 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Multiple WAN ip addresses
 Date:  Tue, 24 Jun 2003 16:21:13 -0700 (PDT)
On Tue, 24 Jun 2003, Bart Smit wrote:

> So why not do proxy ARP for boxes in the DMZ on the WAN interface (and for
> the WAN router on the DMZ interface)? In that way, routing WAN-DMZ traffic
> is cleaner (without state tables on m0n0wall), and the DMZ boxes will
> still have the right idea about their own IP address. Only difference now
> is a firewall in between (which is exactly what we want).

I like to regard Proxy ARP as a last resort, both because it lies about
the topology, and because overzealous Proxy ARP can cause nasty things to
happen (like routing loops).  A cleaner way to handle this would be to
have the ISP know that the secondary IPs are reachable via the primary,
either via static configuration or via a routing protocol, but they may
not support that.

					Fred Wright