6

I have a problem on a Xen virtual machine (running the latest Debian) when I try to configure a second failover IP address. OVH reports that my IP is misconfigured and they complain that they receive a massive quantity of ARP packets from these IPs, so they are going to block my IP unless I fix this issue.

I suspect there's a routing issue, but I don't know (and can't find any useful info on the provider's website, and their support doesn't provide me with a valid solution; they just bounce me to their online, useless, guides).

My /etc/network/interfaces looks like this:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address AAA.AAA.AAA.AAA
    netmask 255.255.255.255
    broadcast AAA.AAA.AAA.AAA
    post-up route add 000.000.000.254 dev eth0
    post-up route add default default gw 000.000.000.254 dev eth0

# Secondary NIC
auto eth0:0
iface eth0:0 inet static
    address BBB.BBB.BBB.BBB
    netmask 255.255.255.255
    broadcast BBB.BBB.BBB.BBB

And the routing table is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
000.000.000.254 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
0.0.0.0         000.000.000.254 0.0.0.0         UG    0      0        0 eth0

In these examples (true IP addresses are replaced by fake ones, guess why :)), 000.000.000.000 is my main server's IP address (dom0), 000.000.000.254 is the default gateway OVH recommends, AAA.AAA.AAA.AAA is the first IP Failover and BBB.BBB.BBB.BBB is the second one.

I need both AAA.AAA.AAA.AAA and BBB.BBB.BBB.BBB to be publicly reachable from the Internet and point to my domU, and to be able to access the Internet from inside the virtual machine (domU). I am using eth0 and eth0:0 because, according to OVH support, I have to assign both IPs to the same MAC address and then create a virtual eth0:0 interface for the second IP.

Any suggestion? What am I doing wrong? How can I stop OVH complaining about ARP flood?

Many thanks in advance, DS
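To see what the provider is seeing, the ARP requests leaving the domU can be counted per sender address. The following is an added example, not part of the original post: it parses `tcpdump -n -i eth0 arp` text output, and the sample capture, the documentation-range addresses, and the `window`/`limit` thresholds are constructed assumptions (OVH's actual threshold is not given on this page).

```python
import re
from collections import Counter, defaultdict

# tcpdump prints ARP requests as:
#   HH:MM:SS.ffffff ARP, Request who-has TARGET tell SENDER, length N
ARP_REQ = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.\d+ ARP, Request who-has "
    r"(\S+?)(?: \(\S+\))? tell (\S+?), length \d+"
)

# Constructed sample capture (RFC 5737 documentation addresses).
SAMPLE = """\
12:00:00.100000 ARP, Request who-has 192.0.2.254 tell 198.51.100.10, length 28
12:00:00.100400 ARP, Reply 192.0.2.254 is-at 00:00:5e:00:53:01, length 46
12:00:01.000000 ARP, Request who-has 192.0.2.254 tell 198.51.100.11, length 28
12:00:02.000000 ARP, Request who-has 192.0.2.254 tell 198.51.100.11, length 28
12:00:03.000000 ARP, Request who-has 192.0.2.254 tell 198.51.100.11, length 28
12:00:04.000000 ARP, Request who-has 192.0.2.254 tell 198.51.100.11, length 28
12:00:05.000000 ARP, Request who-has 192.0.2.254 tell 198.51.100.11, length 28
"""

def arp_report(lines, window=60, limit=4):
    """Per sender IP: request count, targets asked for, peak requests per window."""
    times, targets = defaultdict(list), defaultdict(Counter)
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if not m:
            continue  # replies and non-ARP lines are ignored
        h, mi, s, target, sender = m.groups()
        # Capture is assumed not to cross midnight.
        times[sender].append(int(h) * 3600 + int(mi) * 60 + int(s))
        targets[sender][target] += 1
    report = {}
    for sender, ts in times.items():
        ts.sort()
        peak = start = 0
        for end in range(len(ts)):          # sliding window over timestamps
            while ts[end] - ts[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        report[sender] = {
            "requests": len(ts),
            "distinct_targets": len(targets[sender]),
            "top_target": targets[sender].most_common(1)[0][0],
            "peak_per_window": peak,
            "noisy": peak >= limit,          # limit is an assumed threshold
        }
    return report

if __name__ == "__main__":
    for ip, row in sorted(arp_report(SAMPLE.splitlines(), window=10).items()):
        print(ip, row)
```

One target repeated over and over means the sender cannot resolve that single address (typically the gateway); many distinct targets mean the sender treats a whole range as on-link.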

2 Answers

6

You do not need to define a broadcast address for secondary IP addresses.

Configuration for "failover" IP addresses is just the following:

# Secondary NIC
auto eth0:0
iface eth0:0 inet static
    address BBB.BBB.BBB.BBB
    netmask 255.255.255.XXX

Example from a live server:

auto eth0:0
iface eth0:0 inet static
    address 178.32.36.20
    netmask 255.255.255.0

On a side note, you are doing this the wrong/overly-complicated way. The simple way to do this is to associate a "Virtual Mac address" to your failover IP addresses. You will find this option in the services tab of your server in the OVH Manager. This allows you to just bridge all the virtual interfaces associated with the given virtual Mac addresses. This way you also don't have to worry about any routing. Simple as it gets.

EDIT: I just thought of something. Make sure you enable routing in your dom0 with net.ipv4.ip_forward=1.

EDIT2 : After your comment, I went and had a look at what OVH recommends to do and you should try it. This is featured in this forum post. I don't know if you understand French but what it says is to put the following in your domU's network configuration.

auto eth0
iface eth0 inet static
    # domU IP address (comments must be on their own line in this file)
    address <IP FAILOVER>
    netmask 255.255.255.255
    # IP.of.your.dom0.254 = dom0's gateway
    post-up /sbin/ip route add IP.of.your.dom0.254 dev eth0
    post-up /sbin/ip route add default via IP.of.your.dom0.254

It seems to me like this would do the trick given that you are in bridged network configuration with virtual MAC addresses.

Antoine Benkemoun
  • Sorry, Antoine, thanks for your help (I really appreciate it), but this doesn't fix the problem. I also tried to add a second virtual NIC to my domU, with a MAC assigned by OVH to my second Failover IP, and configured eth1 on domU instead of eth0:0, but unless I add a gateway on a different routing table to eth1, I cannot ping my secondary IP. And if I do that, the ARP flood warnings start again... – Dmitri Sologoubenko Sep 02 '12 at 17:51
  • Just updated my post :) – Antoine Benkemoun Sep 02 '12 at 20:49
  • Hi Antoine, yes, I have had a look at that in OVH's (badly) translated-to-English guides. In one of my attempts, I added these post-up lines to my first IP on eth0, and after that I am able to ping my first IP; I believe they are exactly the same as using route (instead of ip route) as reported in my question. But I cannot set up a default gateway for the second IP on eth1, unless I use a different routing table (say 100) and an "ip rule from" my second IP. And even if I do so, OVH still complains about ARP flood... :( I suppose I will ask their support to check my server and provide a solution. – Dmitri Sologoubenko Sep 03 '12 at 13:44
  • I know this may be not so smart but try to format your server and try again... Sometimes it helps and you just never know why. – Antoine Benkemoun Sep 04 '12 at 11:18
0

Incredible, but true: after having spoken to OVH support (which found no problem with this configuration), and having restored the initial settings (re-associating IP Failover BBB.BBB.BBB.BBB to the same MAC address as AAA.AAA.AAA.AAA), it now works fine!