On Tue, 24 Jun 2003, Bart Smit wrote:
> So why not do proxy ARP for boxes in the DMZ on the WAN interface (and for
> the WAN router on the DMZ interface)? In that way, routing WAN-DMZ traffic
> is cleaner (without state tables on m0n0wall), and the DMZ boxes will
> still have the right idea about their own IP address. Only difference now
> is a firewall in between (which is exactly what we want).
I like to regard Proxy ARP as a last resort, both because it lies about
the topology, and because overzealous Proxy ARP can cause nasty things to
happen (like routing loops). A cleaner way to handle this would be to
have the ISP know that the secondary IPs are reachable via the primary,
either via static configuration or via a routing protocol, but they may
not support that.
Fred Wright |
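The two hazards Fred names (proxy ARP lying about the topology, and overzealous proxy ARP causing loops) can be checked mechanically against a firewall's routing table. The script below is an added illustration, not code from this thread or from m0n0wall; it models a two-interface firewall in the scenario discussed (DMZ hosts keeping secondary IPs out of the ISP's WAN block), uses constructed RFC 5737 addresses and made-up MACs, and the `Router`, `audit_proxy_arp` and `arp_responders` names are hypothetical. The audit flags a proxy-ARP entry as a loop hazard when the router would answer for an address on one interface and then route the packet back out that same interface, and as a conflict when a real host on that segment owns the address. The `ROUTED` case shows the alternative Fred prefers: when the ISP routes the secondary block via the primary address, the ISP router only ever resolves the firewall's real WAN address and no proxy entries are needed.

```python
"""Audit proxy-ARP entries on a WAN/DMZ firewall against its routing table.

Added example (not m0n0wall code). Addresses are constructed RFC 5737 values.
"""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Interface:
    name: str                 # also used as the name of the attached segment
    ip: IPv4
    mac: str
    proxy_for: list = field(default_factory=list)   # networks answered for on this segment


@dataclass
class Router:
    interfaces: dict          # interface name -> Interface
    routes: list              # (Net, egress interface name), in any order

    def egress(self, dst: IPv4):
        """Longest-prefix match; None when no route covers dst."""
        best = None
        for net, ifname in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        return best[1] if best else None

    def answers_arp(self, ifname: str, target: IPv4) -> bool:
        """True if this router replies to 'who-has target' heard on ifname."""
        iface = self.interfaces[ifname]
        return target == iface.ip or any(target in n for n in iface.proxy_for)


def arp_responders(router: Router, hosts: dict, segment: str, target: IPv4) -> list:
    """MACs that would reply to an ARP request on a segment: real hosts plus proxies."""
    macs = [mac for ip, mac in hosts.get(segment, {}).items() if ip == target]
    if router.answers_arp(segment, target):
        macs.append(router.interfaces[segment].mac)
    return macs


def audit_proxy_arp(router: Router, hosts: dict) -> list:
    """Return (kind, interface, address) findings for dangerous proxy-ARP entries.

    loop:      answers on segment X but routes the packet back out X
    blackhole: answers but has no route for the address at all
    conflict:  a real host on the same segment owns the address (duplicate replies)
    """
    findings = []
    for iface in router.interfaces.values():
        for net in iface.proxy_for:
            for addr in net:                      # every address the entry covers
                out = router.egress(addr)
                if out == iface.name:
                    findings.append(("loop", iface.name, str(addr)))
                elif out is None:
                    findings.append(("blackhole", iface.name, str(addr)))
                if addr in hosts.get(iface.name, {}):
                    findings.append(("conflict", iface.name, str(addr)))
    return findings


def build_firewall(wan_proxy: list, dmz_proxy: list) -> Router:
    """Constructed topology: ISP block 198.51.100.0/24, secondary IPs .16/28 live in the DMZ."""
    wan = Interface("WAN", IPv4("198.51.100.2"), "00:00:5e:00:53:02", wan_proxy)
    dmz = Interface("DMZ", IPv4("198.51.100.30"), "00:00:5e:00:53:03", dmz_proxy)
    return Router({"WAN": wan, "DMZ": dmz},
                  [(Net("198.51.100.16/28"), "DMZ"),
                   (Net("198.51.100.0/24"), "WAN"),
                   (Net("0.0.0.0/0"), "WAN")])


# Constructed hosts: the ISP router on WAN, two servers on the DMZ.
HOSTS = {"WAN": {IPv4("198.51.100.1"): "00:00:5e:00:53:01"},
         "DMZ": {IPv4("198.51.100.17"): "00:00:5e:00:53:11",
                 IPv4("198.51.100.18"): "00:00:5e:00:53:12"}}

# Bart's scheme done carefully: proxy the DMZ block on WAN, the ISP router on DMZ.
SANE = build_firewall(wan_proxy=[Net("198.51.100.16/28")], dmz_proxy=[Net("198.51.100.1/32")])
# Overzealous: answer for the whole /24 on both sides.
OVERZEALOUS = build_firewall(wan_proxy=[Net("198.51.100.0/24")], dmz_proxy=[Net("198.51.100.0/24")])

# Fred's alternative: the DMZ gets its own block that the ISP routes via 198.51.100.2.
ROUTED = Router({"WAN": Interface("WAN", IPv4("198.51.100.2"), "00:00:5e:00:53:02"),
                 "DMZ": Interface("DMZ", IPv4("203.0.113.1"), "00:00:5e:00:53:03")},
                [(Net("203.0.113.0/28"), "DMZ"), (Net("0.0.0.0/0"), "WAN")])
HOSTS_ROUTED = {"WAN": HOSTS["WAN"],
                "DMZ": {IPv4("203.0.113.2"): "00:00:5e:00:53:11"}}

if __name__ == "__main__":
    for label, fw, hosts in (("sane", SANE, HOSTS), ("overzealous", OVERZEALOUS, HOSTS),
                             ("routed", ROUTED, HOSTS_ROUTED)):
        print(f"{label}: {len(audit_proxy_arp(fw, hosts))} findings")
```

In the sane configuration the audit is clean, but `arp_responders` still shows the "lie": an ARP request for 198.51.100.17 on the WAN segment is answered with the firewall's WAN MAC, not the server's. In the overzealous configuration the firewall claims the ISP router's own address on the WAN segment and would route packets for most of the /24 straight back out the interface it heard them on, which is the loop hazard. In the routed configuration the ISP router resolves only 198.51.100.2, and nothing on the WAN segment answers for DMZ addresses.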