
ARP puzzle

Dear colleagues,

To make everything clear, a screenshot with a description of the network is attached:

There are 2 PPPoE servers and 1 PPTP server on which subscribers authenticate; internally the subscribers are routed via OSPF. A TV server (unicast stream) has appeared; PPPoE server 1 is set as its default gateway, and it receives a command of the form: Redirect Host(New nexthop: 192......), and everything works well until a subscriber jumps from one server to another. After that the subscriber does not see what the server is broadcasting until a ping is started from the subscriber or from the TV server to the subscriber (or from the subscriber to the server); after that everything is restored immediately.

Question: what was done wrong?

 

TS2DNWZg.png

Edited by MiO


No ideas about what the problem is, but maybe try giving up on ICMP redirect and including the TV server in OSPF?


I'd like to figure it out :)

Question 2: how do I properly and completely clear the ARP table in Linux Ubuntu?


Question 2: how do I properly and completely clear the ARP table in Linux Ubuntu?

Same as in any other Linux:

man arp
arp -h

arp -an | cut -d ' ' -f2 | tr -d '()' | while read IP ; do arp -d $IP ; done

Edited by Вовик


ip neigh flush dev eth0


Which of these settings could have caused this behavior?

# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0

# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects=0


Which of these settings could have caused this behavior?


https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

Which of the servers is this config from?


Strange that it works for you at all...


accept_redirects - BOOLEAN
Accept ICMP redirect messages.
accept_redirects for the interface will be enabled if:
- both conf/{all,interface}/accept_redirects are TRUE in the case
  forwarding for the interface is enabled
or
- at least one of conf/{all,interface}/accept_redirects is TRUE in the
  case forwarding for the interface is disabled
accept_redirects for the interface will be disabled otherwise
default TRUE (host)
	FALSE (router)

forwarding - BOOLEAN
Enable IP forwarding on this interface.

 

sysctl -a | grep accept_redirect

sysctl -a | grep forwarding


:~$ sysctl -a | grep accept_redirect
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth1.accept_redirects = 1
net.ipv4.conf.eth2.accept_redirects = 1
net.ipv4.conf.eth3.accept_redirects = 1
net.ipv4.conf.lo.accept_redirects = 1
error: permission denied on key 'net.ipv4.route.flush'
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 1
net.ipv6.conf.eth0.accept_redirects = 1
net.ipv6.conf.eth1.accept_redirects = 1
net.ipv6.conf.eth2.accept_redirects = 1
net.ipv6.conf.eth3.accept_redirects = 1
net.ipv6.conf.lo.accept_redirects = 1
error: permission denied on key 'net.ipv6.route.flush'
error: permission denied on key 'vm.compact_memory'
:~$

 

:~$ sysctl -a | grep forwarding
error: permission denied on key 'fs.protected_hardlinks'
error: permission denied on key 'fs.protected_symlinks'
error: permission denied on key 'kernel.cad_pid'
error: permission denied on key 'kernel.usermodehelper.bset'
error: permission denied on key 'kernel.usermodehelper.inheritable'
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth3.forwarding = 0
net.ipv4.conf.eth3.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
error: permission denied on key 'net.ipv4.route.flush'
error: permission denied on key 'net.ipv4.tcp_fastopen_key'
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.eth2.forwarding = 0
net.ipv6.conf.eth2.mc_forwarding = 0
net.ipv6.conf.eth3.forwarding = 0
net.ipv6.conf.eth3.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
error: permission denied on key 'net.ipv6.route.flush'
error: permission denied on key 'vm.compact_memory'

 

 

Apparently it works using the first route it received...

P.S. For now I have set "sysctl net.ipv4.conf.all.send_redirects=1"

Edited by MiO


No, everything is correct; it should accept redirects in this configuration.

Maybe there are some problems with the route cache... All that's left is to sniff the traffic until enlightenment ) Emulate a constantly switching client and watch whether the routers send correct ICMP redirects and whether the TV server reacts to them correctly with changes in its route cache.

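Added example, not part of any post in this thread: the accept_redirects rule quoted from ip-sysctl.txt above, applied to lines of the `sysctl -a` output the TV server's owner posted. The function names are illustrative, and a key missing from the input is assumed to be 0.

```python
import re

# Lines copied from the TV server's `sysctl -a` output posted in this thread,
# including one of the "permission denied" noise lines.
SAMPLE = """\
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth1.accept_redirects = 1
error: permission denied on key 'net.ipv4.route.flush'
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
"""

KEY = re.compile(
    r"^net\.ipv4\.conf\.([^.\s]+)\.(accept_redirects|forwarding)\s*=\s*(\d+)$")


def parse(text):
    """Return {interface: {key: bool}}; unrelated and error lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = KEY.match(line.strip())
        if m:
            iface, key, value = m.groups()
            conf.setdefault(iface, {})[key] = value != "0"
    return conf


def effective_accept_redirects(conf):
    """Apply the ip-sysctl.txt rule per interface (a missing key counts as 0)."""
    all_on = conf.get("all", {}).get("accept_redirects", False)
    result = {}
    for iface, vals in conf.items():
        if iface in ("all", "default"):
            continue  # templates, not real interfaces
        own = vals.get("accept_redirects", False)
        if vals.get("forwarding", False):
            result[iface] = all_on and own  # forwarding on: both must be TRUE
        else:
            result[iface] = all_on or own   # forwarding off: one is enough
    return result


if __name__ == "__main__":
    for iface, on in sorted(effective_accept_redirects(parse(SAMPLE)).items()):
        print(f"{iface}: ICMP redirects {'accepted' if on else 'ignored'}")
```

With forwarding off, `net.ipv4.conf.all.accept_redirects=0` by itself leaves redirects accepted on every interface whose own value is still 1, so a host that must ignore redirects needs the per-interface (and `default`) values set to 0 as well.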

So, that is, sysctl net.ipv4.conf.all.send_redirects=1 should help? (It was sysctl net.ipv4.conf.all.send_redirects=0)


send_redirects must be enabled on all your routers.

By the way, that is already a possibility: send_redirects is enabled on your first PPPoE and disabled on the rest, which fits the problem )


Got it, testing.
