 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Just Mac to get traffic out the door?
 Date:  Sat, 15 Oct 2005 14:35:26 -0400
On 10/14/05, Bryan Catlin <bryancatlin at connectgroup dot net> wrote:
>  I actually emailed with someone on the freebsd lists today and they said
> they thought it could be done with a proxy arp setting but did not know how
> to do this.
> Does anyone know about proxy arp, or where I could get more info on how to
> set it up?

We have proxy ARP, but that's only one piece of the puzzle.  What we
don't have and what would be required is some sort of intelligence
where it could answer all ARP queries on a given interface.  Then
you'd also have to disable the anti-spoofing rules on that interface
(via backend modifications), and m0n0wall may have to know in some
fashion that the given IP is off of that interface (ipnat may suffice
for that, not sure).

Second problem is DNS, because if they have some arbitrarily assigned
static IP, they're also going to have statically assigned DNS servers
which may or may not be on the same subnet as their static IP.  If
they are on the same subnet as the static IP, proxy ARP on m0n0wall
could point the DNS servers to itself and respond to those queries. 
But that provides another problem, it would have to respond to those
DNS queries with a source of whatever IP the client is trying to talk
to.  If the DNS servers were on another subnet, all UDP/53 traffic
would have to be intercepted and replied to, again with a "spoofed"
source IP on replies.

Since it sounds like you're interested in looking into it further,
hopefully the above plus the following can lead you in the right
direction on at least finding more info.  m0n0wall's caching DNS is
dnsmasq.  The proxy ARP component is choparp.  NAT is done with ipnat,
part of ipfilter.  There may be alternatives that are more suitable
for this situation, but these may be well suited.  If you look into it
and find out anything, let us know!  This is becoming a more
frequently requested feature, and one that would be nice to combine
with captive portal for public networks if it could be done reliably.
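The first piece Chris describes above, a responder that answers every ARP who-has on an interface with the firewall's own MAC, as an added example that is not part of the original post and is not m0n0wall's or choparp's code. It works on raw Ethernet/ARP frames as bytes so it runs offline; the gateway MAC, the client MAC and the 203.0.113.0/24 addresses are constructed for the example, and the wire I/O (a raw socket or BPF device) is left out. The `in_interface_subnet` check is included only to show why the interface's anti-spoofing rules would have to be relaxed: the client's sender IP is deliberately outside the interface subnet, and the responder answers anyway. The DNS interception and ipnat parts of the scheme are not shown.

```python
import ipaddress
import socket
import struct
from dataclasses import dataclass

# Constructed example value: the MAC of the interface the static-IP client sits on.
OUR_MAC = bytes.fromhex("000c29aabbcc")

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpRequest:
    sender_mac: bytes
    sender_ip: str
    target_ip: str


def parse_arp_request(frame: bytes):
    """Return an ArpRequest for an Ethernet/ARP who-has frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, op) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, ARP_REQUEST):
        return None
    return ArpRequest(sha, socket.inet_ntoa(spa), socket.inet_ntoa(tpa))


def build_arp_reply(req: ArpRequest, our_mac: bytes = OUR_MAC) -> bytes:
    """Answer '<target IP> is-at our_mac' for whatever target IP was asked about.

    Ordinary proxy ARP answers only for configured addresses; this answers every
    query on the interface, which is the missing piece the post describes.
    """
    arp = ARP_HDR.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, ARP_REPLY,
                       our_mac, socket.inet_aton(req.target_ip),
                       req.sender_mac, socket.inet_aton(req.sender_ip))
    return ETH_HDR.pack(req.sender_mac, our_mac, ETHERTYPE_ARP) + arp


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Construct a broadcast who-has frame (used here only to make sample input)."""
    arp = ARP_HDR.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, ARP_REQUEST,
                       sender_mac, socket.inet_aton(sender_ip),
                       b"\x00" * 6, socket.inet_aton(target_ip))
    return ETH_HDR.pack(b"\xff" * 6, sender_mac, ETHERTYPE_ARP) + arp


def in_interface_subnet(ip: str, interface_cidr: str) -> bool:
    """What an anti-spoofing rule checks: does the sender IP belong on this interface?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(interface_cidr, strict=False)


if __name__ == "__main__":
    # Constructed sample: a client with an arbitrary static IP asks for its own default gateway.
    client_mac = bytes.fromhex("001122334455")
    frame = build_arp_request(client_mac, "203.0.113.50", "203.0.113.1")
    req = parse_arp_request(frame)
    assert req is not None
    print("who-has", req.target_ip, "from", req.sender_ip,
          "(on our subnet: %s)" % in_interface_subnet(req.sender_ip, "192.168.1.0/24"))
    reply = build_arp_reply(req)
    print("reply frame:", reply.hex())
```

To put this on the wire you would read frames from and write frames to the interface with a raw packet socket (AF_PACKET on Linux, a BPF device on FreeBSD) and then still need the NAT and DNS pieces the post lists; answering ARP alone only gets the client's frames to the firewall's MAC.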