 From:  "M. G. (Michael) de Bruin" <mg dot debruin at buum dot nl>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Automating Proxy ARP
 Date:  Wed, 27 Apr 2005 19:31:28 +0200
Chris Buechler wrote:
> On 4/27/05, Peter Allgeyer <allgeyer at web dot de> wrote:
>>another feature request/design question.
>>Since there are a lot of questions on the m0n0 mailing list about proxy
>>arp, I'm wondering, if it is usable to make proxy arp automatically,
>>when you are choosing "1:1 NAT"? I'm thinking of a solution like the one
>>on the inbound NAT page, there I can set a marker to Auto-add a firewall
>>rule to permit traffic through this NAT rule.
> An "auto add proxy ARP" checkbox would be nice.  Proxy ARP isn't
> always necessary though, so you wouldn't want to turn it on
> regardless.  I don't know that it'd cause any problems turning it on
> if it isn't needed.
> I would like to know under what circumstances it is and isn't needed. 
> Seems that while everything says it typically isn't needed, it is
> needed on broadcast networks which seem to be the majority of internet
> connections.  So I'm curious where the "it typically isn't needed"
> came from.
> -Chris
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch

Proxy arp is typically needed on networks where the IP is not routed to 
your firewall yet, either from your ISP or from your own router. Since 
most companies let their /24 (or less :)) route to a router and not to 
the firewall behind it, the packet would not arrive at its destination 
unless you would either make a static route entry per ip (or of course 
for the entire net), OR create a proxy arp.

So, basically, nothing can be said about this without knowing the 
network setup.


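The routed-versus-on-link distinction in the reply above, as an added example that is not part of the original message or of m0n0wall: it runs a longest-prefix match over an upstream router's table to tell whether a 1:1 NAT address reaches the firewall by routing or only if the firewall answers ARP for it. The route table, addresses, and function names are constructed assumptions using documentation ranges.

```python
import ipaddress

# Constructed upstream-router routing table (documentation address ranges).
# A next hop of None means the prefix is directly connected (on-link),
# so the router will ARP for each address in it on the shared segment.
UPSTREAM_ROUTES = [
    ("203.0.113.0/24", None),            # the shared WAN segment
    ("203.0.113.20/32", "203.0.113.2"),  # static route entry for one IP
    ("198.51.100.0/28", "203.0.113.2"),  # an entire net routed to the firewall
]
FIREWALL_WAN_IP = "203.0.113.2"          # hypothetical firewall WAN address


def best_route(ip, routes):
    """Longest-prefix match; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(ip)
    matches = []
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net, next_hop))
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def delivery_mode(nat_ip, routes=UPSTREAM_ROUTES, firewall_ip=FIREWALL_WAN_IP):
    """Classify how the upstream router would deliver traffic for nat_ip."""
    fw = ipaddress.ip_address(firewall_ip)
    if ipaddress.ip_address(nat_ip) == fw:
        return "own-address"       # firewall already answers ARP for this
    route = best_route(nat_ip, routes)
    if route is None:
        return "no-route"          # upstream cannot reach it at all
    _, next_hop = route
    if next_hop is None:
        return "proxy-arp"         # router ARPs on-link; firewall must answer
    if ipaddress.ip_address(next_hop) == fw:
        return "routed"            # already sent to the firewall, no proxy ARP
    return "routed-elsewhere"      # proxy ARP on the firewall would not help


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "198.51.100.5", "192.0.2.1"):
        print(ip, delivery_mode(ip))
```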