Date: Wed, 29 Apr 1998 13:20:04 -0500
From: Jonathan Lemon <jlemon@americantv.com>
To: Allen Smith <easmith@beatrice.rutgers.edu>
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Proxy ARP for transparent firewalling: arp -s pub vs choparp
Message-ID: <19980429132003.21663@right.PCS>
In-Reply-To: <9804291312.ZM27991@beatrice.rutgers.edu>; from Allen Smith on Apr 04, 1998 at 01:12:15PM -0400
References: <9804291312.ZM27991@beatrice.rutgers.edu>
On Apr 04, 1998 at 01:12:15PM -0400, Allen Smith wrote:
> In this, in order to get the Network Services controlled router to
> direct packets that are for our machines to the firewall's exterior
> interface, it'll need to be sending our ARP packets that will tell the
> router (and the other machines on the local network) that its Ethernet
> interface is the one for all our machines' IP addresses. The firewall
> (a FreeBSD-stable machine that we're in the process of getting in from
> Atipa) will have ip_filter set up on it, which will use its fastroute
> capability to route packets to its interior interface if they're for
> our machines. Our machines will be set up with the firewall's interior
> interface (probably a private IP address, if I can get the routing set
> up properly for those - SGI's route implementation seems to be buggy
> in this regard, although that may be conflicts with routed) as their
> default gateway.

I have a similar situation, so I should describe what I have set up.

    [network]---[ firewall ]--------------------[machineN]
                  de0     de1
       ip: y.y.y.y   ip: x.x.x.x                ip: x.x.x.x
    ether: a:a:a:a:a:a                       ether: b:b:b:b:b:b

Change the /etc/rc.conf on the firewall to:

1. configure the firewall interfaces identically:

	ifconfig_de0="inet x.x.x.x netmask 0xffff0000"
	ifconfig_de1="inet x.x.x.x netmask 0xffff0000"

2. install direct interface routes for each machine behind the firewall:

	static_routes="machine1"
	route_machine1="y.y.y.y -link de1:b:b:b:b:b:b -iface"

3. turn on proxyall (this will pass all arp requests back and forth
   between the two interfaces)

	arpproxy_all="YES"

4. add permanent ARP entries for each machine behind the firewall:
   (place this in something like /etc/rc.conf.local)

	arp -s machine1 auto pub

Now, when:

- the firewall gets an ARP request for any of machineN, it will answer
  with its own MAC entry.
- the firewall gets an IP packet for machineN, it will use the interface
  route to send the packet to the internal network.
- machineN sends an ARP reply, the firewall will use this for sending to
  machineN, instead of the `published' MAC entry.
- machineN sends an ARP request, the firewall will forward the
  request/reply between the two interfaces.

This may not be the best way to do this, but it works for me. :-)
--
Jonathan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
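Added example, not part of the message above and not FreeBSD code: a small Python helper that generates the four-step rc.conf fragment and the arp(8) commands for any number of interior hosts, and checks the one assumption the recipe relies on, that every proxied address lies inside the firewall's own netmask (the upstream router only sends ARP requests for addresses it believes are on-link). Interface names, addresses and MACs are constructed placeholders.

```python
import ipaddress
import re

# Constructed helper, not from the original message or FreeBSD: builds the
# /etc/rc.conf fragment and arp(8) commands for the proxy-ARP layout above.
MAC_RE = re.compile(r"^([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}$", re.IGNORECASE)


def prefix_len(hex_mask):
    """Turn an rc.conf-style hex netmask (e.g. 0xffff0000) into a prefix length."""
    mask = int(hex_mask, 16)
    bits = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {hex_mask}")
    return bits


def validate(fw_ip, hex_mask, hosts):
    """Return a list of problems with hosts = [(name, ip, mac), ...]; [] means OK.

    The upstream router only sends ARP requests for addresses it believes are
    on-link, so a host outside the firewall's own netmask is never proxied.
    """
    net = ipaddress.IPv4Network(f"{fw_ip}/{prefix_len(hex_mask)}", strict=False)
    problems, names = [], set()
    for name, ip, mac in hosts:
        if name in names:
            problems.append(f"duplicate route name {name}")
        names.add(name)
        if not MAC_RE.match(mac):
            problems.append(f"{name}: malformed MAC {mac}")
        if ipaddress.IPv4Address(ip) not in net:
            problems.append(f"{name}: {ip} is outside {net}; router will not ARP for it")
        elif ip == fw_ip:
            problems.append(f"{name}: {ip} is the firewall's own address")
    return problems


def rc_conf_fragment(fw_ip, hex_mask, ext_if, int_if, hosts):
    """Return (rc.conf lines, arp commands) for the four steps in the message."""
    problems = validate(fw_ip, hex_mask, hosts)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f'ifconfig_{ext_if}="inet {fw_ip} netmask {hex_mask}"',       # step 1
             f'ifconfig_{int_if}="inet {fw_ip} netmask {hex_mask}"',
             'static_routes="' + " ".join(n for n, _, _ in hosts) + '"']  # step 2
    for name, ip, mac in hosts:
        lines.append(f'route_{name}="{ip} -link {int_if}:{mac} -iface"')
    lines.append('arpproxy_all="YES"')                                       # step 3
    return lines, [f"arp -s {ip} auto pub" for _, ip, _ in hosts]           # step 4
```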