 From:  Rolf Sommerhalder <rolf dot sommerhalder at alumni dot ethz dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  ARP Proxy for Sub-Subnet Extraction
 Date:  Sat, 06 Nov 2004 06:53:14 +0100

Hello list,

"sub-subnet extraction" is one name for a hack where a remote LAN uses a 
subrange of the subnet of the local LAN, as shown in this figure:

10.0.0.0/24 "local" subnet
  |
LAN: 10.0.0.29, ARP proxy for 10.0.0.128/30
m0n0local
WAN: 192.168.9.2
  |
  X crossover Ethernet cable, IPSec VPN
  |
WAN: 192.168.9.3
m0n0remote
LAN: 10.0.0.129
  |
10.0.0.128/30 "remote" extracted sub-subnet (/30)
  |             with 2 usable IP addresses
10.0.0.130 (some host)

This is attractive as in the local subnet no additional routes nor any 
default gateways need to be configured for IP traffic flowing towards 
the remote sub-subnet via the IPSec tunnel (comes in handy if you don't 
have admin access to the network devices in the LAN).

I have this hack working with Astaro v5 boxes, and now try to replace 
them by m0n0walls v1.2b2. However, I observe that the ARP proxy which I 
activated on the m0n0local box apparently does not respond to ARP 
requests for 10.0.0.129 nor 10.0.0.130 on the 10.0.0.0/24 subnet.

Re-reading the description for the ARP proxy option in m0n0 leaves me 
with the understanding that the ARP proxy might only listen on the WAN 
interface, and not on the LAN interface.

Can anyone please confirm that ARP proxy is indeed listening only on 
WAN, or is it supposed to work on LAN as well?  Thanks.

Regards from Zurich/Switzerland,
Rolf
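
Added example, not part of the original message: a small Python check of the addressing in the figure, showing why hosts in the local /24 ARP for the remote addresses instead of routing to them, which addresses the LAN-side ARP proxy therefore has to answer for, and which local hosts would collide with the extracted range. The host 10.0.0.50 and the inventory list are constructed sample values.

```python
import ipaddress

# Addresses from the figure in the message above.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")     # "local" subnet
REMOTE_NET = ipaddress.ip_network("10.0.0.128/30")  # extracted sub-subnet


def next_hop_decision(host_if, dst):
    """How a LAN host reaches dst: 'arp' when dst is on-link, else 'gateway'."""
    iface = ipaddress.ip_interface(host_if)
    return "arp" if ipaddress.ip_address(dst) in iface.network else "gateway"


def proxied_targets(local=LOCAL_NET, remote=REMOTE_NET):
    """Usable remote addresses the LAN-side ARP proxy has to answer for."""
    if not remote.subnet_of(local):
        raise ValueError(f"{remote} is not a subrange of {local}")
    return [str(ip) for ip in remote.hosts()]


def conflicting_hosts(local_hosts, remote=REMOTE_NET):
    """Local-LAN hosts whose address falls inside the extracted range."""
    return [h for h in local_hosts if ipaddress.ip_address(h) in remote]


if __name__ == "__main__":
    # 10.0.0.50/24 is a constructed local host, not taken from the message.
    for dst in ("10.0.0.130", "192.168.9.3"):
        print(dst, "->", next_hop_decision("10.0.0.50/24", dst))
    print("proxy must answer for:", proxied_targets())
    # Constructed inventory of addresses seen on the local LAN.
    inventory = ["10.0.0.29", "10.0.0.50", "10.0.0.131"]
    print("conflicts:", conflicting_hosts(inventory))
```

A local host sees 10.0.0.130 as on-link and sends an ARP request for it, so nothing reaches the tunnel unless something on the LAN side answers that request.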