I've run into a weird issue recently with my CentOS machine (let's call it server). Server has the IP address 10.150.39.5. The thing is it replies to ARP requests with two MAC addresses, and the last one that comes in breaks all the communication to the server.
Output from tcpdump on mirrored switchport:
18:02:01.388595 00:00:00:e5:64:32 > 00:00:00:67:1d:ea, ethertype ARP (0x0806), length 60: Request who-has 10.150.39.5 (00:00:00:67:1d:ea) tell 10.150.39.116, length 46
18:02:01.388600 00:00:00:67:1d:ea > 00:00:00:e5:64:32, ethertype ARP (0x0806), length 60: Reply 10.150.39.5 is-at 00:00:00:67:1d:ea, length 46
18:02:01.388743 00:00:00:67:1d:ec > 00:00:00:e5:64:32, ethertype ARP (0x0806), length 60: Reply 10.150.39.5 is-at 00:00:00:67:1d:ec, length 46
The most interesting thing is that when I make the capture on the server's NIC, I see only the first two packets (normal ARP req and ARP resp). So I've made a network SPAN (mirrored all the traffic from the switch interface where the server is attached to another machine); on that mirrored port I see the packets I've pasted earlier.
I'm 100% sure that it is not a MiTM attack, as it is one physical server attached to the interface, and after I've implemented port-security on that port (allowed only the correct MAC to come in) the issue is gone. So basically I do not have the issue anymore, but I'm very keen to find what's the reason for that.
Following are a couple of outputs that might come in handy for you guys trying to help me:
[root@server ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:00:00:67:1d:ea brd ff:ff:ff:ff:ff:ff
inet 10.150.39.5/24 brd 10.150.39.255 scope global enp0s25
valid_lft forever preferred_lft forever
inet6 fe80::219:d1ff:fe67:1dea/64 scope link
valid_lft forever preferred_lft forever
3: enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:00:00:e3:ca:82 brd ff:ff:ff:ff:ff:ff
4: enp1s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:00:00:e3:ca:83 brd ff:ff:ff:ff:ff:ff
[root@server ~]# tail -vn +1 /etc/sysconfig/network-scripts/ifcfg-*
==> /etc/sysconfig/network-scripts/ifcfg-enp0s25 <==
TYPE="Ethernet"
BOOTPROTO="static"
UUID="a04fb9bd-0543-4ba6-bd17-72cc3d9f54cc"
DEVICE="enp0s25"
ONBOOT="yes"
IPADDR=10.150.39.5
NETMASK=255.255.255.0
GATEWAY=10.150.39.1
==> /etc/sysconfig/network-scripts/ifcfg-enp1s0f0 <==
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=enp1s0f0
UUID=64e7544d-54b9-40cc-83f0-7e10acbcdeaa
DEVICE=enp1s0f0
ONBOOT=no
==> /etc/sysconfig/network-scripts/ifcfg-enp1s0f1 <==
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=enp1s0f1
UUID=c3085e08-1e14-4098-b77a-b512a2c99e75
DEVICE=enp1s0f1
ONBOOT=no
==> /etc/sysconfig/network-scripts/ifcfg-lo <==
DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
# If you're having problems with gated making 127.0.0.0/8 a martian,
# you can change this to something else (255.255.255.255, for example)
BROADCAST=127.255.255.255
ONBOOT=yes
NAME=loopback
The two MAC addresses 00:00:00:67:1d:ea and 00:00:00:67:1d:ec are almost consecutive (I assume you've obfuscated the first three octets, as 00:00:00 is no valid OUI) - this indicates a multi-port NIC, multiple logical interfaces or such. Check the switch's MAC table for the port the "wrong" MAC originates from.
If you've bonded/teamed multiple interfaces you have to make sure everything's working as intended. The switch ports need to be set up accordingly with single-MAC bonding.
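The check described in this answer, run over the capture from the question, as an added example that is not part of the original posts: it flags any IP address claimed by more than one MAC in ARP replies, measures how close the MACs are numerically, and lists the ones the operating system does not know. The function names and the HOST_MACS set (copied from the `ip a` output in the question) are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: the three tcpdump -e lines quoted in the question.
CAPTURE = """\
18:02:01.388595 00:00:00:e5:64:32 > 00:00:00:67:1d:ea, ethertype ARP (0x0806), length 60: Request who-has 10.150.39.5 (00:00:00:67:1d:ea) tell 10.150.39.116, length 46
18:02:01.388600 00:00:00:67:1d:ea > 00:00:00:e5:64:32, ethertype ARP (0x0806), length 60: Reply 10.150.39.5 is-at 00:00:00:67:1d:ea, length 46
18:02:01.388743 00:00:00:67:1d:ec > 00:00:00:e5:64:32, ethertype ARP (0x0806), length 60: Reply 10.150.39.5 is-at 00:00:00:67:1d:ec, length 46
"""

# Assumption: the MACs listed by `ip a` on the server in the question.
HOST_MACS = {"00:00:00:67:1d:ea", "00:00:00:e3:ca:82", "00:00:00:e3:ca:83"}

MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
ARP_REPLY = re.compile(
    rf"^(?P<ts>\S+) (?P<eth_src>{MAC}) > {MAC}, ethertype ARP\b.*?"
    rf"Reply (?P<ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}}) is-at (?P<mac>{MAC})"
)


def mac_int(mac):
    """Numeric value of a colon-separated MAC, used to measure the gap."""
    return int(mac.replace(":", ""), 16)


def find_arp_conflicts(capture, host_macs=frozenset()):
    """Return one finding per IP that more than one MAC claims in ARP replies."""
    claims = defaultdict(list)  # ip -> MACs in the order they were first seen
    for line in capture.splitlines():
        m = ARP_REPLY.match(line)
        if m is None:
            continue  # ARP requests and non-ARP frames are ignored
        mac = m["mac"].lower()
        if mac not in claims[m["ip"]]:
            claims[m["ip"]].append(mac)

    findings = []
    for ip, macs in claims.items():
        if len(macs) < 2:
            continue
        values = sorted(mac_int(x) for x in macs)
        findings.append({
            "ip": ip,
            "macs": macs,
            # Same first three octets and a small numeric gap point to ports
            # of one adapter rather than an unrelated device.
            "same_oui": len({x[:8] for x in macs}) == 1,
            "max_gap": values[-1] - values[0],
            # MACs answering for the IP that the OS does not list.
            "not_on_host": [x for x in macs if x not in host_macs],
        })
    return findings


if __name__ == "__main__":
    for finding in find_arp_conflicts(CAPTURE, HOST_MACS):
        print(finding)
```

The MAC reported in `not_on_host` is the one to look up in the switch's MAC table.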
Related
I have a Raspberry PI 4 running Ubuntu 21.10 with a static ip-address on eth0. Despite that, I keep getting a secondary 'dynamic' DHCP address on it.
netplan
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      addresses:
        - 192.168.0.10/24
      routes:
        - to: default
          via: 192.168.0.1
      nameservers:
        search: [lan]
        addresses: [192.168.0.12]
ip addr show
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether dc:a6:32:da:df:55 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.10/23 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet 192.168.0.225/23 brd 192.168.1.255 scope global secondary dynamic eth0
valid_lft 68727sec preferred_lft 68727sec
inet6 fe80::dea6:32ff:feda:df55/64 scope link
valid_lft forever preferred_lft forever
Even if I delete that interface, it keeps coming back after a few minutes. I have another PI with the "same" configuration and it doesn't have this problem.
I also have the /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg per instructions.
Have you tried using the word false instead of no on your dhcp4 entry to netplan?
I've recently set up Proxmox VE 6.2.
I've two network adapters, one is a LAN network and the other is a WAN network (USB RNDIS).
I've set up pfSense as a VM; as in the Netgate docs, I've created two bridges for WAN and LAN with those two physical NICs.
Everything is going fine, pfSense works as expected all lan clients can access the internet flawlessly through the pfSense VM.
But the issue is, proxmox can't make HTTP requests, I know it's weird. It can successfully access the internet, like I can make pings to 1.1.1.1 or any public available IP.
I tried like this
curl -vvv google.com
This is the output I got and this is where it's getting stuck; all HTTP connections act the same way:
* Trying 216.58.197.46...
* TCP_NODELAY set
* Expire in 149896 ms for 3 (transfer 0x55772a88ddc0)
* Expire in 200 ms for 4 (transfer 0x55772a88ddc0)
* Connected to google.com (216.58.197.46) port 80 (#0)
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.64.0
> Accept: */*
And it's stuck there and times out after a while. Can't make apt update either. It seems to get connected but can't receive the response back.
This is the ping response
ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=56 time=75.4 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=56 time=74.7 ms
no issues there.
This is one hell of a weird issue, I've never faced before.
ip route list
default via 192.168.0.1 dev vmbr0 onlink
192.168.0.0/24 dev vmbr0 proto kernel scope link src 192.168.0.114
192.168.1.0/24 dev vmbr2 proto kernel scope link src 192.168.1.102
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp14s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP group default qlen 1000
link/ether 3c:07:71:55:54:6e brd ff:ff:ff:ff:ff:ff
3: enx0c5b8f279a64: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
link/ether 0c:5b:8f:27:9a:64 brd ff:ff:ff:ff:ff:ff
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 3c:07:71:55:54:6e brd ff:ff:ff:ff:ff:ff
inet 192.168.0.114/24 brd 192.168.0.255 scope global vmbr0
valid_lft forever preferred_lft forever
inet6 fe80::3e07:71ff:fe55:546e/64 scope link
valid_lft forever preferred_lft forever
5: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 0c:5b:8f:27:9a:64 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.102/24 brd 192.168.1.255 scope global dynamic vmbr2
valid_lft 84813sec preferred_lft 84813sec
inet6 fe80::e5b:8fff:fe27:9a64/64 scope link
valid_lft forever preferred_lft forever
6: tap100i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
link/ether 5a:1e:56:2a:0d:fe brd ff:ff:ff:ff:ff:ff
7: tap100i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
link/ether a2:fe:d5:1d:43:8f brd ff:ff:ff:ff:ff:ff
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Proxmox IP - 192.168.0.114 (Static configured)
pfSense Gateway IP - 192.168.0.1
WAN (Internal IP) - 192.168.1.101
vmbr0 - LAN bridge
vmbr2 - WAN bridge
You should probably disable hardware checksum offloading.
This worked for me on virtualized hardware (HVM).
See this post:
https://askubuntu.com/questions/597894/can-ping-but-cannot-wget-on-host-with-bridge-interface
I'm using multiple VirtualBox Ubuntu 18.10/19.04 VMs on a Windows 7 host. At one moment on one of them the name resolution stopped working. The connection to the internet is still working.
ax@buildvm:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=40.5 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=35.5 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=42.4 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=51 time=36.2 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 35.456/38.635/42.408/2.906 ms
ax@buildvm:~$ ping google.com
ping: google.com: Temporary failure in name resolution
How to get the name resolution working?
additional info
ax@buildvm:~$ ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:fb:bc:af brd ff:ff:ff:ff:ff:ff
inet 10.0.2.5/24 brd 10.0.2.255 scope global dynamic enp0s3
valid_lft 947sec preferred_lft 947sec
inet6 fe80::a00:27ff:fefb:bcaf/64 scope link
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:27:32:88 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.106/24 brd 192.168.56.255 scope global dynamic enp0s8
valid_lft 947sec preferred_lft 947sec
inet6 fe80::a00:27ff:fe27:3288/64 scope link
valid_lft forever preferred_lft forever
ax@buildvm:~$ cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0
search fritz.box
This blog article provides the solution:
$ sudo rm /etc/resolv.conf
$ sudo ln -s /var/run/systemd/resolve/resolv.conf /etc/resolv.conf
$ sudo systemctl restart systemd-resolved.service
I have a host machine with Debian 10 & QEMU-KVM. I installed packages and rebooted:
sudo apt install qemu-kvm virt-manager
sudo reboot
So now I want to create a bridge that will enable my virtual servers to (a) connect to network and (b) to be seen to a host machine and other computers on the network.
I read dozens of tutorials on how to do this and failed miserably every time. I had some success setting up a bridge with (a) package iproute2 and (b) package virt-manager (ran as super user).
Trying as a root:
By following archwiki I set up my bridge using these commands:
sudo ip link add virtual_bridge type bridge
sudo ip link set dev virtual_bridge up
I then reset the ethernet card and connect it to the bridge as its slave:
sudo ip link set dev enx24f5a2f17b27 down
sudo ip addr flush dev enx24f5a2f17b27
sudo ip link set dev enx24f5a2f17b27 up
sudo ip link set dev enx24f5a2f17b27 master virtual_bridge
And then I open the GUI application:
sudo virt-manager
I right click the QEMU/KVM session (qemu:///system) and I choose connect:
When the session is connected I start creating a new virtual machine. During its creation I come to a window asking to choose the type of virtual network. There are two options. The first one has suboptions while the second one enables manual input of the device:
Host device enx24f5a2f17b27: macvtap
Bridge
VEPA
Private
Passthrough
Specify shared device name
I tried choosing suboptions offered by the first option, but when selected, they issue a warning:
In most configurations macvtap does not work for host to guest network communication
This is not an option for me because my virtual servers will need two-way communication. This is why I choose the second option and I manually specify my bridge virtual_bridge:
Then I start the virtual machine, which can browse the internet, and so can the host machine. Both are assigned an IP in the same network. But when I try to ping them, ping doesn't work in any direction. The host can't ping the virtual machine and vice versa.
I can't explain this, because archwiki states that a bridge should be transparent like a switch and devices should therefore be able to ping each other:
A bridge is a piece of software used to unite two or more network
segments. A bridge behaves like a virtual network switch, working
transparently (the other machines do not need to know or care about
its existence).
If I check internet settings on a host:
ziga@ziga-laptop:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether c4:85:08:3c:1a:59 brd ff:ff:ff:ff:ff:ff
3: enx24f5a2f17b27: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virtual_bridge state UP group default qlen 1000
link/ether 24:f5:a2:f1:7b:27 brd ff:ff:ff:ff:ff:ff
inet 192.168.64.100/24 brd 192.168.64.255 scope global enx24f5a2f17b27
valid_lft forever preferred_lft forever
inet6 fe80::26f5:a2ff:fef1:7b27/64 scope link
valid_lft forever preferred_lft forever
32: virtual_bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 24:f5:a2:f1:7b:27 brd ff:ff:ff:ff:ff:ff
inet6 fe80::26f5:a2ff:fef1:7b27/64 scope link
valid_lft forever preferred_lft forever
34: vnet0: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virtual_bridge state UNKNOWN group default qlen 1000
link/ether fe:54:00:c4:3e:62 brd ff:ff:ff:ff:ff:ff
inet 169.254.82.75/16 brd 169.254.255.255 scope global vnet0
valid_lft forever preferred_lft forever
inet6 fe80::2c93:eff:fea5:c52b/64 scope link
valid_lft forever preferred_lft forever
From the above, I can confirm that my ethernet interface enx24f5a2f17b27 and vnet0 (which was automatically created by the virtual machine) are both slaves to virtual_bridge (note the keywords master virtual_bridge).
If I am honest I was expecting GUI application to also create TAP device as well but it only created vnet0... Is this actually a TAP device?
How can I make connection two-way?
Trying as a normal user (without bridge):
I deleted virtual_bridge and virtual_tap so that everything was back to normal.
ziga@ziga-laptop:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether c4:85:08:3c:1a:59 brd ff:ff:ff:ff:ff:ff
3: enx24f5a2f17b27: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 24:f5:a2:f1:7b:27 brd ff:ff:ff:ff:ff:ff
inet 192.168.64.100/24 brd 192.168.64.255 scope global enx24f5a2f17b27
valid_lft forever preferred_lft forever
inet6 fe80::26f5:a2ff:fef1:7b27/64 scope link
valid_lft forever preferred_lft forever
I noticed that if I start virt-manager with sudo and use qcow2 image that image will become owned by root and it will become part of group root. This was part of my problem why I avoided using virt-manager as a normal user. So I fixed this and started virt-manager as a normal user.
I created the identical virtual machine but when a network window pops up it had different (!) options:
Userspace networking
Specify shared device name
I was unable to specify my interface enx24f5a2f17b27 manually with the second option so I chose userspace networking.
Then I started the virtual machine, which can browse the internet, and so can the host machine. Both are assigned an IP which is totally different. When I try to ping them, ping doesn't work in any direction. The host can't ping the virtual machine and vice versa.
Trying as a normal user (with bridge)
So now I first set up my bridge precisely like I did in my first attempt as a sudo user:
sudo ip link add virtual_bridge type bridge
sudo ip link set dev virtual_bridge up
sudo ip link set dev enx24f5a2f17b27 down
sudo ip addr flush dev enx24f5a2f17b27
sudo ip link set dev enx24f5a2f17b27 up
sudo ip link set dev enx24f5a2f17b27 master virtual_bridge
so that I have:
ziga@ziga-laptop:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether c4:85:08:3c:1a:59 brd ff:ff:ff:ff:ff:ff
3: enx24f5a2f17b27: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virtual_bridge state UP group default qlen 1000
link/ether 24:f5:a2:f1:7b:27 brd ff:ff:ff:ff:ff:ff
inet 192.168.64.100/24 brd 192.168.64.255 scope global enx24f5a2f17b27
valid_lft forever preferred_lft forever
inet6 fe80::26f5:a2ff:fef1:7b27/64 scope link
valid_lft forever preferred_lft forever
11: virtual_bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 24:f5:a2:f1:7b:27 brd ff:ff:ff:ff:ff:ff
inet6 fe80::805f:cfff:feb6:ec91/64 scope link
valid_lft forever preferred_lft forever
I started virt-manager as a normal user and created the identical virtual machine. When the network window pops up it has the same options as before:
Userspace networking
Specify shared device name
I was unable to specify my bridge virtual_bridge manually with the second option because Qemu reports an internal error:
I have my local Machine (10.0.0.2/16) directly connected to the eth4 network interface of my server.
The connection works as expected and I can traceroute the ip of eth4, namely 10.0.0.1.
However, I can also traceroute the ip 10.1.0.23 of the other interface (eth5), even though it is on the wrong subnet!
In the following you see the settings of my local machine and my server.
On my local Machine (Arch Linux)
Output of ip addr:
....
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 3c:97:0e:8a:a1:5a brd ff:ff:ff:ff:ff:ff
inet 10.0.0.2/16 brd 10.0.255.255 scope global enp0s25
valid_lft forever preferred_lft forever
inet6 fe80::7a0b:adb3:2eef:a3a8/64 scope link
valid_lft forever preferred_lft forever
....
Traceroutes
% sudo traceroute -I 10.0.0.1
traceroute to 10.0.0.1 (10.0.0.1), 30 hops max, 60 byte packets
1 10.0.0.1 (10.0.0.1) 0.184 ms 0.170 ms 0.163 ms
% sudo traceroute -I 10.1.0.23
traceroute to 10.1.0.23 (10.1.0.23), 30 hops max, 60 byte packets
1 10.1.0.23 (10.1.0.23) 0.240 ms 0.169 ms 0.166 ms
On Server (Debian)
My /etc/network/interfaces.
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
#iface eth5 inet dhcp
auto eth5
allow-hotplug eth5
iface eth5 inet static
address 10.1.0.23
netmask 255.255.0.0
gateway 10.1.0.1
## Automatically load eth4 interface at boot
auto eth4
allow-hotplug eth4
# Configure network interface at eth4
iface eth4 inet static
address 10.0.0.1
netmask 255.255.0.0
gateway 10.0.0.1
Output of ip addr:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
...
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:08:a2:0a:e8:86 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/16 brd 10.0.255.255 scope global eth4
valid_lft forever preferred_lft forever
inet6 fe80::208:a2ff:fe0a:e886/64 scope link
valid_lft forever preferred_lft forever
7: eth5: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 00:08:a2:0a:e8:87 brd ff:ff:ff:ff:ff:ff
inet 10.1.0.23/16 brd 10.1.255.255 scope global eth5
valid_lft forever preferred_lft forever
Output of ip route:
default via 10.1.0.1 dev eth5
10.0.0.0/16 dev eth4 proto kernel scope link src 10.0.0.1
10.1.0.0/16 dev eth5 proto kernel scope link src 10.1.0.23
Why wouldn't you expect this behavior? As you can see from your Debian server's routing tables, it knows how to route packets to your Arch Linux machine, so it can respond if it wants to.
I can see two likely questions you might be having:
Why does it choose to respond?
You haven't given us your firewall rules, or told us whether your server has ip_forwarding enabled. Even without IP forwarding enabled, Linux will see a locally received packet for any of its local addresses as an INPUT packet (in terms of iptables and access control decisions), not a forwarded packet. So it will respond even if forwarding is disabled.
If you don't want this behavior you could add an iptables rule to the INPUT chain to drop the packet being received on the server.
Why is there only one hop in the traceroute
You might expect that in order to respond the packet would need to traverse (be forwarded) and so you would get two hops in your traceroute, one for eth4 and one for eth5. However, as mentioned above, any locally received packet will be treated as input if it matches one of the local IPs. Your Arch Linux box presumably uses the Debian server as its default route. So, it sends a packet with the Debian server's MAC address, hoping the Debian server will forward it. That makes it a locally received packet at the ethernet level on the Debian server. The server then checks the IP address, finds it is local, doesn't care it's for another ethernet and locally receives it at the IP layer.
If you don't want that behavior, fix in firewall rules.
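The INPUT-chain drop rule suggested above, generalised to every pair of interfaces, as an added example that is not part of the original answer: it reads `ip -o -4 addr show` output and builds (but does not apply) iptables commands so that each interface only accepts packets addressed to its own IPs. The sample text is constructed from the server's addresses in the question, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the server's addresses from the question, written in
# the one-line format that `ip -o -4 addr show` prints.
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
6: eth4    inet 10.0.0.1/16 brd 10.0.255.255 scope global eth4\\       valid_lft forever preferred_lft forever
7: eth5    inet 10.1.0.23/16 brd 10.1.255.255 scope global eth5\\       valid_lft forever preferred_lft forever
"""

ADDR_LINE = re.compile(r"^\d+:\s+(?P<dev>\S+)\s+inet\s+(?P<addr>\S+)")


def parse_addresses(text):
    """Map each interface name to the IPv4 addresses configured on it."""
    result = {}
    for line in text.splitlines():
        m = ADDR_LINE.match(line)
        if m:
            iface = ipaddress.ip_interface(m["addr"])  # validates the address
            result.setdefault(m["dev"], []).append(str(iface.ip))
    return result


def strong_host_rules(text, skip=("lo",)):
    """Build iptables commands that drop a packet addressed to a local IP
    when it arrives on an interface that does not own that IP."""
    addrs = parse_addresses(text)
    rules = []
    for in_dev in addrs:
        if in_dev in skip:
            continue
        for owner, ips in addrs.items():
            if owner == in_dev or owner in skip:
                continue
            for ip in ips:
                rules.append(f"iptables -A INPUT -i {in_dev} -d {ip} -j DROP")
    return rules


if __name__ == "__main__":
    # Print the commands for review; nothing is applied by this script.
    for rule in strong_host_rules(IP_ADDR_OUTPUT):
        print(rule)
```

For the server in the question, the first generated rule is the one that stops 10.1.0.23 from answering on eth4.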