Date: Sat, 09 Jun 2007 14:35:25 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: dzalewski@open-craft.com
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD arp proxy
Message-ID: <466AAC9D.6090001@infracaninophile.co.uk>
In-Reply-To: <200706091556.53631.dzalewski@open-craft.com>
References: <200706091556.53631.dzalewski@open-craft.com>
Dominik Zalewski wrote:
> Dear All,
>
> I have a problem configuring routing. Here is how my setup looks:
>
> Internet - - - ADSL modem (bridge mode) - - - FreeBSD BOX - - - - - - - Switch - - - - - - - Server 1
>                IPOA: 196.218.x.97          vr1: 196.218.x.98            |                 bge0: 196.218.x.100
>                                                                         |
>                                                                         |
>                                                                         |
>                                                                         Server 2
>                                                                         eth0: 196.218.x.101
>
> The idea is to give public IPs to servers behind the FreeBSD firewall. I
> don't want to assign IP addresses to the FreeBSD BOX and use binat. I
> want the servers to have IPs assigned to their interfaces so I can reach
> them directly from the internet.
>
> Someone told me that I have to use arp proxy. As far as I know FreeBSD has
> a builtin arp proxy using the userland arp utility.
>
> When I added arp -s 196.218.x.100 mac_address_of_server1 perm pub . I
> still couldn't reach 196.218.x.100 .
>
> Of course I will have to add: no nat on $ext_if from { 10.0.0.3,
> 10.0.0.7 } to any .

The usual solution to this sort of problem is to divide up your allocated
range of IP numbers into subnets and set up your firewall to route one or
more of those subnets to the machines behind it. However, given the numbers
you quote I suspect that your network allocation is 196.218.x.96/29 -- which
gives you a network address (.96), 6 host addresses (.97 -- .102) and a
broadcast address (.103). As you'd need to sacrifice two more of those
addresses to divide the range into two /30 blocks, and you need three host
IPs for your back end network, that isn't going to be feasible.

It might be possible to reduce this idea to its ultimate level and set up
individual host routes to each of the back-end servers on the FreeBSD
firewall:

    route add -host 196.218.x.101 -interface 12.34.56.78

where 12.34.56.78 should be replaced by the IP of the interface plugged into
your back-end switch. '12.34.56.78' should be on a different network than
192.218.x.96/29 -- so just grab something out of the RFC1918 address space.

While you're about it, you will probably find it helps to give your back-end
servers all RFC1918 addresses with the routable 192.218.x.96/29 addresses as
aliases on the interfaces. You'd need to generate equivalent host routes for
each of your back end hosts, and you'd need an equivalent host route on the
back-end machines to reach the firewall:

    route add -host 192.168.x.97 12.34.56.78

as well as setting 12.34.56.78 as the 'defaultrouter' in /etc/rc.conf.

Warning: completely untested. Should work in theory, but...

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
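The host-route plus proxy-ARP layout discussed in this thread, written up as an added example that is not part of either message: a script that generates the FreeBSD commands for the firewall and for one back-end server. The interface name bge1, the 10.0.0.0/24 back-end numbering, the MAC addresses and the 0 standing in for the redacted "x" octet are all assumptions.

```shell
#!/bin/sh
# Added example: emit the commands for the host-route + proxy-ARP setup.
# Interface names, MACs and 10.0.0.0/24 are assumed; "x" in the thread's
# 196.218.x.0 is written as 0 here. Run the output as root to apply it.
EXT_IF=vr1        # faces the ADSL modem (196.218.x.98/29 lives here)
INT_IF=bge1       # faces the back-end switch (assumed name)
INT_IP=10.0.0.1   # RFC1918 address of the firewall on INT_IF (assumed)
# One back-end per line: "public_ip private_ip mac" (placeholder MACs)
BACKENDS="196.218.0.100 10.0.0.3 00:00:00:00:00:aa
196.218.0.101 10.0.0.7 00:00:00:00:00:bb"

# Firewall side: turn on forwarding, route each public /32 straight out of
# the internal interface (the /32 beats the /29 that vr1 also covers), and
# publish a proxy-ARP entry on the external segment so the upstream router
# at .97 hands traffic for .100/.101 to the firewall's MAC.
fw_commands() {
    echo "sysctl net.inet.ip.forwarding=1"
    echo "$BACKENDS" | while read pub priv mac; do
        echo "route add -host $pub -interface $INT_IP"
        echo "arp -s $pub $mac pub"
    done
}

# Back-end side: private address on the NIC, the public address as a /32
# alias (so the host answers the firewall's ARP for it), a host route to
# the firewall's internal IP and the firewall as default router.
backend_commands() {  # $1 = public IP, $2 = private IP, $3 = interface
    echo "ifconfig $3 inet $2/24"
    echo "ifconfig $3 inet $1/32 alias"
    echo "route add -host $INT_IP -interface $2"
    echo "route add default $INT_IP"
}

fw_commands
backend_commands 196.218.0.100 10.0.0.3 bge0
```

Nothing here replaces the pf `no nat` rules from the original question; those still have to exclude the back-end addresses from translation.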