[Swan-dev] xauth and proxy arp
tis at foobar.fi
Wed Apr 29 13:45:17 EEST 2015
On Wed, 29 Apr 2015 10:58:53 +0200
Wolfgang Nothdurft <wolfgang at linogate.de> wrote:
> The proxy arp entry is for the local address the client gets.
Ok. I misunderstood your user case.
I think this is too complicated solution for the problem.
Simple one is to enable sysctl option for proxy_arp for lan interface
if you use pool which is part of lan network.
If you have eth1 as lan network interface you could do:
sysctl -w net.ipv4.conf.eth1.proxy_arp=1
When this is activated, kernel does automatically proxy arp on eth1 if
there is more specific route on different interface.
> When your local net is 220.127.116.11/24 and the client for example gets
> an ip adress from this range, you need a proxy arp entry to
> communicate with other local clients.
> The script check if the client ip is routable on local ethernet
> devices and add a proxy arp entry.
> Normally this is PLUTO_PEER_CLIENT, but PLUTO_PEER_CLIENT_NET has the
> correct ip without /32 mask.
This way to do proxyarp I described works for cases where you have
192.168.0.32/27 behind eth2 and 192.168.0.0/24 behind eth1. Packets
from 192.168.0.32/27 hosts use default route to 192.168.0.0/24 and eth1
automatic proxyarp causes router to answer with proxy arp causing
response packets to work or rest of 192.168.0.0/24. Note, with this
setup 192.168.0.32/27 can't be used in 192.168.0.0/24 network. This
proxyarp based subnetting is called variable lenght net masks (VLNM) on
Could you try with this, I'm sure this is better solution than hacking
forced proxyarp to _updown.*
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
More information about the Swan-dev