Date: Sat, 9 Jun 2007 16:50:37 +0300
From: Dominik Zalewski <dzalewski@open-craft.com>
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD arp proxy
Message-ID: <200706091650.37735.dzalewski@open-craft.com>
In-Reply-To: <466AAC9D.6090001@infracaninophile.co.uk>
References: <200706091556.53631.dzalewski@open-craft.com> <466AAC9D.6090001@infracaninophile.co.uk>
On Saturday 09 June 2007 04:35:25 pm Matthew Seaman wrote:
> Dominik Zalewski wrote:
> > Dear All,
> >
> > I have a problem configuring routing. Here is how my setup looks:
> >
> > Internet - - - ADSL modem (bridge mode) - - - FreeBSD BOX - - - - - - - Switch - - - - - - - Server 1
> >                IPOA: 196.218.x.97              vr1: 196.218.x.98          |                 bge0: 196.218.x.100
> >                                                                           |
> >                                                                           |
> >                                                                       Server 2
> >                                                                 eth0: 196.218.x.101
> >
> > The idea is to give public IPs to servers behind the FreeBSD firewall. I
> > don't want to assign IP addresses to the FreeBSD BOX and use binat. I
> > want the servers to have IPs assigned to their interfaces so I can reach
> > them directly from the internet.
> >
> > Someone told me that I have to use arp proxy. As I know, FreeBSD has a
> > built-in arp proxy using the userland arp utility.
> >
> > When I added arp -s 196.218.x.100 mac_address_of_server1 perm pub, I
> > still couldn't reach 196.218.x.100.
> >
> > Of course I will have to add: no nat on $ext_if from { 10.0.0.3,
> > 10.0.0.7 } to any.
>
> The usual solution to this sort of problem is to divide up your
> allocated range of IP numbers into subnets and set up your firewall
> to route one or more of those subnets to the machines behind it.
>
> However, given the numbers you quote I suspect that your network
> allocation is 196.218.x.96/29 -- which gives you a network address
> (.96), 6 host addresses (.97 -- .102) and a broadcast address (.103).
> As you'd need to sacrifice two more of those addresses to divide the
> range into two /30 blocks, and you need three host IPs for your back end
> network, that isn't going to be feasible.
>
> It might be possible to reduce this idea to its ultimate level and
> set up individual host routes to each of the back-end servers on the
> FreeBSD firewall:
>
>     route add -host 196.218.x.101 -interface 12.34.56.78
>
> where 12.34.56.78 should be replaced by the IP of the interface
> plugged into your back-end switch. '12.34.56.78' should be on a
> different network than 192.218.x.96/29 -- so just grab something out
> of the RFC1918 address space. While you're about it, you will
> probably find it helps to give your back-end servers all RFC1918
> addresses with the routable 192.218.x.96/29 addresses as aliases on
> the interfaces.
>
> You'd need to generate equivalent host routes for each of your back
> end hosts, and you'd need an equivalent host route on the back-end
> machines to reach the firewall:
>
>     route add -host 192.168.x.97 12.34.56.78
>
> as well as setting 12.34.56.78 as the 'defaultrouter' in /etc/rc.conf.
>
> Warning: completely untested. Should work in theory, but...
>
> Cheers,
>
> Matthew

I bridged vr1 and rl1. Everything seems to work fine :)

Thanks anyway,
Dominik