on that proxy server, it indicates
"incomplete" for the relevant external IP address ARP resolution.

If the web site is natted via the other proxy server it works fine.

i.e. if the IP address resolved for a web site is an address which is being
natted by the same proxy server (which is used as a proxy by the client
workstation), the proxy server is not immediately replacing the external
address with the internal NATted address and passing the traffic back to the
internal server. It appears to try an ARP request which never gets answered.

Does anyone have any ideas what could cause this, and how to resolve it?


Thanks
Rick

Rick Afonso
Senior Network Engineer
USKO Communications
Cape Town
South Africa
Mobile: +27 83 6014010
Phone:  +27 21 4185354
Fax:    +27 21 4185478

This message may contain information which is confidential and subject to
legal privilege.  If you are not the intended recipient, you may not peruse,
use, disseminate, distribute or copy this message.  If you have received
this message in error, please notify the sender immediately by email,
facsimile or telephone and return and/or destroy the original message.
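
The static NATd mapping the post describes, written out as an added example
natd.conf. This is not configuration taken from the poster's systems: the
interface name fxp0 is assumed, the 10.0.0.0/16 addresses are constructed,
and 203.0.113.0/24 (an RFC 5737 documentation range) stands in for the ISP1
registered range. It assumes the usual FreeBSD arrangement in which natd is
fed by an ipfw divert rule on the external interface.

```conf
# /etc/natd.conf for Proxy1 (added example with placeholder addresses).
# Assumes an ipfw rule of the form
#   ipfw add divert natd ip from any to any via fxp0
# so that every packet crossing the external interface is handed to natd.

interface fxp0        # external (registered-IP side) interface, assumed name
use_sockets yes
same_ports yes

# Static 1:1 mappings ("static NAT"): the internal 10.0.0.0/16 address comes
# first, then the registered address it is published under. One line per
# published address; the multi-site web server holds the internal aliases.
redirect_address 10.0.0.80 203.0.113.80   # web server, hosted site A
redirect_address 10.0.0.81 203.0.113.81   # web server, hosted site B
```

Checks a practitioner would run on the proxy before changing anything:
`arp -an` to list the ARP table, where "incomplete" means the kernel sent an
ARP request for the address on a directly connected interface and nothing
replied; and `ifconfig -a` to see whether the registered addresses are
configured as aliases on the proxy at all. A redirect_address line only
translates addresses, it does not make the proxy claim them on the wire, so
each published address has to reach the proxy either by a route on the ISP
router or by being configured as an interface alias on the proxy.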
