Date: Sat, 7 Oct 2000 15:02:09 -0700
From: "Crist J . Clark"
To: Bernd Luevelsmeyer
Cc: questions@FreeBSD.ORG
Subject: Re: arp proxy
Message-ID: <20001007150209.S25121@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <39DC78C8.A3CF4F56@heitec.net> <20001005205137.L25121@149.211.6.64.reflexcom.com> <39DDDA7F.68AD47A2@heitec.net> <20001006105442.A62974@149.211.6.64.reflexcom.com> <39DF7F6D.48AEE934@heitec.net>
In-Reply-To: <39DF7F6D.48AEE934@heitec.net>; from bernd.luevelsmeyer@heitec.net on Sat, Oct 07, 2000 at 09:54:21PM +0200

On Sat, Oct 07, 2000 at 09:54:21PM +0200, Bernd Luevelsmeyer wrote:
> Crist J . Clark wrote:

[snip]

> > Huh? But if I am not mistaken, all an ARP proxy is going to do is
> > reply to ARP requests... And that does not get you far. You'd still
> > need to figure out how to get frames over the bridge or packets over a
> > router to the machines behind the firewall.
>
> But isn't that exactly what a gateway does... it receives packages for
> its own MAC address but targeted to a remote IP address. It will check
> the routing tables and then send the package onwards. So, IMHO if you've
> got a gateway then you just need to direct all the packages to it so it
> can distribute them, and that's what the ARP proxy is good for.

Right, but I thought your problem was with the subnetting and routing,
so just getting the frames to the machine does not entirely solve the
problem.

> Hence I thought, fine, make the gateway answer all ARPs for inside
> addresses from the outside, and the gateway part will be handled by the
> normal gateway functionality.
>
> Didn't work, however. The ARPs were answered as expected, and the
> packages were sent to the gateway. The gateway however didn't send them
> on, apparently it dropped them. My theory is that the gateway part
> somehow was confused because, from the fumbled ARP table, it assumed
> that all the subnet's addresses were local to the gateway machine
> itself, so sending them out was considered unnecessary.

How is your routing done to handle this correctly?

> > I don't have your full email easily accessible, so I may again be
> > suggesting something you have already tried or thought of, but is
> > there a reason not to use NAT and redirect your addresses to machines
> > behind the firewall? (I would venture to guess that if you start
> > playing with ARP proxies you would end up building your own NAT system,
> > but it will be more work and a kludge compared to just using
> > natd(8).)
>
> This was not covered in my original mail, but a NAT wouldn't be
> appropriate in this situation. The subnet's machines are mail servers,
> HTTP proxies and so on. It's much easier if they have publicly
> routable addresses of their own; a NAT would give them all the same
> address.

Not necessarily. See 'redirect_address' in natd(8). You can use all of
your addresses.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
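What the redirect_address suggestion looks like in practice, as an added example that is not part of the thread: a static one-to-one natd(8) mapping that gives each inside server its own public address, with the public addresses held as aliases on the gateway's external interface so the gateway answers ARP for them itself. The interface name fxp0, the file layout and all addresses (RFC 5737 and RFC 1918 ranges) are constructed placeholders.

```conf
# --- /etc/natd.conf (constructed example) ---
# External interface of the gateway; "fxp0" is an assumed name.
interface fxp0
use_sockets yes
same_ports yes
# redirect_address <inside address> <public address>
# Each public address maps one-to-one (static NAT) to exactly one inside
# host, so the mail server and the HTTP proxy keep distinct public addresses
# instead of sharing the gateway's own address.
# mail server:
redirect_address 192.168.0.10 203.0.113.10
# HTTP proxy:
redirect_address 192.168.0.11 203.0.113.11

# --- /etc/rc.conf additions (constructed example) ---
gateway_enable="YES"
# The public addresses live on the external interface as host aliases
# (netmask /32), so the gateway replies to ARP for them like any local
# address; no proxy-ARP tricks and no fake entries in the ARP table.
ifconfig_fxp0_alias0="inet 203.0.113.10 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 203.0.113.11 netmask 255.255.255.255"
firewall_enable="YES"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"

# --- ipfw divert rule (the equivalent of what rc.firewall installs when
#     natd_enable is set; shown here for clarity) ---
# Every packet crossing fxp0 in either direction passes through natd, which
# rewrites public <-> inside addresses according to redirect_address.
#   ipfw add 50 divert natd ip from any to any via fxp0
# Because the mapping is one-to-one for all ports, the ordinary ipfw filter
# rules after rule 50 still decide which services (e.g. SMTP on the mail
# server) are reachable from outside; the NAT itself restricts nothing.
```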