MiO Posted May 6, 2014 (edited) · Report post Уважаемые! чтобы всё было понятно в приложении скрин с описанием сети: есть 2 сервера PPPOE и 1 PPTP на которых авторизуются абоненты, внутри абоненты ходят по OSPF, появился сервер TV (unicast поток), как основной шлюз на нём указан 1 сервер PPPOE и он получает команду вида: Redirect Host(New nexthop: 192......) и всё работает хорошо, до того момента пока абонент не перескочит с одного сервера на другой, после этого абонент не видит то что транслирует сервер пока с абонента или с сервера TV не запустить пинг до абонента (или от абонента до сервера), после этого всё сразу восстанавливается. вопрос, что сделано не так? Edited May 6, 2014 by MiO Share this post Link to post Share on other sites
bos9 Posted May 7, 2014 · Report post Нет идей, что за проблема, но может попробовать отказаться от icmp redirect и включать сервер TV в ospf? Share this post Link to post Share on other sites
MiO Posted May 7, 2014 · Report post мне бы разобраться :) вопрос 2, как в linux ubuntu правильно полностью очистить arp таблицу? Share this post Link to post Share on other sites
Вовик Posted May 7, 2014 (edited) · Report post вопрос 2, как в linux ubuntu правильно полностью очистить arp таблицу? Как и в любом другом линуксе: man arp arp -h arp -an | cut -d ' ' -f2 | tr -d '()' | while read IP ; do arp -d $IP ; done Edited May 7, 2014 by Вовик Share this post Link to post Share on other sites
bos9 Posted May 7, 2014 · Report post ip neigh flush dev eth0 Share this post Link to post Share on other sites
MiO Posted May 7, 2014 · Report post какая из настроек могла повлиять на такое поведение? # Do not accept IP source route packets (we are not a router) net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 # Additional settings - these settings can improve the network # security of the host and prevent against some network attacks # including spoofing attacks and man in the middle attacks through # redirection. Some network environments, however, require that these # settings are disabled so review and enable them as needed. # # Do not accept ICMP redirects (prevent MITM attacks) net.ipv4.conf.all.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 # Accept ICMP redirects only for gateways listed in our default # gateway list (enabled by default) # net.ipv4.conf.all.secure_redirects = 1 # # Do not send ICMP redirects (we are not a router) net.ipv4.conf.all.send_redirects=0 Share this post Link to post Share on other sites
bos9 Posted May 7, 2014 · Report post какая из настроек могла повлиять на такое поведение? # Do not accept IP source route packets (we are not a router) net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 # Additional settings - these settings can improve the network # security of the host and prevent against some network attacks # including spoofing attacks and man in the middle attacks through # redirection. Some network environments, however, require that these # settings are disabled so review and enable them as needed. # # Do not accept ICMP redirects (prevent MITM attacks) net.ipv4.conf.all.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 # Accept ICMP redirects only for gateways listed in our default # gateway list (enabled by default) # net.ipv4.conf.all.secure_redirects = 1 # # Do not send ICMP redirects (we are not a router) net.ipv4.conf.all.send_redirects=0 https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt с какого из серверов этот конфиг? Share this post Link to post Share on other sites
