Old 08-31-2010, 08:31 PM
"Ross Halliday"
 
Linux ARP bridging issues

> -----Original Message-----
> From: Ross Halliday
> Sent: Tuesday, August 31, 2010 11:48 AM
> To: 'debian-isp@lists.debian.org'
> Subject: Linux ARP bridging issues
>
> Up until sometime last week this thing ran absolutely fine. Now, all of
> a sudden, ARP replies are not always being bridged back. I can see all
> the requests flowing out, and I can see the replies coming back into
> br0 but not appearing on tap0. Very rarely I've seen a reply make it
> through, sometimes after 10 seconds of ARP requests, sometimes after 10
> minutes, sometimes not even after half an hour.



After more testing I have determined this is not actually the case - ARP
requests coming in (either destined for the client or coincidentally
from the destination the client is trying to reach) are passing fine. It
does not appear that the bridge is forwarding any ARP replies to tap0 at
all.


Thanks
---
Ross Halliday
Network Operations
WTC Communications

Office: 613-547-6939 x203
Helpdesk: 866-547-6939 option 2
http://www.wtccommunications.ca


 
Old 09-03-2010, 04:14 PM
"Ross Halliday"
 
Linux ARP bridging issues

Hmm it seems this never made it to the list

---
Ross Halliday
Network Operations
WTC Communications

Office: 613-547-6939 x203
Helpdesk: 866-547-6939 option 2
http://www.wtccommunications.ca

> -----Original Message-----
> From: Ross Halliday
> Sent: Tuesday, August 31, 2010 11:48 AM
> To: 'debian-isp@lists.debian.org'
> Subject: Linux ARP bridging issues
>
> Hello folks,
>
> I realize this may be somewhat off-topic, but I'm an ISP, I use Debian,
> and I know there are some very smart people reading this list. I am
> hoping someone here will be in a similar situation or be more familiar
> with the involved technologies than I am.
>
> In the past few days I have been doing a lot of searching and head-
> scratching but am unable to really figure this out. I have an OpenVPN
> server set up for use of our network operations team that gives them
> direct access into a LAN. OpenVPN is configured in bridged mode and
> handing out unique IP addresses per user from client configuration
> files. The outward traffic flow looks something like this:
>
> Client TAP interface -> OpenVPN -> server tap0 -> br0 -> vlan9 ->
> physical network
>
> Up until sometime last week this thing ran absolutely fine. Now, all of
> a sudden, ARP replies are not always being bridged back. I can see all
> the requests flowing out, and I can see the replies coming back into
> br0 but not appearing on tap0. Very rarely I've seen a reply make it
> through, sometimes after 10 seconds of ARP requests, sometimes after 10
> minutes, sometimes not even after half an hour. If I force an ARP entry
> on the client things work fine.
>
> The server runs OpenVPN 2.1~rc11-1 on Debian Lenny 5.0.5 with stock
> kernel 2.6.26-2-amd64 in VMware 4.1. I have dumped all of my iptables
> rules, arptables and ebtables are clear, all policies set to ACCEPT.
> I've tried enabling kernel options like arp_proxy and ip_forward with
> no luck. The server does not and never has had an IP configured on the
> vlan9, br0, or tap0 interfaces. The VLAN interfaces are plain Ethernet
> interfaces renamed by udev and NOT 802.1q tagged sub-interfaces.
>
> To keep things sort of legible I've put my scrubbed configuration at
> the end of this message. Any assistance or insight would be very much
> appreciated. If anyone can suggest a better venue for this that would
> also be great.
>
> Thanks
> ---
> Ross Halliday
> Network Operations
> WTC Communications
>
> Office: 613-547-6939 x203
> Helpdesk: 866-547-6939 option 2
> http://www.wtccommunications.ca
>
>
>
> wtc-vpn:~# ifconfig
> br0 Link encap:Ethernet HWaddr 00:0c:29:46:f9:50
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:504255 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
>
> RX bytes:32318500 (30.8 MiB) TX bytes:0 (0.0 B)
> tap0 Link encap:Ethernet HWaddr 00:ff:d1:9f:78:48
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:8981 errors:0 dropped:0 overruns:0 frame:0
> TX packets:507870 errors:0 dropped:14 overruns:0 carrier:0
> collisions:0 txqueuelen:100
>
> RX bytes:786383 (767.9 KiB) TX bytes:39449734 (37.6 MiB)
> vlan30 Link encap:Ethernet HWaddr 00:0c:29:46:f9:64
> inet addr:[management IP] Bcast:[management bcast]
> Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:36656 errors:0 dropped:0 overruns:0 frame:0
> TX packets:23458 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:3488563 (3.3 MiB) TX bytes:17802838 (16.9 MiB)
>
> vlan9 Link encap:Ethernet HWaddr 00:0c:29:46:f9:50
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:9524463 errors:0 dropped:0 overruns:0 frame:0
> TX packets:8665 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:5372033640 (5.0 GiB) TX bytes:766629 (748.6 KiB)
>
> vlan81 Link encap:Ethernet HWaddr 00:0c:29:46:f9:5a
> inet addr:[public IP] Bcast:[public bcast]
> Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:167968 errors:0 dropped:0 overruns:0 frame:0
> TX packets:126983 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:11357700 (10.8 MiB) TX bytes:22022758 (21.0 MiB)
>
> wtc-vpn:~# brctl show
> bridge name bridge id STP enabled interfaces
> br0 8000.000c2946f950 no tap0
> vlan9
> wtc-vpn:~# brctl showmacs br0
> port no mac addr is local? ageing timer
> 1 00:02:b3:07:85:e0 no 224.01
> 1 00:04:27:0a:72:40 no 24.98
> 1 00:0a:b8:de:33:b2 no 1.92
> 1 00:0c:29:46:f9:50 yes 0.00
> 1 00:0c:29:b6:92:8e no 205.96
> 1 00:0f:1f:5b:51:46 no 1.24
> 1 00:11:11:4b:fc:fe no 137.85
> <snip>
> 1 00:50:56:ba:6a:87 no 32.87
> 1 00:50:56:ba:70:23 no 14.01
> 1 00:50:56:ba:7a:94 no 0.53
> 1 00:a0:c9:f6:77:37 no 4.78
> 1 00:c0:9f:ab:e6:92 no 76.87
> 1 00:c0:9f:d4:0e:8a no 14.18
> 1 00:e0:81:20:b7:ec no 0.03
> 1 00:ff:7f:b2:80:34 no 2.99
> 2 00:ff:d1:9f:78:48 yes 0.00
>
> wtc-vpn:/etc/openvpn# cat server.conf
>
> local [public IP]
> port 1194
> proto udp
> dev tap0
>
> ca /etc/openvpn/keys/ca.crt
> cert /etc/openvpn/keys/server.crt
> key /etc/openvpn/keys/server.key
> dh /etc/openvpn/keys/dh1024.pem
>
> management 127.0.0.1 905
> mode server
> tls-server
>
> push "route [public IP] 255.255.255.255 net_gateway"
> push "route-gateway [LAN gateway]"
> push "route [subnet 1] 255.255.255.0"
> push "route [subnet 2] 255.255.255.0"
> push "route [subnet 3] 255.255.255.0"
> push "route [subnet 4] 255.255.255.0"
> push "route [subnet 5] 255.255.255.0"
> push "route [subnet 6] 255.240.0.0"
> push "route [subnet 7] 255.255.255.192"
> push "dhcp-option DNS [LAN DNS 1]"
> push "dhcp-option DNS [LAN DNS 2]"
> push "dhcp-option DNS [LAN DNS 3]"
>
> script-security 2 system
> client-connect /etc/openvpn/ccs.sh
> client-disconnect /etc/openvpn/ccd.sh
> client-config-dir client-configs
> ccd-exclusive
> username-as-common-name
> keepalive 2 10
> reneg-sec 0
> tls-auth /etc/openvpn/keys/ta.key 0
> plugin /usr/lib/openvpn/openvpn-auth-pam.so login
> cipher AES-256-CBC
> comp-lzo
> max-clients 13
>
> user ovpn-user
> group ovpn-user
>
> persist-key
> persist-tun
>
> status openvpn-status.log
> log-append /var/log/openvpn.log
> verb 6
> mute 5
> mute-replay-warnings


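An ARP reply is a unicast frame addressed to the requester's MAC, so whether br0 forwards one to tap0 depends on which port the bridge's forwarding table has learned that MAC on; the `brctl showmacs` output above shows only tap0's own address on port 2. The following Python is an added example, not anything from the post: it parses `brctl showmacs` output (a constructed sample abridged from the table above) and predicts the egress port(s) for a unicast frame, assuming the port numbering from `brctl show` (port 1 = vlan9, port 2 = tap0).

```python
"""Predict Linux bridge egress for a unicast frame from `brctl showmacs` output."""
import re

# Constructed sample, abridged from the `brctl showmacs br0` output in the post.
SAMPLE_SHOWMACS = """\
port no mac addr is local? ageing timer
  1 00:02:b3:07:85:e0 no 224.01
  1 00:0c:29:46:f9:50 yes 0.00
  1 00:ff:7f:b2:80:34 no 2.99
  2 00:ff:d1:9f:78:48 yes 0.00
"""

# Assumed mapping of bridge port numbers to interfaces, taken from `brctl show`.
PORT_NAMES = {1: "vlan9", 2: "tap0"}

FDB_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(yes|no)\s+([\d.]+)\s*$", re.I)


def parse_showmacs(text):
    """Return {mac: (port, is_local, ageing_seconds)}; header lines are skipped."""
    fdb = {}
    for line in text.splitlines():
        m = FDB_LINE.match(line)
        if m:
            fdb[m.group(2).lower()] = (int(m.group(1)), m.group(3) == "yes", float(m.group(4)))
    return fdb


def egress_ports(fdb, dst_mac, ingress_port):
    """Interfaces a unicast frame to dst_mac is sent out of when it arrives on ingress_port.
    Unknown destination: flooded to every port except the ingress one.
    Local (bridge's own) address: delivered to the host stack, reported as 'local'.
    Learned on the ingress port itself: never sent back the way it came, so dropped."""
    entry = fdb.get(dst_mac.lower())
    if entry is None:
        return sorted(PORT_NAMES[p] for p in PORT_NAMES if p != ingress_port)
    port, is_local, _age = entry
    if is_local:
        return ["local"]
    if port == ingress_port:
        return []
    return [PORT_NAMES[port]]


def arp_reply_reaches_tap0(fdb, client_mac):
    """An ARP reply to a VPN client enters on vlan9 (port 1); does it reach tap0?"""
    return "tap0" in egress_ports(fdb, client_mac, ingress_port=1)
```

A client MAC that the bridge has learned on vlan9 (port 1) will have every reply kept on that side, which is the case to rule out before suspecting the switch.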
 
Old 09-03-2010, 06:45 PM
Keith Edmunds
 
Linux ARP bridging issues

On Fri, 3 Sep 2010 12:14:05 -0400, ross@wtccommunications.ca said:

> Up until sometime last week this thing ran absolutely fine.

So something changed last week. If you are absolutely certain no
configuration changes were made - and you might want to get someone else
to check that as well - then I'd suggest a faulty switch or similar.


 