Date:      Sat, 7 Oct 2000 15:02:09 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Bernd Luevelsmeyer <bernd.luevelsmeyer@heitec.net>
Cc:        questions@FreeBSD.ORG
Subject:   Re: arp proxy
Message-ID:  <20001007150209.S25121@149.211.6.64.reflexcom.com>
In-Reply-To: <39DF7F6D.48AEE934@heitec.net>; from bernd.luevelsmeyer@heitec.net on Sat, Oct 07, 2000 at 09:54:21PM +0200
References:  <39DC78C8.A3CF4F56@heitec.net> <20001005205137.L25121@149.211.6.64.reflexcom.com> <39DDDA7F.68AD47A2@heitec.net> <20001006105442.A62974@149.211.6.64.reflexcom.com> <39DF7F6D.48AEE934@heitec.net>

On Sat, Oct 07, 2000 at 09:54:21PM +0200, Bernd Luevelsmeyer wrote:
> Crist J . Clark wrote:

[snip]

> > Huh? But if I am not mistaken, all an ARP proxy is going to do is
> > reply to ARP requests... And that does not get you far. You'd still
> > need to figure out how to get frames over the bridge or packets over a
> > router to the machines behind the firewall.
> 
> But isn't that exactly what a gateway does... it receives packages for
> its own MAC address but targeted to a remote IP address. It will check
> the routing tables and then send the package onwards. So, IMHO if you've
> got a gateway then you just need to direct all the packages to it so it
> can distribute them, and that's what the ARP proxy is good for. 

Right, but I thought your problem was with the subnetting and
routing, so just getting the frames to the machine does not entirely
solve the problem.

> Hence I thought, fine, make the gateway answer all ARPs for inside
> addresses from the outside, and the gateway part will be handled by the
> normal gateway functionality.
> Didn't work, however. The ARPs were answered as expected, and the
> packages were sent to the gateway. The gateway however didn't send them
> on, apparently it dropped them. My theory is that the gateway part
> somehow was confused because, from the fumbled ARP table, it assumed
> that all the subnet's addresses were local to the gateway machine
> itself, so sending them out was considered unnecessary.

How is your routing done to handle this correctly?

> > I don't have your full email easily accessible, so I may again be
> > suggesting something you have already tried or thought of, but is
> > there a reason not to use NAT and redirect your addresses to machines
> > behind the firewall? (I would venture to guess that if you start
> > playing with ARP proxies you would end up building your own NAT system,
> > but it will be more work and a kludge compared to just using
> > natd(8).)
> 
> This was not covered in my original mail, but a NAT wouldn't be
> appropriate in this situation. The subnet's machines are mail servers,
> HTTP proxies and so on. It's much easier if they have publicly
> routable addresses of their own; a NAT would give them all the same
> address.

Not necessarily. See 'redirect_address' in natd(8). You can use all of
your addresses.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

