maiku, Guru
Joined: 24 Mar 2004; Posts: 498; Location: Long Island, NY
Posted: Mon Aug 06, 2012 8:24 pm
Post subject: [solved] Routing using iproute2 fwmark to Squid machine
I'm trying to set up a Squid proxy doing transparent proxying (interception) on a machine different from the router.
I have attempted two guides http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute and http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.cookbook.squid.html which essentially say the same thing.
The issue I'm having is that I see the packets being marked on my router but the browser just times out. What could I be missing in the chain? The iptables on the Squid machine never counts up.
Router:
Quote:
# ip rule show
0: from all lookup local
32765: from all fwmark 0x2 lookup www
32766: from all lookup main
32767: from all lookup default
# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 1945 packets, 221K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 768 packets, 59889 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 150 packets, 18183 bytes)
pkts bytes target prot opt in out source destination
1021 73485 MASQUERADE all -- any eth0 anywhere anywhere
# iptables -t mangle -v -L -n
Chain PREROUTING (policy ACCEPT 9362 packets, 2184K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.0.0.137 0.0.0.0/0 tcp dpt:80
1469 239K MARK tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 MARK xset 0x2/0xffffffff
Chain INPUT (policy ACCEPT 5231 packets, 632K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 5611 packets, 1638K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2980 packets, 1034K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 8599 packets, 2673K bytes)
pkts bytes target prot opt in out source destination
# ip rule show
0: from all lookup local
32765: from all fwmark 0x2 lookup www
32766: from all lookup main
32767: from all lookup default
# ip route show table www
default via 10.0.0.137 dev br0
Squid machine:
Quote:
# iptables -v -L -t nat -n
Chain PREROUTING (policy ACCEPT 811 packets, 161K bytes)
pkts bytes target prot opt in out source destination
3 140 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain INPUT (policy ACCEPT 311 packets, 46400 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 104 packets, 13553 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 104 packets, 13553 bytes)
pkts bytes target prot opt in out source destination
Where br0 is the internal network interface on the router, the network is 10.0.0.0/24, and 10.0.0.137 is the IP of the Squid machine.
Thanks for the help!
- Mike A. Leonetti
Last edited by maiku on Wed Aug 08, 2012 2:30 am; edited 2 times in total
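The packet path the first post is trying to build (mangle PREROUTING sets a fwmark, `ip rule` picks a table by that mark, the table supplies the next hop) can be modelled in a few lines. The following Python is an added illustration written for this page, not code from the thread or from the Squid wiki. The mangle chain, the `ip rule` list and table www are taken from the outputs quoted above; the main table and its upstream gateway name are assumptions.

```python
"""Toy model of the router's policy-routing decision for the setup in this thread.
Chains and tables are constructed from the outputs quoted in the first post;
the main table is assumed (the page shows only table www)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int


# mangle PREROUTING as shown on the router (iptables -t mangle -L -n).
# A missing key means "any". The ACCEPT for Squid's own source address stops
# the walk, so Squid's outbound fetches are never marked and never loop back.
MANGLE_PREROUTING = [
    {"src": "10.0.0.137", "dport": 80, "target": "ACCEPT"},
    {"in": "br0", "dport": 80, "target": "MARK", "mark": 0x2},
]

# ip rule show: (priority, fwmark or None for "from all", table)
IP_RULES = [
    (0, None, "local"),
    (32765, 0x2, "www"),
    (32766, None, "main"),
    (32767, None, "default"),
]

# Route tables as (prefix, via, dev). "www" is from the page; "main" is an
# assumption built from the interface config, with a placeholder upstream gateway.
ROUTE_TABLES = {
    "local": [],
    "www": [("0.0.0.0/0", "10.0.0.137", "br0")],
    "main": [("10.0.0.0/24", None, "br0"), ("0.0.0.0/0", "<isp-gateway>", "eth0")],
    "default": [],
}


def mangle_prerouting(pkt: Packet) -> int:
    """Walk the chain in order: ACCEPT terminates, MARK --set-xmark sets and continues."""
    mark = 0
    for rule in MANGLE_PREROUTING:
        if rule.get("in") not in (None, pkt.in_iface):
            continue
        if rule.get("src") not in (None, pkt.src):
            continue
        if rule.get("dport") not in (None, pkt.dport):
            continue
        if rule["target"] == "ACCEPT":
            return mark
        if rule["target"] == "MARK":
            mark = rule["mark"]
    return mark


def lookup(table: str, dst: str):
    """Longest-prefix match inside one table; None when the table has no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in ROUTE_TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def route(pkt: Packet) -> dict:
    """Policy routing: rules in priority order; a miss in a table falls through to the next rule."""
    mark = mangle_prerouting(pkt)
    for _prio, fwmark, table in IP_RULES:
        if fwmark is not None and fwmark != mark:
            continue
        hit = lookup(table, pkt.dst)
        if hit is not None:
            _net, via, dev = hit
            # a connected route (no "via") delivers directly to the destination
            return {"mark": mark, "table": table, "nexthop": via or pkt.dst, "dev": dev}
    return {"mark": mark, "table": None, "nexthop": None, "dev": None}


if __name__ == "__main__":
    samples = [
        Packet("br0", "10.0.0.114", "173.194.43.4", 80),   # LAN client HTTP -> Squid
        Packet("br0", "10.0.0.137", "173.194.43.4", 80),   # Squid's own fetch -> Internet
        Packet("br0", "10.0.0.114", "173.194.43.4", 443),  # HTTPS is not intercepted
        Packet("br0", "10.0.0.114", "10.0.0.50", 80),      # LAN-to-LAN HTTP is also diverted
    ]
    for p in samples:
        print(p, "->", route(p))
```

Two things the model makes visible: without the ACCEPT for 10.0.0.137 the Squid box's own fetches would be marked on the way back in and sent to itself again, and because table www only has a default route, HTTP between two LAN hosts is diverted to Squid as well (a more specific route in table www, or a `! -d 10.0.0.0/24` match on the MARK rule, avoids that).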
papahuhn, Guru
Joined: 06 Sep 2004; Posts: 554
Posted: Mon Aug 06, 2012 9:08 pm
Is /proc/sys/net/ipv4/ip_forward enabled on the squid machine?
Death by snoo-snoo!
maiku, Guru
Joined: 24 Mar 2004; Posts: 498; Location: Long Island, NY
Posted: Mon Aug 06, 2012 9:25 pm
Yes.
Quote:
# cat /proc/sys/net/ipv4/ip_forward
1
- Mike A. Leonetti
papahuhn, Guru
Joined: 06 Sep 2004; Posts: 554
Posted: Mon Aug 06, 2012 10:05 pm
Could you tcpdump port 80 on your squid machine? Do packets arrive at it? Does squid send SYN/ACKs as a response which are not acked back?
Death by snoo-snoo!
maiku, Guru
Joined: 24 Mar 2004; Posts: 498; Location: Long Island, NY
Posted: Mon Aug 06, 2012 10:21 pm
Here is what happens:
Quote:
# tcpdump port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
So it doesn't see any packets coming in.
What's a good filter to check to see the other things that you wanted the output for?
- Mike A. Leonetti
papahuhn, Guru
Joined: 06 Sep 2004; Posts: 554
Posted: Mon Aug 06, 2012 11:15 pm
The other output is not relevant, if there are no incoming packets. Something's wrong on the router, but I don't see it. Two questions:
1) Why do you use eth0 as output-interface for the MASQUERADE if br0 is the internet-connected interface?
2) Could you tcpdump port 80 on the router and see what it does with packets coming from a client (non-squid)?
Death by snoo-snoo!
maiku, Guru
Joined: 24 Mar 2004; Posts: 498; Location: Long Island, NY
Posted: Tue Aug 07, 2012 12:48 am
papahuhn wrote:
1) Why do you use eth0 as output-interface for the MASQUERADE if br0 is the internet-connected interface?
Thanks for pointing this out. br0 is the internal network interface. It's bonded with eth1 and tap0.
/etc/conf.d/net
Quote:
modules=( "iproute2" )
config_eth0=( "dhcp" )
config_eth1=( "null" )
config_br0=( "10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255" )
tuntap_tap0="tap"
tunctl_tap0="-u mike"
config_tap0=( "null" )
mac_tap0="08:00:27:ce:16:e2"
bridge_br0="eth1 tap0"
depend_br0()
{
need net.eth1
need net.tap0
}
brctl_br0=( "setfd 0" "sethello 0" "stp off" )
eth0 is the Internet interface.
papahuhn wrote:
2) Could you tcpdump port 80 on the router and see what it does with packets coming from a client (non-squid)?
Of course. Here is what it says:
Quote:
# tcpdump -n -i br0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 68 bytes
20:43:11.697788 IP 10.0.0.114.50468 > 167.206.252.211.80: S 1555017621:1555017621(0) win 8192 <mss 1460,[|tcp]>
20:43:11.697823 IP 10.0.0.114.50468 > 167.206.252.211.80: S 1555017621:1555017621(0) win 8192 <mss 1460,[|tcp]>
20:43:11.699952 IP 10.0.0.114.50469 > 173.194.43.4.80: S 424295768:424295768(0) win 8192 <mss 1460,[|tcp]>
20:43:11.699964 IP 10.0.0.114.50469 > 173.194.43.4.80: S 424295768:424295768(0) win 8192 <mss 1460,[|tcp]>
20:43:11.848091 IP 10.0.0.114.50470 > 208.117.255.233.80: S 1399247553:1399247553(0) win 8192 <mss 1460,[|tcp]>
20:43:11.848104 IP 10.0.0.114.50470 > 208.117.255.233.80: S 1399247553:1399247553(0) win 8192 <mss 1460,[|tcp]>
20:43:11.947947 IP 10.0.0.114.50471 > 167.206.252.211.80: S 2971504092:2971504092(0) win 8192 <mss 1460,[|tcp]>
20:43:11.947959 IP 10.0.0.114.50471 > 167.206.252.211.80: S 2971504092:2971504092(0) win 8192 <mss 1460,[|tcp]>
20:43:11.950850 IP 10.0.0.114.50472 > 173.194.43.5.80: S 3236880166:3236880166(0) win 8192 <mss 1460,[|tcp]>
20:43:11.950861 IP 10.0.0.114.50472 > 173.194.43.5.80: S 3236880166:3236880166(0) win 8192 <mss 1460,[|tcp]>
20:43:13.477262 IP 10.0.0.114.50466 > 173.194.43.4.80: S 888719285:888719285(0) win 8192 <mss 1460,[|tcp]>
20:43:13.477295 IP 10.0.0.114.50466 > 173.194.43.4.80: S 888719285:888719285(0) win 8192 <mss 1460,[|tcp]>
20:43:13.506513 IP 10.0.0.114.50473 > 199.15.176.161.80: S 3291869895:3291869895(0) win 8192 <mss 1460,[|tcp]>
20:43:13.506533 IP 10.0.0.114.50473 > 199.15.176.161.80: S 3291869895:3291869895(0) win 8192 <mss 1460,[|tcp]>
20:43:13.727259 IP 10.0.0.114.50467 > 173.194.43.5.80: S 2188350595:2188350595(0) win 8192 <mss 1460,[|tcp]>
20:43:13.727270 IP 10.0.0.114.50467 > 173.194.43.5.80: S 2188350595:2188350595(0) win 8192 <mss 1460,[|tcp]>
20:43:13.760380 IP 10.0.0.114.50474 > 199.15.176.161.80: S 2983000469:2983000469(0) win 8192 <mss 1460,[|tcp]>
20:43:13.760394 IP 10.0.0.114.50474 > 199.15.176.161.80: S 2983000469:2983000469(0) win 8192 <mss 1460,[|tcp]>
20:43:14.687326 IP 10.0.0.114.50468 > 167.206.252.211.80: S 1555017621:1555017621(0) win 8192 <mss 1460,[|tcp]>
20:43:14.687347 IP 10.0.0.114.50468 > 167.206.252.211.80: S 1555017621:1555017621(0) win 8192 <mss 1460,[|tcp]>
20:43:14.701242 IP 10.0.0.114.50469 > 173.194.43.4.80: S 424295768:424295768(0) win 8192 <mss 1460,[|tcp]>
20:43:14.701252 IP 10.0.0.114.50469 > 173.194.43.4.80: S 424295768:424295768(0) win 8192 <mss 1460,[|tcp]>
20:43:14.837449 IP 10.0.0.114.50470 > 208.117.255.233.80: S 1399247553:1399247553(0) win 8192 <mss 1460,[|tcp]>
20:43:14.837460 IP 10.0.0.114.50470 > 208.117.255.233.80: S 1399247553:1399247553(0) win 8192 <mss 1460,[|tcp]>
20:43:14.947336 IP 10.0.0.114.50471 > 167.206.252.211.80: S 2971504092:2971504092(0) win 8192 <mss 1460,[|tcp]>
20:43:14.947347 IP 10.0.0.114.50471 > 167.206.252.211.80: S 2971504092:2971504092(0) win 8192 <mss 1460,[|tcp]>
20:43:14.951358 IP 10.0.0.114.50472 > 173.194.43.5.80: S 3236880166:3236880166(0) win 8192 <mss 1460,[|tcp]>
20:43:14.951367 IP 10.0.0.114.50472 > 173.194.43.5.80: S 3236880166:3236880166(0) win 8192 <mss 1460,[|tcp]>
20:43:15.030625 IP 10.0.0.114.50465 > 167.206.252.211.80: S 3551438148:3551438148(0) win 8192 <mss 1460,[|tcp]>
20:43:15.030636 IP 10.0.0.114.50465 > 167.206.252.211.80: S 3551438148:3551438148(0) win 8192 <mss 1460,[|tcp]>
20:43:16.501401 IP 10.0.0.114.50473 > 199.15.176.161.80: S 3291869895:3291869895(0) win 8192 <mss 1460,[|tcp]>
20:43:16.501420 IP 10.0.0.114.50473 > 199.15.176.161.80: S 3291869895:3291869895(0) win 8192 <mss 1460,[|tcp]>
20:43:16.759361 IP 10.0.0.114.50474 > 199.15.176.161.80: S 2983000469:2983000469(0) win 8192 <mss 1460,[|tcp]>
20:43:16.759372 IP 10.0.0.114.50474 > 199.15.176.161.80: S 2983000469:2983000469(0) win 8192 <mss 1460,[|tcp]>
20:43:18.661133 IP 10.0.0.114.50475 > 199.15.176.161.80: S 1423662568:1423662568(0) win 8192 <mss 1460,[|tcp]>
20:43:18.661503 IP 10.0.0.114.50475 > 199.15.176.161.80: S 1423662568:1423662568(0) win 8192 <mss 1460,[|tcp]>
20:43:18.937918 IP 74.125.0.233.80 > 10.0.0.114.50448: F 408880240:408880240(0) ack 118804758 win 126
20:43:18.938869 IP 10.0.0.114.50448 > 74.125.0.233.80: . ack 1 win 4242
20:43:18.938881 IP 24.190.198.155.50448 > 74.125.0.233.80: . ack 408880241 win 4242
20:43:18.939072 IP 10.0.0.114.50448 > 74.125.0.233.80: F 1:1(0) ack 1 win 4242
20:43:18.939081 IP 24.190.198.155.50448 > 74.125.0.233.80: F 0:0(0) ack 1 win 4242
20:43:18.986592 IP 10.0.0.114.50427 > 72.247.146.170.80: R 120961098:120961098(0) ack 2051800279 win 0
20:43:18.986605 IP 24.190.198.155.50427 > 72.247.146.170.80: R 120961098:120961098(0) ack 2051800279 win 0
20:43:19.202839 IP 74.125.0.233.80 > 10.0.0.114.50448: F 0:0(0) ack 1 win 126
20:43:19.203609 IP 10.0.0.114.50448 > 74.125.0.233.80: . ack 1 win 4242
20:43:19.203619 IP 24.190.198.155.50448 > 74.125.0.233.80: . ack 1 win 4242
20:43:19.238622 IP 10.0.0.114.50448 > 74.125.0.233.80: F 1:1(0) ack 1 win 4242
20:43:19.238632 IP 24.190.198.155.50448 > 74.125.0.233.80: F 0:0(0) ack 1 win 4242
20:43:19.328390 IP 10.0.0.114.50476 > 173.194.43.4.80: S 4177287228:4177287228(0) win 8192 <mss 1460,[|tcp]>
20:43:19.328403 IP 10.0.0.114.50476 > 173.194.43.4.80: S 4177287228:4177287228(0) win 8192 <mss 1460,[|tcp]>
20:43:19.477922 IP 10.0.0.114.50466 > 173.194.43.4.80: S 888719285:888719285(0) win 8192 <mss 1460,[|tcp]>
20:43:19.477934 IP 10.0.0.114.50466 > 173.194.43.4.80: S 888719285:888719285(0) win 8192 <mss 1460,[|tcp]>
20:43:19.581020 IP 10.0.0.114.50477 > 173.194.43.5.80: S 3228853017:3228853017(0) win 8192 <mss 1460,[|tcp]>
20:43:19.581034 IP 10.0.0.114.50477 > 173.194.43.5.80: S 3228853017:3228853017(0) win 8192 <mss 1460,[|tcp]>
20:43:19.730776 IP 10.0.0.114.50467 > 173.194.43.5.80: S 2188350595:2188350595(0) win 8192 <mss 1460,[|tcp]>
20:43:19.730788 IP 10.0.0.114.50467 > 173.194.43.5.80: S 2188350595:2188350595(0) win 8192 <mss 1460,[|tcp]>
20:43:19.733113 IP 74.125.0.233.80 > 10.0.0.114.50448: F 0:0(0) ack 1 win 126
20:43:19.734171 IP 10.0.0.114.50448 > 74.125.0.233.80: . ack 1 win 4242
20:43:19.734181 IP 24.190.198.155.50448 > 74.125.0.233.80: . ack 1 win 4242
20:43:19.838625 IP 10.0.0.114.50448 > 74.125.0.233.80: F 1:1(0) ack 1 win 4242
20:43:19.838635 IP 24.190.198.155.50448 > 74.125.0.233.80: F 0:0(0) ack 1 win 4242
20:43:20.687728 IP 10.0.0.114.50468 > 167.206.252.211.80: S 1555017621:1555017621(0) win 8192 <mss 1460,[|tcp]>
20:43:20.687740 IP 10.0.0.114.50468 > 167.206.252.211.80: S 1555017621:1555017621(0) win 8192 <mss 1460,[|tcp]>
20:43:20.703969 IP 10.0.0.114.50469 > 173.194.43.4.80: S 424295768:424295768(0) win 8192 <mss 1460,[|tcp]>
20:43:20.703978 IP 10.0.0.114.50469 > 173.194.43.4.80: S 424295768:424295768(0) win 8192 <mss 1460,[|tcp]>
20:43:20.793180 IP 74.125.0.233.80 > 10.0.0.114.50448: F 0:0(0) ack 1 win 126
20:43:20.803599 IP 10.0.0.114.50448 > 74.125.0.233.80: . ack 1 win 4242
20:43:20.803608 IP 24.190.198.155.50448 > 74.125.0.233.80: . ack 1 win 4242
20:43:20.838597 IP 10.0.0.114.50470 > 208.117.255.233.80: S 1399247553:1399247553(0) win 8192 <mss 1460,[|tcp]>
20:43:20.838606 IP 10.0.0.114.50470 > 208.117.255.233.80: S 1399247553:1399247553(0) win 8192 <mss 1460,[|tcp]>
20:43:20.948791 IP 10.0.0.114.50471 > 167.206.252.211.80: S 2971504092:2971504092(0) win 8192 <mss 1460,[|tcp]>
20:43:20.948801 IP 10.0.0.114.50471 > 167.206.252.211.80: S 2971504092:2971504092(0) win 8192 <mss 1460,[|tcp]>
20:43:20.953930 IP 10.0.0.114.50472 > 173.194.43.5.80: S 3236880166:3236880166(0) win 8192 <mss 1460,[|tcp]>
20:43:20.953939 IP 10.0.0.114.50472 > 173.194.43.5.80: S 3236880166:3236880166(0) win 8192 <mss 1460,[|tcp]>
20:43:21.038729 IP 10.0.0.114.50448 > 74.125.0.233.80: F 1:1(0) ack 1 win 4242
20:43:21.038741 IP 24.190.198.155.50448 > 74.125.0.233.80: F 0:0(0) ack 1 win 4242
20:43:21.658721 IP 10.0.0.114.50475 > 199.15.176.161.80: S 1423662568:1423662568(0) win 8192 <mss 1460,[|tcp]>
20:43:21.658733 IP 10.0.0.114.50475 > 199.15.176.161.80: S 1423662568:1423662568(0) win 8192 <mss 1460,[|tcp]>
20:43:22.081346 IP 10.0.0.114.50421 > 23.66.188.20.80: F 376300575:376300575(0) ack 282353748 win 4263
20:43:22.081399 IP 24.190.198.155.50421 > 23.66.188.20.80: F 376300575:376300575(0) ack 282353748 win 4263
20:43:22.331167 IP 10.0.0.114.50476 > 173.194.43.4.80: S 4177287228:4177287228(0) win 8192 <mss 1460,[|tcp]>
20:43:22.331198 IP 10.0.0.114.50476 > 173.194.43.4.80: S 4177287228:4177287228(0) win 8192 <mss 1460,[|tcp]>
20:43:22.380791 IP 10.0.0.114.50421 > 23.66.188.20.80: F 0:0(0) ack 1 win 4263
20:43:22.380805 IP 24.190.198.155.50421 > 23.66.188.20.80: F 0:0(0) ack 1 win 4263
20:43:22.500832 IP 10.0.0.114.50473 > 199.15.176.161.80: S 3291869895:3291869895(0) win 8192 <mss 1460,[|tcp]>
20:43:22.500842 IP 10.0.0.114.50473 > 199.15.176.161.80: S 3291869895:3291869895(0) win 8192 <mss 1460,[|tcp]>
20:43:22.580968 IP 10.0.0.114.50477 > 173.194.43.5.80: S 3228853017:3228853017(0) win 8192 <mss 1460,[|tcp]>
20:43:22.580978 IP 10.0.0.114.50477 > 173.194.43.5.80: S 3228853017:3228853017(0) win 8192 <mss 1460,[|tcp]>
20:43:22.759861 IP 10.0.0.114.50474 > 199.15.176.161.80: S 2983000469:2983000469(0) win 8192 <mss 1460,[|tcp]>
20:43:22.759871 IP 10.0.0.114.50474 > 199.15.176.161.80: S 2983000469:2983000469(0) win 8192 <mss 1460,[|tcp]>
20:43:22.912809 IP 74.125.0.233.80 > 10.0.0.114.50448: F 0:0(0) ack 1 win 126
20:43:22.916009 IP 10.0.0.114.50448 > 74.125.0.233.80: . ack 1 win 4242
20:43:22.916019 IP 24.190.198.155.50448 > 74.125.0.233.80: . ack 1 win 4242
20:43:22.983808 IP 10.0.0.114.50421 > 23.66.188.20.80: F 0:0(0) ack 1 win 4263
20:43:22.983819 IP 24.190.198.155.50421 > 23.66.188.20.80: F 0:0(0) ack 1 win 4263
20:43:23.439105 IP 10.0.0.114.50448 > 74.125.0.233.80: F 1:1(0) ack 1 win 4242
20:43:23.439123 IP 24.190.198.155.50448 > 74.125.0.233.80: F 0:0(0) ack 1 win 4242
20:43:24.183938 IP 10.0.0.114.50421 > 23.66.188.20.80: F 0:0(0) ack 1 win 4263
20:43:24.183967 IP 24.190.198.155.50421 > 23.66.188.20.80: F 0:0(0) ack 1 win 4263
20:43:26.584122 IP 10.0.0.114.50421 > 23.66.188.20.80: F 0:0(0) ack 1 win 4263
20:43:26.584482 IP 24.190.198.155.50421 > 23.66.188.20.80: F 0:0(0) ack 1 win 4263
^C
101 packets captured
101 packets received by filter
0 packets dropped by kernel
I hope this helps.
- Mike A. Leonetti
papahuhn, Guru
Joined: 06 Sep 2004; Posts: 554
Posted: Tue Aug 07, 2012 8:38 am
The lines in your last dump always come in pairs, so packets are routed out on the same interface, as one should expect. If you do that dump again with "tcpdump -nei br0 port 80", what destination MAC address do you see for the second packet of every pair? It should be the squid's, but then squid's tcpdump should show something ...
Death by snoo-snoo!
maiku, Guru
Joined: 24 Mar 2004; Posts: 498; Location: Long Island, NY
Posted: Tue Aug 07, 2012 1:33 pm
Aha. There's the problem then.
Quote:
# tcpdump -nei br0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 68 bytes
09:24:53.351661 00:23:14:52:9f:18 > 00:1a:4d:74:fc:b8, ethertype IPv4 (0x0800), length 62: 10.0.0.114.49256 > 64.50.236.214.80: S 1097699395:1097699395(0) win 8192 <mss 1460,[|tcp]>
09:24:53.351683 00:1a:4d:74:fc:b8 > 00:23:14:52:9f:18, ethertype IPv4 (0x0800), length 62: 10.0.0.114.49256 > 64.50.236.214.80: S 1097699395:1097699395(0) win 8192 <mss 1460,[|tcp]>
09:24:53.601315 00:23:14:52:9f:18 > 00:1a:4d:74:fc:b8, ethertype IPv4 (0x0800), length 62: 10.0.0.114.49257 > 128.61.111.9.80: S 2059325472:2059325472(0) win 8192 <mss 1460,[|tcp]>
09:24:53.601329 00:1a:4d:74:fc:b8 > 00:23:14:52:9f:18, ethertype IPv4 (0x0800), length 62: 10.0.0.114.49257 > 128.61.111.9.80: S 2059325472:2059325472(0) win 8192 <mss 1460,[|tcp]>
09:24:54.040046 00:23:14:52:9f:18 > 00:1a:4d:74:fc:b8, ethertype IPv4 (0x0800), length 66: 10.0.0.114.49258 > 174.36.85.72.80: S 731750150:731750150(0) win 8192 <mss 1460,[|tcp]>
09:24:54.040069 00:1a:4d:74:fc:b8 > 00:23:14:52:9f:18, ethertype IPv4 (0x0800), length 66: 10.0.0.114.49258 > 174.36.85.72.80: S 731750150:731750150(0) win 8192 <mss 1460,[|tcp]>
00:23:14:52:9f:18 is the MAC of the laptop making the request. 00:1a:4d:74:fc:b8 is br0. 00:0c:29:83:56:64, which is the MAC of the Squid machine, never appears in the dump.
It continues like this before timing out. So the issue is on the routing end then?
- Mike A. Leonetti
papahuhn, Guru
Joined: 06 Sep 2004; Posts: 554
Posted: Tue Aug 07, 2012 3:33 pm
What the heck...
What does the router's arp cache look like? Does the router know that it is using the laptop as next hop? Do you happen to have any ebtables rules?
Death by snoo-snoo!
maiku, Guru
Joined: 24 Mar 2004; Posts: 498; Location: Long Island, NY
Posted: Tue Aug 07, 2012 3:59 pm
Ah. Details I forgot to mention:
Quote:
# arp
Address HWtype HWaddress Flags Mask Iface
10.0.0.114 ether 00:23:14:52:9f:18 C br0
10.0.0.137 ether 00:23:14:52:9f:18 C br0
ool-18bec001.dyn.optonl ether 50:3d:e5:0c:00:da C eth0
10.0.0.114 is the laptop, 10.0.0.137 is the Squid machine, and it is also a virtual machine on the laptop. I guess that explains the mystery there of why it's sending packets back to the laptop.
Manually adding the MAC address of the virtual machine does make it unreachable. I guess that's to be expected. Is there anything that I can do in this circumstance to get around this?
- Mike A. Leonetti
papahuhn, Guru
Joined: 06 Sep 2004; Posts: 554
Posted: Tue Aug 07, 2012 4:17 pm
Virtual machines have their own MACs if they are bridged to the host's network interface. Which virtualization software do you use? You should try to get an individual MAC for your VM first.
Death by snoo-snoo!
maiku, Guru
Joined: 24 Mar 2004; Posts: 498; Location: Long Island, NY
Posted: Tue Aug 07, 2012 4:33 pm
I'm using VMware Player on Windows 7. I am using a bridged interface and the system believes that it is using a different MAC than the host system. The VM shows a different MAC. In fact, the router also sees that MAC when assigning DHCP and shows it in the logs.
Any ideas on that one?
- Mike A. Leonetti
papahuhn, Guru
Joined: 06 Sep 2004; Posts: 554
Posted: Tue Aug 07, 2012 6:19 pm
Not really an idea, no. I would flush the arp cache and tcpdump for an event which causes the MAC address reassignment. As long as the router uses the VM's MAC address, your setup should work. You could also try to set the arp entry permanently and see how long that works. What happens if you arping the VM, btw?
Death by snoo-snoo!
maiku, Guru
Joined: 24 Mar 2004; Posts: 498; Location: Long Island, NY
Posted: Tue Aug 07, 2012 7:50 pm
Wow. This is such an amazing mystery.
The host system (Windows) sees the correct MAC address:
Quote:
10.0.0.137 00-50-56-25-58-2d dynamic
arping from the router shows the wrong info:
Quote:
# arping -I br0 10.0.0.137
ARPING 10.0.0.137 from 10.0.0.1 br0
Unicast reply from 10.0.0.137 [00:23:14:52:9F:18] 2.538ms
Unicast reply from 10.0.0.137 [00:23:14:52:9F:18] 4.357ms
Other machines on the network recognize it as the wrong MAC address (as the same MAC as the host, which is 00:23:14:52:9F:18).
Then the router is also told the wrong MAC:
Quote:
15:09:25.440473 00:1a:4d:74:fc:b8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 10.0.0.137 tell 10.0.0.1
15:09:25.442510 00:23:14:52:9f:18 > 00:1a:4d:74:fc:b8, ethertype ARP (0x0806), length 60: arp reply 10.0.0.137 is-at 00:23:14:52:9f:18
Is VMware just being garbage?
Setting the MAC manually just causes it to become unreachable.
Quote:
# arp
Address HWtype HWaddress Flags Mask Iface
10.0.0.137 ether 00:50:56:25:58:2d CM br0
# ping 10.0.0.137
PING 10.0.0.137 (10.0.0.137) 56(84) bytes of data.
^C
--- 10.0.0.137 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms
# arping -I br0 10.0.0.137
ARPING 10.0.0.137 from 10.0.0.1 br0
Unicast reply from 10.0.0.137 [00:23:14:52:9F:18] 2.545ms
Unicast reply from 10.0.0.137 [00:23:14:52:9F:18] 2.964ms
^CSent 2 probes (1 broadcast(s))
Received 2 response(s)
This is ridiculous.
- Mike A. Leonetti
papahuhn, Guru
Joined: 06 Sep 2004; Posts: 554
Posted: Tue Aug 07, 2012 7:56 pm
Is your laptop online via WiFi? There might be a problem that the MAC address cannot be changed for a WLAN interface.
Death by snoo-snoo!
maiku, Guru
Joined: 24 Mar 2004; Posts: 498; Location: Long Island, NY
Posted: Wed Aug 08, 2012 2:30 am
papahuhn wrote:
Is your laptop online via WiFi? There might be a problem that the mac address cannot be changed for a WLAN interface.
This was a very intuitive answer. You are very smart.
You're right. That is the issue. When switching to hard wire it works fine. I mean EVERYTHING works fine. This is solved.
Thanks so much.
- Mike A. Leonetti
papahuhn, Guru
Joined: 06 Sep 2004; Posts: 554
Posted: Wed Aug 08, 2012 4:15 pm
This is nice to hear.
So long.
Death by snoo-snoo!