Re: IP Aliasing: IPs Switched?

From: Lainee Scott
Date: Fri Nov 21 2008 - 09:56:42 EST


--- On Thu, 11/20/08, Stephen Hemminger <shemminger@xxxxxxxxxx> wrote:

> From: Stephen Hemminger <shemminger@xxxxxxxxxx>
> Subject: Re: IP Aliasing: IPs Switched?
> To: "Lainee Scott" <laineescott@xxxxxxxxx>
> Cc: linux-net@xxxxxxxxxxxxxxx
> Date: Thursday, November 20, 2008, 11:52 AM
> On Thu, 20 Nov 2008 11:23:47 -0800 (PST)
> Lainee Scott <laineescott@xxxxxxxxx> wrote:
>
> > Hi. I recently inherited a 3 year old FreeBSD box running a firewall/
> > load balancer. I attempted to replace it with an iptables-based firewall
> > running on openSuSE 10.3. I encountered the following issue. Any help
> > would be greatly appreciated.
> >
> > The machine has 2 physical NIC cards with the following IPs:
> >
> > Physical NIC 1:
> > ---------------
> > .11 (eth0)
> > .12 (eth0:1)
> > .13 (eth0:2)
> >
> > Physical NIC 2:
> > ---------------
> > 192.168.1.1
> >
> > Listening on .11 is DNS and on .12 is HTTP. .13 was the IP used by
> > developers to access machines inside the firewall. I didn't test this IP
> > extensively.
> >
> > After we replaced the old firewall with this new one, everything ran fine
> > for 10 hours. No issues. After 10 hours, however, everything seemed to
> > stop responding. As we dug in to investigate, it turned out that .11 was
> > now responding to HTTP traffic and .12 was responding for DNS - essentially
> > .11 and .12 had switched. We rebooted, tried a bunch of stuff and the
> > system never went back to responding to requests properly. We eventually
> > fell back to the old machine.
> >
> > [We ruled out issues with iptables rules because the firewall ran fine for
> > 10 hours with no issues and we cut out a lot of rules while testing during
> > the period when the machine was not responding properly.]
> >
> > Physical NIC 1 is connected to a Cisco 2950 that services the public network.
> > Physical NIC 2 is connected to another Cisco 2950 that services our private
> > 192.168.1.0/24 network.
> >
> > I've built a test network and replicated almost everything. I cannot get
> > this issue to reproduce. The one part I could not replicate was the use of
> > 2 Cisco 2950s. I think I have a 2900/XL on the private network and some
> > NetGear for what would be the public network.
> >
> > I've been reading everything about ARP Flux, ARP caches, IP aliasing and
> > related kernel config parameters, etc. but I can't seem to figure out where to
> > go next or get a definitive answer.
> >
> > Any help would be greatly appreciated!
> >
> > Thanks.
>
> Linux uses weak host model, and BSD used strong host model.
> http://en.wikipedia.org/wiki/Host_model

Stephen, thanks for the reply. I appreciate any help at this point, I'm still a bit stumped. I did the following:

# cd /proc/sys/net/ipv4/conf/
# find . -name rp_filter
./all/rp_filter
./default/rp_filter
./lo/rp_filter
./eth0/rp_filter
./eth1/rp_filter

cat-ing each file in the exact order shown above produces these rules:
1
0
0
0
0

rp_filter is set to 1 for all, 0 for the rest. I believe there are 3 settings for rp_filter - 0, 1, 2. Is 1 what you'd want it set to in order to potentially address my issue? Should any of the settings above be changed?

Also, I did not explicitly add routes for the aliased interfaces like this:

/sbin/route add -host 172.16.3.10 dev eth0:0
/sbin/route add -host 172.16.3.100 dev eth0:1

(cut and pasted from this FAQ http://www.faqs.org/docs/Linux-mini/IP-Alias.html)

Might this be the issue? Do I need to add these?

Thanks!



--
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html