bos9 Posted May 7, 2014 · Report post Странно как оно у вас вообще работает... accept_redirects - BOOLEAN Accept ICMP redirect messages. accept_redirects for the interface will be enabled if: - both conf/{all,interface}/accept_redirects are TRUE in the case forwarding for the interface is enabled or - at least one of conf/{all,interface}/accept_redirects is TRUE in the case forwarding for the interface is disabled accept_redirects for the interface will be disabled otherwise default TRUE (host) FALSE (router) forwarding - BOOLEAN Enable IP forwarding on this interface. sysctl -a | grep accept_redirect sysctl -a | grep forwarding Share this post Link to post Share on other sites
MiO Posted May 7, 2014 (edited) · Report post :~$ sysctl -a | grep accept_redirect net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 1 net.ipv4.conf.eth0.accept_redirects = 1 net.ipv4.conf.eth1.accept_redirects = 1 net.ipv4.conf.eth2.accept_redirects = 1 net.ipv4.conf.eth3.accept_redirects = 1 net.ipv4.conf.lo.accept_redirects = 1 error: permission denied on key 'net.ipv4.route.flush' net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 1 net.ipv6.conf.eth0.accept_redirects = 1 net.ipv6.conf.eth1.accept_redirects = 1 net.ipv6.conf.eth2.accept_redirects = 1 net.ipv6.conf.eth3.accept_redirects = 1 net.ipv6.conf.lo.accept_redirects = 1 error: permission denied on key 'net.ipv6.route.flush' error: permission denied on key 'vm.compact_memory' :~$ :~$ sysctl -a | grep forwarding error: permission denied on key 'fs.protected_hardlinks' error: permission denied on key 'fs.protected_symlinks' error: permission denied on key 'kernel.cad_pid' error: permission denied on key 'kernel.usermodehelper.bset' error: permission denied on key 'kernel.usermodehelper.inheritable' net.ipv4.conf.all.forwarding = 0 net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.default.forwarding = 0 net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.conf.eth0.forwarding = 0 net.ipv4.conf.eth0.mc_forwarding = 0 net.ipv4.conf.eth1.forwarding = 0 net.ipv4.conf.eth1.mc_forwarding = 0 net.ipv4.conf.eth2.forwarding = 0 net.ipv4.conf.eth2.mc_forwarding = 0 net.ipv4.conf.eth3.forwarding = 0 net.ipv4.conf.eth3.mc_forwarding = 0 net.ipv4.conf.lo.forwarding = 0 net.ipv4.conf.lo.mc_forwarding = 0 error: permission denied on key 'net.ipv4.route.flush' error: permission denied on key 'net.ipv4.tcp_fastopen_key' net.ipv6.conf.all.forwarding = 0 net.ipv6.conf.all.mc_forwarding = 0 net.ipv6.conf.default.forwarding = 0 net.ipv6.conf.default.mc_forwarding = 0 net.ipv6.conf.eth0.forwarding = 0 net.ipv6.conf.eth0.mc_forwarding = 0 net.ipv6.conf.eth1.forwarding = 0 net.ipv6.conf.eth1.mc_forwarding = 0 net.ipv6.conf.eth2.forwarding = 0 net.ipv6.conf.eth2.mc_forwarding = 0 net.ipv6.conf.eth3.forwarding = 0 net.ipv6.conf.eth3.mc_forwarding = 0 net.ipv6.conf.lo.forwarding = 0 net.ipv6.conf.lo.mc_forwarding = 0 error: permission denied on key 'net.ipv6.route.flush' error: permission denied on key 'vm.compact_memory' видимо работает по 1ому полученному маршруту... p.s. пока сделал "sysctl net.ipv4.conf.all.send_redirects=1" Edited May 7, 2014 by MiO Share this post Link to post Share on other sites
bos9 Posted May 7, 2014 · Report post нет все верно, должен принимать редиректы в такой конфигурации. может какие-то проблемы с route cache.. остается снифить траф до просветления ) эмулировать постоянно переключающегося клиента и смотреть шлют ли роутеры правильные icmp redirect и привильно ли реагирует на них изменениями в своем роут кэше сервер тв. Share this post Link to post Share on other sites
MiO Posted May 7, 2014 · Report post ну т.е. sysctl net.ipv4.conf.all.send_redirects=1 должно помочь? (было sysctl net.ipv4.conf.all.send_redirects=0) Share this post Link to post Share on other sites
bos9 Posted May 7, 2014 · Report post send_redirects должно быть включено на всех ваших роутерах кстати это уже вариант - у вас включен send_redirects на первом PPoE, а на остальных выключен, подходит под проблему ) Share this post Link to post Share on other sites
MiO Posted May 7, 2014 · Report post понял, тестирую Share this post Link to post Share on other sites
