From: Artyom Viklenko
Organization: Art&Co.
To: freebsd-pf@freebsd.org
Date: Tue, 23 Aug 2011 13:42:08 +0300
Message-ID: <4E538400.7050804@aws-net.org.ua>
References: <4E510AF8.9090009@gmx.de> <4E533FB4.5050403@gmx.de> <4E5369DA.1030303@gmail.com>
Subject: Re: problem with setting nat

23.08.2011 13:27, Janne Snabb writes:
> On Tue, 23 Aug 2011, Bartek W. aka Mastier wrote:
>
>> I completely don't see the point of using arp-proxy at all.
>> Can you enlighten me?
>
> I do not know about the particular needs of the OP. I have not been
> paying attention. Sorry if I misunderstood something.
>
> But in real world:
>
> - The upstream router is often managed by the ISP and there might
> be no way to put a static route towards the firewall in that router.

In any case, if you want to use some globally routable IPs for whatever
purpose on your side, the ISP already has to configure a route for these
IPs toward your (customer) router. Typically, this is exactly a static
route (which is then distributed over the ISP's backbone using OSPF or
the like). If you build some intranet with NAT in some places, there are
no changes, except the IP space.

> - The available external IP block may be too small to allow subnetting
> it to "outside of the firewall" and "inside of the firewall" networks.
> This is becoming more and more of an issue as the IPv4 address space
> has already run out but people have not migrated to IPv6.

You can use a small IP block on your internal LAN and use some of them on
the firewall itself, not "outside of the firewall".

> - The IP addresses might have been previously assigned without thinking
> that there will be a firewall in future. Then later it is decided that a
> firewall is needed but it is not possible to renumber the IP addresses
> of every host (due to lack of budget, skills, documentation, etc).

A bridging firewall can solve this problem.

> All of the above are very common situations in small to medium
> businesses. Proxy ARP on the firewall solves all of them easily.
> You just turn it on and everything works.

If your ISP, and moreover the world, doesn't know how to reach IP v.x.y.z,
proxy ARP will not help at all.

> (Please do not misunderstand me: I am not saying that it is an
> elegant solution. However in many cases it is the only practical
> solution.)
>
> --
> Janne Snabb / EPIPE Communications
> snabb@epipe.com - http://epipe.com/

--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem@viklenko.net | JID: artem@jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org