Brief, sloppy description of ARP. Given node A and node B on the same LAN,
connected either to a switch (or hub) or directly via a cross-over
connector. When A needs to communicate with B, it's not enough to know
IPaddr(B); A must have B's MAC address in order to transmit a packet to B.
So, A does an ARP broadcast, which asks "what's the MAC address for
IPaddr(B)?". The important part (for 1:1 NAT) is that the first response
from *any* node is considered valid. BTW, note that this is wide-open for
abuse; if someone can answer before you do, they're perfectly situated for a
Generally, a node will respond for itself. However, in certain cases (such
as 1:1 NAT), B isn't actually on the sam LAN as A, so it won't see the ARP
broadcast. Now, because any node can respond, we have the m0n0wall act as a
proxy for B (so-called "proxy ARP"). So, when A does an ARP broadcast, the
m0n0wall (if configured correctly) will respond with its own MAC address.
This means that A will deliver the packet to the m0n0wall, which will then
perform the appropriate NAT magic.
To configure proxy ARP on the m0n0wall, select "Proxy ARP" under the
"Services" group. For a single address, just add an entry with the
*external* IP (192.168.1.10 <http://192.168.1.10>) for which the m0n0wall
Hope this helps,
On Apr 4, 2005 8:27 AM, Eleazar Martínez <eleazar dot martinez at technosoft dot com>
> >-----Original Message-----
> >From: Claude Morin [mailto:klodefactor at gmail dot com ]
> >Sent: Saturday, April 02, 2005 1:15 PM
> >To: Eleazar Martínez
> >Cc: m0n0wall at lists dot m0n0 dot ch
> >Subject: Re: [m0n0wall] NAT 1:1 problem
> >I don't see anything in your description about proxy ARP; have
> >you enabled
> >it? The firewall has to respond with its own MAC address when
> >the next-hop
> >WAN device tries to communicate with one of your NATed IPs.
> I have not used proxy ARP and actually don't know what it should be used
> for. I'll investigate about it and see if that solves the problem.
> >On Apr 1, 2005 1:11 PM, Eleazar Martínez
> ><eleazar dot martinez at technosoft dot com >
> >> I'm trying to setup my m0n0 box as follows:
> >> LAN: IP 192.168.0.1/24 <http://192.168.0.1/24> <http://192.168.0.1/24 >
> >> WAN: IP 192.168.1.1/24 <http://192.168.1.1/24> <http://192.168.1.1/24 >
> >192.168.1.2 <http://192.168.1.2> <http://192.168.1.2 >
> >> OP1: IP 192.168.2.1/24 <http://192.168.2.1/24> <http://192.168.2.1/24 >
> >> I have a server in OP1 with the IP 192.168.2.10 <http://192.168.2.10>
> ><http://192.168.2.10 > . I
> >> want the server to be
> >> accessible (all ports/protocols) from the WAN side at the public ip
> >> address
> >> 192.168.1.10 <http://192.168.1.10> <http://192.168.1.10 > . I add a NAT
> 1:1 on WAN
> >with external
> >> 192.168.1.10 <http://192.168.1.10> <http://192.168.1.10 > and internal
> >> 192.168.2.10 <http://192.168.2.10> <http://192.168.2.10 > . Rules for
> the firewall
> >on WAN permit
> >> traffic for destination
> >> 192.168.2.10 <http://192.168.2.10> <http://192.168.2.10 > and on the
> OP1 I allow
> >all traffic. My
> >> setup doesn't seem to
> >> work...
> >> Without the addition of the OP1 interface everything works fine.
> >> On the WAN I have disabled the checkbox for "Block private networks".
> >> Do you see any problems with the above setup?
> >> Some extra fun that might be causing problems: from the WAN
> >side there
> >> will
> >> be coming packets from 192.168.0.0/24 <http://192.168.0.0/24>
> ><http://192.168.0.0/24 > (thanks to a
> >> vpn router) directed to
> >> 192.168.1.10 <http://192.168.1.10> <http://192.168.1.10 > . Is this a
> >because the packets
> >> will 'look' like they
> >> come from my LAN (192.168.0.0/24 <http://192.168.0.0/24> <
> http://192.168.0.0/24 > )?
> >Do I have to
> >> tell it somehow to not route
> >> those packets to the LAN but send them using NAT to OP1 (a
> >static route
> >> maybe)? And, lastly, am I just trying to do something that
> >isn't possible
> >> with the packages that m0n0 uses internally?
> >> By the way... I don't need any connection between LAN and
> >OP1 at all so
> >> it's
> >> ok if they cannot see each other.
> >> Thanks in advance.
> >> -Eleazar Martínez