Re: multiple interfaces act like proxy arp is on

On Wed, 02 May 2007 09:37:19 +0200 Rainer Weikusat <rweikusat@xxxxxxxxxxx> wrote:
| phil-news-nospam@xxxxxxxx writes:
|> I have a computer with 3 ethernet interfaces. All 3 are on the same subnet
|> but have different IP addresses. I do not have proxy ARP on. Yet, when I
|> ping (from another machine on the same switch) any of the 3 IP addresses,
|> I get an ARP answer (when needed) and ping responses for each, but always
|> with the MAC address of the first interface.
|
| This is the default behaviour of the Linux IP code, cf
|
| arp_filter - BOOLEAN
|
| [...]
|
| 0 - (default) The kernel can respond to arp requests with addresses
| from other interfaces. This may seem wrong but it usually makes
| sense, because it increases the chance of successful communication.

In actuality, it can cause communication to fail. It would be better to
use the MAC address of the interface with that IP address.


| IP addresses are owned by the complete host on Linux, not by
| particular interfaces. Only for more complex setups like load-
| balancing, does this behaviour cause problems.

These tend to be the setups where one would have multiple addresses. For
"system wide" IP addresses, one can put alias addresses on interface "lo".


| (../linux/Documentation/networking/ip-sysctl.txt)

Seems to me to be justification of what I still insist is a strange behaviour
that at least some past version of Linux did not do, and some other OSes do
not do (because I've done this in the past on other systems like Solaris, and
also on Cisco routers, to create reliable fallback methods).


| Another setup where this causes serious problems is if a couple of
| 'firewall' devices are connected to the same 'outside' physical
| network and use the same 'internal' IP network on their 'inside' sides
| -- the kernel will then answer to ARP requests for the internal IP
| coming in from outside.

This might explain some problems people have had with Linux based firewalls,
that I've seen discussed online, that never got resolved. Looks like I will
have to look into writing a patch to the kernel (but I don't have time for
that for the current project).

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2007-05-02-1311@xxxxxxxx |
|------------------------------------/-------------------------------------|
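Added example, not part of the thread above and not taken from the kernel documentation it quotes: a small POSIX shell audit that reads a `sysctl net.ipv4.conf` style dump and lists the interfaces that will still answer ARP for addresses held by other interfaces, i.e. those with both arp_filter and arp_ignore at 0. The sample dump is constructed for a three-NIC host like the one in the original question; the sysctl names are the documented Linux ones from ip-sysctl.txt, and the suggested fix follows that file (arp_ignore=1 replies only when the target address is configured on the interface the request arrived on, arp_filter=1 adds a route lookup). On a real host, feed it `sysctl net.ipv4.conf` instead of the sample.

```shell
#!/bin/sh
# Audit Linux per-interface ARP reply settings from a "key = value" sysctl dump.
# Added example; the dump below is CONSTRUCTED, not captured from a real host.

# Constructed sample: three NICs on one subnet plus lo. eth0 has the kernel
# defaults (answers ARP for any local address), eth1 and eth2 have one of the
# two restricting knobs set. Values are assumptions for illustration only.
SAMPLE_SYSCTL='net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.eth1.arp_filter = 1
net.ipv4.conf.eth1.arp_ignore = 0
net.ipv4.conf.eth2.arp_filter = 0
net.ipv4.conf.eth2.arp_ignore = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.arp_ignore = 0'

# audit_arp_sysctls: read sysctl lines on stdin; print, one per line and
# sorted, each physical interface whose arp_filter AND arp_ignore are both 0.
# "all", "default" and "lo" are skipped: they are not per-NIC answers.
audit_arp_sysctls() {
    awk -F'[ =]+' '
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.arp_(filter|ignore)$/ {
            split($1, p, ".")
            dev = p[4]; key = p[5]
            if (dev == "all" || dev == "default" || dev == "lo") next
            v[dev, key] = $2
            seen[dev] = 1
        }
        END {
            for (d in seen)
                if (v[d, "arp_filter"] == "0" && v[d, "arp_ignore"] == "0")
                    print d
        }' | sort
}

# suggest_fix: print the sysctl.conf lines that make <dev> answer ARP only
# for addresses configured on <dev> itself (values as documented in ip-sysctl.txt).
suggest_fix() {
    dev=$1
    printf 'net.ipv4.conf.%s.arp_ignore = 1\n' "$dev"
    printf 'net.ipv4.conf.%s.arp_filter = 1\n' "$dev"
}

# Stand-alone usage: report the offending interfaces and the lines to add.
printf '%s\n' "$SAMPLE_SYSCTL" | audit_arp_sysctls | while read -r d; do
    echo "# $d answers ARP for addresses on other interfaces; suggested fix:"
    suggest_fix "$d"
done
```

With the constructed dump only eth0 is reported, since eth1 and eth2 each already have one restricting knob set. Note that arp_ignore is the setting that addresses the firewall case quoted above (internal addresses being answered from the outside interface), while arp_filter alone only changes which interface's MAC is used when a route exists.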