Re: arping confusion multi-homed private networks



On Feb 19, 12:16 pm, percy.m...@xxxxxxxxx wrote:

> > You are missing the point. The point is that you have two machines
> > with the same IP address connected to each other.

> Two firewalls that connect to each other on the public side (eth0) and
> both happen to decide to use 192.168.1.1 on the private side (eth1) do
> not cause this problem.

Right, that's because (we hope) they're properly configured to NAT/hide
the 192.168.1.x addresses. This configuration includes hiding their own
addresses.

> It's not a problem with having the same IP address
> on two machines, it has to do with not having full separation between
> the different networks. I had thought that by not having forwarding
> enabled, there was no need to concern myself with the arp tables.

Full separation requires something akin to NAT.

> > What would happen if one of the machines decided to contact the other
> > machine using, as a source address, an address the other machine also
> > had assigned to it?

> Not gonna spontaneously decide to do so. Traffic to the private
> network will be sent to that interface, using that interface's primary
> address, because it fits the netmask. Same for the public side. The
> arps would not be routed through. I figure with forwarding turned off,
> there's no routing either. Except for arp, it seems.

This is one of those "fix everything that happens to break"
approaches. It's not a good idea, because you never know when
something else will decide to break. Fixing it so that it isn't broken
is the correct approach.

> Basic statement of my problem I guess: I assume that forwarding off
> implies routing is off, so should behave much like having the firewall
> at full-stop between the interfaces.

That's not the problem. The problem has nothing to do with routing.
The problem is that you have two machines with the same IP address
connected to each other. You need to properly configure NAT so that
the machine *cannot* source a packet with a source address onto a
network on which that source address is invalid.

*If* source address X is not valid on network Y, then packets with
source address X must not be sent on network Y. You can stop this with
firewalling, NAT, or some other method. But ARP is just a symptom of
the problem.

DS
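The rule DS states in the last two paragraphs (a source address may only leave on an interface where it is valid), as an added example that is not code from anyone in the thread: a small Python model of the per-interface source check, applied to constructed sample packets, plus the nftables output-hook rules that policy implies. The interface addresses (203.0.113.0/24 as the public segment, 192.168.1.0/24 as the shared private choice) and the rule-set name are assumptions.

```python
import ipaddress

# Constructed interface table for one of the two firewalls in the thread.
# 203.0.113.0/24 stands in for the public segment (assumed, documentation
# range); the private side uses the 192.168.1.0/24 both boxes chose.
INTERFACES = {
    "eth0": ["203.0.113.10/24"],   # public side
    "eth1": ["192.168.1.1/24"],    # private side
}

def build_policy(interfaces):
    """Map each interface to the networks on which a source address is valid."""
    return {iface: [ipaddress.ip_interface(a).network for a in addrs]
            for iface, addrs in interfaces.items()}

def egress_allowed(policy, iface, src):
    """DS's rule: a packet may leave on `iface` only if `src` belongs to a
    network configured on that interface. Unknown interfaces allow nothing."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in policy.get(iface, []))

def nft_rules(policy, table="egress_filter"):
    """Render the policy as nftables rules on the output hook (assumed rule
    set, not something posted in the thread). With forwarding off, all traffic
    the box emits is locally generated, so the output hook is the right place:
    a packet whose source is not valid on the outgoing interface is dropped
    before it reaches the wire, and the ARP side effect never happens."""
    lines = [f"table inet {table} {{", "  chain output {",
             "    type filter hook output priority 0; policy accept;"]
    for iface, nets in sorted(policy.items()):
        allowed = ", ".join(str(n) for n in nets)
        lines.append(f'    oifname "{iface}" ip saddr != {{ {allowed} }} counter drop')
    lines += ["  }", "}"]
    return "\n".join(lines)

def classify(policy, packets):
    """Apply the policy to (iface, src, dst) tuples; one verdict per packet."""
    return [(iface, src, "accept" if egress_allowed(policy, iface, src) else "drop")
            for iface, src, _dst in packets]

if __name__ == "__main__":
    policy = build_policy(INTERFACES)
    # Constructed sample traffic: two normal packets, then the case the thread
    # describes, a private-side source address leaking out the public side.
    sample = [("eth1", "192.168.1.1", "192.168.1.50"),
              ("eth0", "203.0.113.10", "203.0.113.20"),
              ("eth0", "192.168.1.1", "203.0.113.20")]
    for verdict in classify(policy, sample):
        print(verdict)
    print(nft_rules(policy))
```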