Michael A. Alderete wrote:
> Exactly. Uh, although I don't see how having a real subnet would change
> configuring m0n0wall...
If you have your own real routed subnet, that also means you get a WAN
IP address that is *not* inside that subnet. Basically, you can then
just assign that subnet (of public IP addresses) to your DMZ interface
(one IP address out of that subnet becomes m0n0wall's DMZ interface IP
address) and turn off NAT for the DMZ.
> OK, getting confused again. I thought (from the articles referenced, not
> your posts or the m0n0wall interface) that ARP Proxy was designed to allow
> you to use your public IP addresses behind the firewall (m0n0)? At least,
> that seems to be what's being described in these two articles:
Again, once and for all: proxy ARP only causes your ISP's router or
whatever to send packets to all of your IP addresses to your m0n0wall,
even though there's no static route on their router that tells it to do
so (because you haven't got a real subnet). It doesn't say anything
about what m0n0wall is supposed to do with the packets once it has
> The ARP Proxy tells external systems to send packets for proxied systems to
> the firewall (m0n0), which then figures out where to send them internally,
> via some clever routing mechanisms. It sounded really cool, and fairly
> straightforward (though the articles are written about Linux).
Yes. Let's say m0n0wall has received a packet for xxx.yyy.189.2. It
knows it's not for itself, but then again strictly speaking the
destination host for that packet would have to be on the WAN interface,
because that's where the xxx.yyy.189.0/24 subnet is. OK, if your range
of addresses was bigger, you could assign some subnet that fits in your
range to the DMZ interface and live without 1:1 NAT or bridging (this
works because BSD always uses the most specific route if there are
multiple possibilities). That would be ugly though, and in your case the
range is too small anyway.
So how do you get m0n0wall to send those packets to your DMZ interface
anyway? The answer is with 1:1 NAT!
> I would bet I am completely misunderstanding the purpose of ARP Proxy on
It's only there to replace the automatic IP aliasing on WAN that we used
to have before pb27.
> Using NAT for my DMZ seems like it triples the amount of configuration
> required (NAT entries + firewall entries + DNS forwarder overrides for LAN
> clients), compared to bridging or the ARP Proxy configurations described in
> the articles above, so I'm really trying to avoid it...
You can't, unless you get a real routed subnet or use the filtering
bridge, which unfortunately has other problems.
That's just the way IP routing works.
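The two separate steps the reply keeps insisting on (proxy ARP gets the packets as far as the firewall; longest-prefix routing or 1:1 NAT decides what happens to them afterwards) can be made concrete in a small model. The following is an added example, not code from the thread or from m0n0wall; it uses the documentation range 192.0.2.0/24 in place of xxx.yyy.189.0/24, and the interface names, the /29 carved out for the DMZ and the private DMZ address 10.0.1.2 are all constructed assumptions.

```python
import ipaddress

# Constructed routing table modelled on the situation in the thread:
# the whole provider-assigned /24 lives on WAN, the LAN is private,
# and (for the "bigger range" case) a /29 out of the /24 has been
# assigned to the DMZ interface.
ROUTES = [
    ("192.0.2.0/24", "wan"),   # ISP-assigned subnet, reachable on WAN
    ("192.0.2.8/29", "dmz"),   # more specific block assigned to DMZ
    ("10.0.0.0/24", "lan"),    # private LAN
    ("10.0.1.0/24", "dmz"),    # private DMZ used together with 1:1 NAT
    ("0.0.0.0/0", "wan"),      # default route via the ISP
]

# Addresses m0n0wall answers ARP for on behalf of hosts behind it
# (constructed; stands in for the proxy ARP configuration).
PROXY_ARP = {ipaddress.ip_address("192.0.2.2"), ipaddress.ip_address("192.0.2.3")}

# 1:1 NAT: public address -> private DMZ host (constructed mapping).
ONE_TO_ONE_NAT = {"192.0.2.2": "10.0.1.2"}


def answers_arp(target, proxied=PROXY_ARP):
    """Step 1: proxy ARP. The ISP's router asks 'who has <target>?' and the
    firewall replies with its own MAC if the address is proxied. This only
    gets the frame to the firewall; it says nothing about routing."""
    return ipaddress.ip_address(target) in proxied


def lookup(dst, routes=ROUTES):
    """Step 2: longest-prefix match. Of all routes containing dst, the most
    specific one (largest prefix length) wins, as the reply says BSD does."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def forward(dst, nat=ONE_TO_ONE_NAT, routes=ROUTES):
    """Full path for an inbound packet: translate the destination if a 1:1
    NAT mapping exists, then route whatever address results. Returns the
    (possibly translated) destination and the egress interface."""
    inner = nat.get(dst, dst)
    return inner, lookup(inner, routes)


if __name__ == "__main__":
    # Without NAT, the public address routes straight back out WAN,
    # because the /24 is on WAN: this is the problem the reply describes.
    print("192.0.2.3 ->", lookup("192.0.2.3"))        # wan
    # An address inside the /29 moved to DMZ is routed there by itself.
    print("192.0.2.9 ->", lookup("192.0.2.9"))        # dmz
    # With 1:1 NAT the packet is rewritten first and then routed to DMZ.
    print("192.0.2.2 ->", forward("192.0.2.2"))       # ('10.0.1.2', 'dmz')
```

Running the script shows the three outcomes side by side: a proxied address with no NAT entry is still routed to WAN, a more specific route pulls an address to the DMZ without any NAT, and a 1:1 NAT entry is what redirects a single public address into a private DMZ.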