Hello Manuel!

On Sun, Feb 08, 2004 at 02:55:58PM +0100, Manuel Kasper wrote:
> Peter Allgeyer wrote:
> >Not really. Routing is the point. But as NAT seems to be performed before
>
> I think that's what I was trying to say, but you can't really do it in a
> clean way with a public IP range of xxx.yyy.189.2 - xxx.yyy.189.4 and
> without losing any of them, can you? Maybe I'm missing something here.

No, you don't miss anything. But it is routing, not NAT, that is responsible for choosing the interfaces to put packets out on. If you say that it is NAT, then it is only half of the truth. As stated above, on a transfer net you will lose:

1) network IP
2) broadcast IP
3) firewall IP
4) router IP

No other way (if you don't have a small transfer net or choose to bridge instead of routing). It's possible to split your /24 net into a small transfer net (of about /29 or so) and route the rest to your DMZ, but then you will lose more IP addresses than using NAT and proxy ARP.

> Yeah, but m0n0wall was never intended for such advanced stuff, and I
> really don't want to complicate the webGUI any more. It's become
> complicated enough because people are trying to use m0n0wall in all
> kinds of weird setups that even most smaller commercial firewalls would
> fail to cover.

What is the disadvantage of using m0n0wall in so-called "weird setups"? If there's the possibility to use 1:1 NAT (and it is there), there has to be the possibility to use proxy ARP (and there is). The only point stated is that there is a restriction that is not needed. If you really want to restrict something (or let's say obscure it), you can add the proxy ARP entries automatically (without the WebGUI), as the Cisco PIX does. And by the way: most of us don't need 1:1 NAT on the WAN interface, because of having only one IP :-( But for professional use, it is strictly needed. Maybe thinking of buying a commercial firewall (where I don't have the source code) is the better way?

Ok, there's the possibility of using <shellcmd> anyway, but having it all in one interface would be much nicer. Why not move proxy ARP to the NAT table (where it IMHO belongs)? This way you can hide the complexity of the GUI from users who don't need any advanced rules.

Just my opinion ...

... PIT ...

---------------------------------------------------------------------------
copyleft(c) by  |  _-_      To kick or not to kick... -- Somewhere on
Peter Allgeyer  | 0(o_o)0   IRC, inspired by Shakespeare
---------------oOO--(_)--OOo-----------------------------------------------
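The address arithmetic behind the "routed transfer net versus proxy ARP" point above, worked out with Python's ipaddress module. This is an added example, not code from the original thread or from m0n0wall. The block 192.0.2.0/24 is a constructed TEST-NET value standing in for the xxx.yyy.189.0/24 range discussed; the assumption that each routed DMZ subnet additionally loses its network, broadcast and firewall gateway address is mine, as is the choice of the first /29 as the transfer net.

```python
import ipaddress

# Constructed example block (TEST-NET-1), not a real deployment.
PUBLIC_BLOCK = "192.0.2.0/24"


def proxy_arp_usable(public_block: str) -> int:
    """Addresses left for DMZ hosts when the whole block stays on the WAN side
    and the firewall answers ARP for them (proxy ARP + 1:1 NAT).

    Assumed losses: network address, broadcast address, the upstream
    router's IP and the firewall's own WAN IP. Everything else can be
    mapped 1:1 onto a DMZ host."""
    block = ipaddress.ip_network(public_block)
    lost = {"network": 1, "broadcast": 1, "router": 1, "firewall_wan": 1}
    return block.num_addresses - sum(lost.values())


def routed_transfer_net(public_block: str, transfer_prefix: int = 29) -> dict:
    """Carve a small transfer net out of the block and route the remainder
    to the DMZ, then count what is left for hosts.

    The transfer net holds network, broadcast, router and firewall
    addresses; its remaining addresses are idle (nothing else lives there).
    The remainder is not a single prefix, so it becomes several routed
    subnets, each of which (assumption) loses network, broadcast and the
    firewall's gateway address."""
    block = ipaddress.ip_network(public_block)
    transfer = next(block.subnets(new_prefix=transfer_prefix))  # first /29
    # Minimal set of CIDR blocks covering everything outside the transfer net.
    dmz_subnets = sorted(block.address_exclude(transfer))
    dmz_usable = sum(s.num_addresses - 3 for s in dmz_subnets)
    return {
        "transfer_net": str(transfer),
        "dmz_subnets": [str(s) for s in dmz_subnets],
        "dmz_usable": dmz_usable,
        "lost": block.num_addresses - dmz_usable,
    }


def compare(public_block: str = PUBLIC_BLOCK) -> dict:
    """Side-by-side host counts for the two designs on the same block."""
    routed = routed_transfer_net(public_block)
    return {
        "proxy_arp_usable": proxy_arp_usable(public_block),
        "routed_usable": routed["dmz_usable"],
        "routed_dmz_subnets": routed["dmz_subnets"],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

On a /24 the routed design leaves the remainder as five separate subnets (/25, /26, /27, /28, /29), and the per-subnet overhead is what turns a handful of lost addresses into a couple of dozen. The proxy ARP figure assumes the upstream router and the firewall each hold one address in the block; if the ISP's router sits outside the block, one more address is recovered.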