From: Janne Snabb <snabb@epipe.com>
To: freebsd-pf@freebsd.org
Date: Tue, 23 Aug 2011 10:27:37 +0000 (UTC)
Subject: Re: problem with setting nat
In-Reply-To: <4E5369DA.1030303@gmail.com>
References: <4E510AF8.9090009@gmx.de> <4E533FB4.5050403@gmx.de> <4E5369DA.1030303@gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, 23 Aug 2011, Bartek W. aka Mastier wrote:

> I completely don't see the point of using arp-proxy at all.
> Can you enlighten me?

I do not know about the particular needs of the OP. I have not been
paying attention. Sorry if I misunderstood something.

But in the real world:

- The upstream router is often managed by the ISP and there might be
  no way to put a static route towards the firewall in that router.

- The available external IP block may be too small to allow subnetting
  it into "outside of the firewall" and "inside of the firewall"
  networks. This is becoming more and more of an issue as the IPv4
  address space has already run out but people have not migrated to
  IPv6.

- The IP addresses might have been previously assigned without thinking
  that there will be a firewall in the future. Then later it is decided
  that a firewall is needed, but it is not possible to renumber the IP
  addresses of every host (due to lack of budget, skills,
  documentation, etc.).

All of the above are very common situations in small to medium
businesses. Proxy ARP on the firewall solves all of them easily. You
just turn it on and everything works.

(Please do not misunderstand me: I am not saying that it is an elegant
solution. However, in many cases it is the only practical solution.)

--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/
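As an added illustration of what "proxy ARP on the firewall" means on the wire (my example, not part of Janne's message and not FreeBSD or pf code): the firewall publishes the inside hosts' addresses on its outside interface and answers the upstream router's ARP requests for them with its own MAC, so the router hands those packets to the firewall without any static route and without the block being subnetted. The addresses, MACs and the published set below are constructed (RFC 5737 203.0.113.0/24), and the ProxyArp class is a hypothetical model of the kernel's behaviour, not a real API.

```python
"""Packet-level model of proxy ARP on a firewall's outside interface.

Added example, not from the mailing-list post or from FreeBSD/pf.
Addresses and MACs are constructed (RFC 5737 203.0.113.0/24).
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = b"\xff" * 6


def mac_bytes(text):
    """'02:00:00:00:00:fe' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac):
    """Ethernet II frame carrying an ARP packet (RFC 826 layout)."""
    eth = dst_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = (
        struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, hlen 6, plen 4
        + sender_mac + ipaddress.IPv4Address(sender_ip).packed
        + target_mac + ipaddress.IPv4Address(target_ip).packed
    )
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/ARP frame, or None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sha": frame[22:28], "spa": str(ipaddress.IPv4Address(frame[28:32])),
        "tha": frame[32:38], "tpa": str(ipaddress.IPv4Address(frame[38:42])),
    }


class ProxyArp:
    """Hypothetical model of the firewall's outside interface once inside
    hosts are published. 'published' is the explicit set of inside addresses,
    never the whole block: publishing the upstream router's own address would
    make the firewall answer for it and black-hole the link."""

    def __init__(self, outside_mac, published, upstream_router):
        self.mac = mac_bytes(outside_mac)
        self.router = ipaddress.IPv4Address(upstream_router)
        self.published = {ipaddress.IPv4Address(ip) for ip in published}
        if self.router in self.published:
            raise ValueError(f"refusing to publish the upstream router {self.router}")

    def handle(self, frame):
        """Return the reply frame to send, or None to stay silent."""
        req = parse_arp(frame)
        if req is None or req["op"] != ARP_REQUEST:
            return None
        if ipaddress.IPv4Address(req["tpa"]) not in self.published:
            return None  # not ours: let the real owner answer
        # "<inside host> is at <firewall MAC>", unicast back to whoever asked.
        return build_arp(ARP_REPLY, self.mac, req["tpa"],
                         req["sha"], req["spa"], dst_mac=req["sha"])


def demo():
    """Upstream router ARPs for a published inside host and for an unrelated address."""
    fw = ProxyArp("02:00:00:00:00:fe", ["203.0.113.10", "203.0.113.11"], "203.0.113.1")
    router_mac = mac_bytes("02:00:00:00:00:01")
    who_has_10 = build_arp(ARP_REQUEST, router_mac, "203.0.113.1",
                           b"\x00" * 6, "203.0.113.10", BROADCAST)
    who_has_50 = build_arp(ARP_REQUEST, router_mac, "203.0.113.1",
                           b"\x00" * 6, "203.0.113.50", BROADCAST)
    return parse_arp(fw.handle(who_has_10)), fw.handle(who_has_50)


if __name__ == "__main__":
    reply, silence = demo()
    print(f"203.0.113.10 is at {mac_str(reply['sha'])} (reply sent to {reply['tpa']})")
    print("203.0.113.50:", "no reply" if silence is None else "answered")
```

On a FreeBSD firewall the same thing is, to my knowledge, done with arp(8) per inside host (`arp -s 203.0.113.10 <outside-interface MAC> pub`) together with `gateway_enable="YES"` in rc.conf so the box forwards, after which pf filters the forwarded traffic as usual. The guard in the constructor is the caveat a practitioner wants with this trick: publish only the specific inside hosts, not the whole block, or the firewall starts answering for the upstream router itself.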