 From:  Manuel Kasper <mk at neon1 dot net>
 To:  "Michael A. Alderete" <lists dash 2003 at alderete dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Questions Using Proxy ARP for DMZ
 Date:  Sun, 08 Feb 2004 12:43:25 +0100
Michael A. Alderete wrote:

> Exactly. Uh, although I don't see how having a real subnet would change
> configuring m0n0wall...

If you have your own real routed subnet, that also means you get a WAN 
IP address that is *not* inside that subnet. Basically, you can then 
just assign that subnet (of public IP addresses) to your DMZ interface 
(one IP address out of that subnet becomes m0n0wall's DMZ interface IP 
address) and turn off NAT for the DMZ.

> OK, getting confused again. I thought (from the articles referenced, not
> your posts or the m0n0wall interface) that ARP Proxy was designed to allow
> you to use your public IP addresses behind the firewall (m0n0)? At least,
> that seems to be what's being described in these two articles:

Again, once and for all: proxy ARP only causes your ISP's router or 
whatever to send packets to all of your IP addresses to your m0n0wall, 
even though there's no static route on their router that tells it to do 
so (because you haven't got a real subnet). It doesn't say anything 
about what m0n0wall is supposed to do with the packets once it has 
received them.

> The ARP Proxy tells external systems to send packets for proxied systems to
> the firewall (m0n0), which then figures out where to send them internally,
> via some clever routing mechanisms. It sounded really cool, and fairly
> straightforward (though the articles are written about Linux).

Yes. Let's say m0n0wall has received a packet for xxx.yyy.189.2. It 
knows it's not for itself, but then again strictly speaking the 
destination host for that packet would have to be on the WAN interface, 
because that's where the xxx.yyy.189.0/24 subnet is. OK, if your range 
of addresses was bigger, you could assign some subnet that fits in your 
range to the DMZ interface and live without 1:1 NAT or bridging (this 
works because BSD always uses the most specific route if there are 
multiple possibilities). That would be ugly though, and in your case the 
range is too small anyway.

So how do you get m0n0wall to send those packets to your DMZ interface 
anyway? The answer is with 1:1 NAT!

> I would bet I am completely misunderstanding the purpose of ARP Proxy on
> m0n0wall.

It's only there to replace the automatic IP aliasing on WAN that we used 
to have before pb27.

> Using NAT for my DMZ seems like it triples the amount of configuration
> required (NAT entries + firewall entries + DNS forwarder overrides for LAN
> clients), compared to bridging or the ARP Proxy configurations described in
> the articles above, so I'm really trying to avoid it...

You can't, unless you get a real routed subnet or use the filtering 
bridge, which unfortunately has other problems.
That's just the way IP routing works.

- Manuel
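The forwarding decision Manuel walks through above (proxy ARP gets the frames to the firewall, the longest-prefix route lookup then points a packet for a WAN-subnet address straight back out WAN, and 1:1 NAT is what redirects it to the DMZ), as an added example that is not part of the original mail and not m0n0wall's own code. The topology and all addresses are assumptions for this example: documentation ranges 203.0.113.0/24 (ISP subnet on WAN), 10.0.2.0/24 (private DMZ) and 192.168.1.0/24 (LAN) stand in for the poster's real xxx.yyy.189.0/24 block, and the function names are mine. It also models the alternative Manuel mentions for a larger range, carving a more specific public subnet onto the DMZ interface, so you can see why that works without NAT.

```python
import ipaddress

# Constructed topology for this example (not the poster's real addresses):
#   WAN:  ISP subnet 203.0.113.0/24, firewall WAN address 203.0.113.1,
#         ISP gateway 203.0.113.254.
#   DMZ:  private 10.0.2.0/24 on the DMZ interface (firewall is 10.0.2.1).
#   LAN:  192.168.1.0/24.
# The ISP also hands the customer four extra public addresses,
# 203.0.113.10 - 203.0.113.13, inside the same /24 (no routed subnet).

# Routing table entries: (network, egress interface, gateway or None).
BASE_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan", ipaddress.ip_address("203.0.113.254")),
    (ipaddress.ip_network("203.0.113.0/24"), "wan", None),   # directly connected
    (ipaddress.ip_network("10.0.2.0/24"), "dmz", None),
    (ipaddress.ip_network("192.168.1.0/24"), "lan", None),
]

WAN_ADDRESS = ipaddress.ip_address("203.0.113.1")

# Addresses the firewall answers ARP for on WAN (proxy ARP). This only makes
# the ISP router hand us the frames; it says nothing about routing.
PROXY_ARP = {ipaddress.ip_address(f"203.0.113.{i}") for i in range(10, 14)}

# 1:1 NAT table: public address seen on WAN <-> private DMZ host.
ONE_TO_ONE = {
    ipaddress.ip_address("203.0.113.10"): ipaddress.ip_address("10.0.2.10"),
    ipaddress.ip_address("203.0.113.11"): ipaddress.ip_address("10.0.2.11"),
}


def lookup(dst, routes):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]   # default route always matches
    _net, iface, gw = max(candidates, key=lambda r: r[0].prefixlen)
    return iface, gw


def accept_on_wan(dst):
    """Would the firewall answer the ISP router's ARP request for dst?"""
    dst = ipaddress.ip_address(dst)
    return dst == WAN_ADDRESS or dst in PROXY_ARP


def forward_inbound(dst, routes=BASE_ROUTES, nat=ONE_TO_ONE):
    """Model the firewall's handling of a packet that arrived on WAN for dst.

    Returns (egress interface, destination after NAT, next-hop gateway), or
    None if the ISP router would never have sent the frame to us. With no 1:1
    NAT entry, a 203.0.113.x destination matches the directly connected WAN /24
    and the packet would simply be sent back out WAN.
    """
    dst = ipaddress.ip_address(dst)
    if not accept_on_wan(dst):
        return None
    dst = nat.get(dst, dst)            # 1:1 NAT rewrites before the route lookup
    iface, gw = lookup(dst, routes)
    return iface, str(dst), (str(gw) if gw else None)


def forward_outbound(src, dst, routes=BASE_ROUTES, nat=ONE_TO_ONE):
    """Reply path: the DMZ host's private source becomes its public address."""
    src = ipaddress.ip_address(src)
    reverse = {priv: pub for pub, priv in nat.items()}
    src = reverse.get(src, src)
    iface, gw = lookup(dst, routes)
    return iface, str(src), (str(gw) if gw else None)


def routes_with_public_dmz_subnet():
    """Alternative for a larger range: put a more specific public subnet on the
    DMZ interface. /26 beats the connected /24, so no NAT is needed, but the
    range must be big enough to carve, and proxy ARP is still required on WAN
    because the ISP router believes the whole /24 is on-link."""
    return BASE_ROUTES + [(ipaddress.ip_network("203.0.113.64/26"), "dmz", None)]


if __name__ == "__main__":
    print("no NAT:  ", forward_inbound("203.0.113.10", nat={}))
    print("1:1 NAT: ", forward_inbound("203.0.113.10"))
    print("subnet:  ", lookup("203.0.113.70", routes_with_public_dmz_subnet()))
```

Run it and the first line shows the trap Manuel describes: with proxy ARP alone the frame reaches the firewall, but the route lookup sends it back out WAN. The second line shows 1:1 NAT moving it to the DMZ host, and the third shows the longest-prefix rule doing the same job without NAT once a more specific public subnet sits on the DMZ interface.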