[Swan-dev] xauth and proxy arp

Tuomo Soini tis at foobar.fi
Wed Apr 29 13:45:17 EEST 2015

On Wed, 29 Apr 2015 10:58:53 +0200
Wolfgang Nothdurft <wolfgang at linogate.de> wrote:

> The proxy arp entry is for the local address the client gets.

Ok. I misunderstood your use case.

I think this is too complicated a solution for the problem.

A simpler one is to enable the sysctl option proxy_arp on the LAN interface
if you use a pool which is part of the LAN network.

If you have eth1 as the LAN network interface, you could do:

sysctl -w net.ipv4.conf.eth1.proxy_arp=1

When this is activated, the kernel automatically does proxy ARP on eth1 if
there is a more specific route on a different interface.

> When your local net is and the client for example gets
> an IP address from this range, you need a proxy ARP entry to
> communicate with other local clients.

> The script checks if the client IP is routable on local ethernet
> devices and adds a proxy ARP entry.
> Normally this is PLUTO_PEER_CLIENT, but PLUTO_PEER_CLIENT_NET has the
> correct IP without the /32 mask.

The way to do proxy ARP I described works for cases where you have behind eth2 and behind eth1. Packets
from hosts use the default route to and eth1's
automatic proxy ARP causes the router to answer with proxy ARP, causing
response packets to work for the rest of . Note, with this
setup can't be used in the network. This
proxy ARP based subnetting is called variable length net masks (VLNM) in
some documents.

Could you try this? I'm sure it is a better solution than hacking
forced proxy ARP into _updown.*

Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
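As an added illustration of the approach suggested in this message (not a script from the thread or from the project), the following POSIX shell snippet does the check the thread describes in pure shell: it tests whether the IPsec address pool is carved out of the LAN interface's subnet, and only in that case turns on the kernel's automatic proxy ARP for that interface via the same sysctl key as above. The interface name, LAN prefix and pool prefix at the bottom are constructed sample values, and the `configure_proxy_arp` helper name is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Decide whether an IPsec
# address pool overlaps a LAN interface's subnet and, if so, enable the
# kernel's automatic proxy ARP (net.ipv4.conf.<if>.proxy_arp) on it.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask (as an integer) for a prefix length 0..32.
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# Return 0 (true) if network $1 (a.b.c.d/len) lies inside network $2 (a.b.c.d/len).
cidr_within() {
    inner_ip=${1%/*}; inner_len=${1#*/}
    outer_ip=${2%/*}; outer_len=${2#*/}
    # A larger network can never sit inside a smaller one.
    [ "$inner_len" -ge "$outer_len" ] || return 1
    mask=$(prefix_mask "$outer_len")
    [ $(( $(ip_to_int "$inner_ip") & mask )) -eq $(( $(ip_to_int "$outer_ip") & mask )) ]
}

# The sysctl key that turns on automatic proxy ARP for one interface.
proxy_arp_key() {
    echo "net.ipv4.conf.$1.proxy_arp"
}

# Enable proxy ARP on the LAN interface only when the pool is part of the
# LAN network; otherwise there is nothing to change (hypothetical helper).
configure_proxy_arp() {
    lan_if=$1; lan_net=$2; pool_net=$3
    if cidr_within "$pool_net" "$lan_net"; then
        echo "pool $pool_net is inside $lan_net: enabling $(proxy_arp_key "$lan_if")"
        sysctl -w "$(proxy_arp_key "$lan_if")=1"
    else
        echo "pool $pool_net is outside $lan_net: proxy ARP on $lan_if not needed"
    fi
}

# Constructed sample values; only applied when the script is run with
# three arguments, e.g.:  sh proxyarp.sh eth1 192.168.1.0/24 192.168.1.192/26
if [ $# -eq 3 ]; then
    configure_proxy_arp "$1" "$2" "$3"
fi
```

After applying it, `sysctl net.ipv4.conf.eth1.proxy_arp` should read 1, and `ip route get <pool address>` should show the more specific route leaving on the IPsec-facing interface; that combination is what makes the kernel answer ARP for the pool address on eth1 without any per-client entry in _updown.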
