ARP Problem - Please Help

Thu Jul 31 17:27:33 PDT 2003

"Company 2210" <company2210 at hotmail.com> writes:

>     My problem is this (and it's driving me nuts as I can't see the
> solution). I have two freebsd boxes acting as routers, the layout is like
> this:
> 
> 
> Clients (12.20.78.0/25) <----->(eth0) ROUTER A (eth1)<=======> (eth1) ROUTER
> B (eth0) <----> (12.20.65.69) Upstream ISP & Internet
> 
> Router A Configuration:
> 
> eth0: 12.20.78.1 Subnet 255.255.255.128
> eth1: 10.0.0.1 Subnet 255.255.255.0
> 
> Router B Configuration:
> 
> eth0: 12.20.65.70 Subnet 255.255.255.252
> eth1: 10.0.0.2 Subnet 255.255.255.0
> 
> 
> The private IP's denote an IPSEC VPN connection (Wireless) between ROUTER A
> & B, all the client PC's are on public IP's. Now, the VPN works perfectly,
> encrypting the packets over the wireless link, however ROUTER A's eth0
> interface does not appear in the arp -a lookup:
> 
> ? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 permanent [ethernet]
> ? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 [ethernet]
> ? (12.20.78.0) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]
> ? (12.20.78.2) at 00:0c:cd:53:d9:f3 on eth0 [ethernet]
> ? (12.20.78.42) at 00:9a:17:90:d3:b4 on eth0 [ethernet]
> ? (12.20.78.52) at 00:2b:18:2e:22:21 on eth0 [ethernet]
> ? (12.20.78.127) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]

Those look like entries for all the local nets...

> If I try and force the entry, I receive the following error:
> 
> routera# arp -s 12.20.78.1 00:0c:5d:e6:16:75
> set: can only proxy for 12.20.78.1

Router B shouldn't need that, because it isn't on that link, and
Router A shouldn't need it because it *is* 12.20.78.1.  What are you
trying to do?

> The big problem this is causing is that clients cannot ping the gateway, and
> it responds to no requests (i.e I can't ssh into it), but it still forwards
> packets perfectly. Basically it's like 12.20.78.1 was invisible. The other
> strange thing is, that if I ssh into ROUTER B and ping 12.20.78.1 I receive
> replies:

What host and gateway addresses are you referring to in the first
sentence, and why are you surprised by the second?

> routerb# ping 12.20.78.1
> PING 12.20.78.1 (12.20.78.1): 56 data bytes
> 64 bytes from 12.20.78.1: icmp_seq=0 ttl=64 time=3.577 ms
> 64 bytes from 12.20.78.1: icmp_seq=1 ttl=64 time=3.724 ms
> 64 bytes from 12.20.78.1: icmp_seq=2 ttl=64 time=3.817 ms
> ^C
> --- 12.20.78.1 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 3.577/3.706/3.817/0.099 ms
> 
> 
> The output of ROUTER B's arp table is displayed below:
> 
> ? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 [ethernet]
> ? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 permanent [ethernet]
> ? (12.20.65.69) at 00:d0:03:ba:bb:fc on eth0 [ethernet]
> 
> 
> I am completely at a loss as to how to get around this problem. Any help or
> advice would be really great as I've spend the past 3 days, and the floor is
> littered with tufts of hair ;) Just incase this is any help, this is the
> output from setkey -DP (For encrypting the packets across the 10.0.0.x link)
> on each router:
> 
> ROUTER A:
> 
> 0.0.0.0/0[any] 12.20.78.0/25[any] any
>         in ipsec
>         esp/tunnel/10.0.0.2-10.0.0.1/require
>         spid=2 seq=1 pid=778
>         refcnt=1
> 12.20.78.0/25[any] 0.0.0.0/0[any] any
>         out ipsec
>         esp/tunnel/10.0.0.1-10.0.0.2/require
>         spid=1 seq=0 pid=778
>         refcnt=1
> 
> ROUTER B:
> 
> 12.20.78.0/25[any] 0.0.0.0/0[any] any
>         in ipsec
>         esp/tunnel/10.0.0.1-10.0.0.2/require
>         spid=8 seq=1 pid=24377
>         refcnt=1
> 0.0.0.0/0[any] 12.20.78.0/25[any] any
>         out ipsec
>         esp/tunnel/10.0.0.2-10.0.0.1/require
>         spid=7 seq=0 pid=24377
>         refcnt=1

I don't really get the "eth0" nomenclature, anyway; I've seen it on
Linux, where the device type is abstracted behind a common name, but I
don't know what it means in a FreeBSD setup...