 From:  "Michael A. Alderete" <lists dash 2003 at alderete dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Questions Using Proxy ARP for DMZ
 Date:  Sun, 8 Feb 2004 02:58:36 -0800
>> 2. What are the correct settings to enter into the Proxy ARP panel of the
>> m0n0wall webGUI to set it up for my DMZ configuration?
>>
>>   Network:     ????
>>   CIDR subnet: ????
>
>OK, so you have IPs xxx.yyy.189.2 - xxx.yyy.189.5. The last one is being
>used by m0n0wall itself, so no need to proxy ARP for that.

OK.


>Since what
>you have is not really a subnet (if it was, then you'd probably get it
>routed to you and not need proxy ARP) but a range of IP addresses that
>doesn't lie on a subnet boundary,

Exactly. Uh, although I don't see how having a real subnet would change
configuring m0n0wall...


>I'd just create three proxy ARP
>entries for xxx.yyy.189.2 to xxx.yyy.189.4 (/32 each). What this does is
>making m0n0wall reply to ARP queries for these three IP addresses on the
>WAN interface with its own MAC address, causing packets to these
>addresses to be sent to m0n0wall (which then knows what to do with them).

Aha! That makes perfect sense. This was my (first) big stumbling block,
trying to figure out the subnet mask, etc., when that didn't really fit.
But doing individual ARP entries for each unique IP makes that moot.


>> 3. What are the IP addresses that will be left for use in the DMZ?
>
>Assuming you're going to use 1:1 (or Server) NAT, you use some private
>subnet in your DMZ, like 192.168.2.1/24.

OK, getting confused again. I thought (from the articles referenced, not
your posts or the m0n0wall interface) that ARP Proxy was designed to allow
you to use your public IP addresses behind the firewall (m0n0)? At least,
that seems to be what's being described in these two articles:

<http://www.shorewall.net/ProxyARP.htm>
<http://www.linux.com/howtos/Proxy-ARP-Subnet/how.shtml>

The ARP Proxy tells external systems to send packets for proxied systems to
the firewall (m0n0), which then figures out where to send them internally,
via some clever routing mechanisms. It sounded really cool, and fairly
straightforward (though the articles are written about Linux).

I would bet I am completely misunderstanding the purpose of ARP Proxy on
m0n0wall.


>> 4. What are the subnet and gateway settings to use for the servers in
>>the DMZ?
>
>See above. Gateway = m0n0wall's DMZ interface IP address.

This is true with the 1:1 NAT that you describe, but didn't sound correct
for the ARP Proxy configurations described in the articles.


>> 5. What else do I need to do in the m0n0wall webGUI to allow packets from
>> the Internet to go back and forth to/from a specific server in the DMZ? Do
>> I need to add firewall rules, or NAT settings, or anything else? (For now
>> it's OK if the DMZ systems aren't protected, I'll pester the list with
>> firewall questions once I've moved my servers. ;-)
>
>Add 1:1 NAT rules to map each of your external IP addresses to the
>corresponding (private) DMZ IP address. Add filter rules that pass
>traffic on WAN from any to [private DMZ IP address of your server] on
>the desired port(s). Remember that the filter will see the packets after
>NATing, so you have to use the private IP addresses for the destination
>(on inbound packets).

This makes sense if I'm doing the 1:1 NATing. I have to confess, though, I
can't for the life of me understand what the differences / different
purposes of the different kinds of NAT are. 1:1 is fairly easy to comprehend,
but Inbound, Outbound, and Server, I just don't get. (Searching for "NAT"
turns up way too many hits in the archives to be useful, and the
functionality has evolved quite a bit.)

And once I go down the NAT route, I have an entirely new set of questions
regarding what IP addresses to put on my mail and DNS servers, both for
their host addresses and especially into my bind database files, since some
of the entries need to refer to the servers being NATed.

Using NAT for my DMZ seems like it triples the amount of configuration
required (NAT entries + firewall entries + DNS forwarder overrides for LAN
clients), compared to bridging or the ARP Proxy configurations described in
the articles above, so I'm really trying to avoid it...


>Now if you were going to use filtered bridging, it's another story - in
>that case, you don't need Proxy ARP at all because the ARP replies from
>your DMZ servers would be bridged too (Bruce, is that correct?).

I would love to use the filtered bridge, it seems more straightforward, but
it has the problem of making the DMZ inaccessible to the LAN, which I can't
have.

Thanks for the answers, but I think I'm only halfway to comprehension!

Michael
-- 

_____________________________________________________________
Michael A. Alderete           <mailto:lists dash 2003 at alderete dot com>
                                     <http://www.alderete.com>
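The following is an added worked example, not code from this post or from the m0n0wall project. It models the two mechanisms the reply describes: why a run of public addresses that does not sit on a subnet boundary becomes one /32 proxy ARP entry per host (m0n0wall's own WAN address excluded), and how 1:1 NAT maps each public address to a private DMZ host so that inbound filter rules must name the private (post-NAT) destination. The post writes the public block as "xxx.yyy.189.2 - .5", so the first two octets are unknown; 203.0.113.0/24 (documentation address space) is a constructed stand-in, and 192.168.2.0/24 is the DMZ subnet the reply suggests. The public-to-private pairing order and the rule dictionary layout are assumptions.

```python
"""Added example (not from the post): proxy ARP per-host entries and
1:1 NAT mapping for a small public address range behind m0n0wall."""
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-ins: the post elides the first two octets ("xxx.yyy").
PUBLIC_FIRST = "203.0.113.2"
PUBLIC_LAST = "203.0.113.5"
WAN_ADDRESS = "203.0.113.5"   # used by m0n0wall itself: no proxy ARP needed
DMZ_SUBNET = "192.168.2.0/24" # private DMZ subnet from the reply
DMZ_IF_ADDR = "192.168.2.1"   # m0n0wall's DMZ interface = DMZ hosts' gateway


def aligned_prefix(first: str, last: str) -> Optional[str]:
    """Return the single CIDR block that covers exactly first..last, or None
    when the range does not lie on a subnet boundary (the reply's point:
    such a range cannot be routed to you as one subnet)."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return str(blocks[0]) if len(blocks) == 1 else None


def proxy_arp_entries(first: str, last: str, wan_address: str) -> List[str]:
    """One /32 proxy ARP entry per public address that m0n0wall must answer
    ARP for on WAN with its own MAC; its own WAN address is left out."""
    addr = ipaddress.ip_address(first)
    last_addr = ipaddress.ip_address(last)
    wan = ipaddress.ip_address(wan_address)
    entries = []
    while addr <= last_addr:
        if addr != wan:
            entries.append(f"{addr}/32")
        addr += 1
    return entries


def one_to_one_nat_map(public_entries: List[str], dmz_subnet: str,
                       dmz_if_addr: str) -> Dict[str, str]:
    """Pair each proxied public address with a private DMZ host address.
    Assumption: hosts are assigned in ascending order, skipping the
    firewall's own DMZ interface address."""
    hosts = (str(h) for h in ipaddress.ip_network(dmz_subnet).hosts()
             if str(h) != dmz_if_addr)
    return {entry.split("/")[0]: next(hosts) for entry in public_entries}


def inbound_filter_rule(nat_map: Dict[str, str], public_ip: str,
                        port: int) -> Dict[str, object]:
    """Pass rule for traffic arriving on WAN for public_ip. The filter runs
    after NAT, so the destination it must match is the translated private
    DMZ address, not the public one (the reply's caveat)."""
    translated = nat_map[public_ip]
    return {"interface": "WAN", "proto": "tcp", "src": "any",
            "dst": translated, "dst_port": port, "action": "pass"}


if __name__ == "__main__":
    print("single CIDR for range:", aligned_prefix(PUBLIC_FIRST, PUBLIC_LAST))
    arp = proxy_arp_entries(PUBLIC_FIRST, PUBLIC_LAST, WAN_ADDRESS)
    print("proxy ARP entries:", arp)
    nat = one_to_one_nat_map(arp, DMZ_SUBNET, DMZ_IF_ADDR)
    print("1:1 NAT map:", nat)
    print("SMTP rule:", inbound_filter_rule(nat, PUBLIC_FIRST, 25))
```

Running it shows that .2 to .5 cannot be written as one prefix (a /30 would have to start at .0 or .4), that only .2, .3 and .4 get proxy ARP entries, and that the pass rule for the mail server's public address carries the private DMZ destination.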