Earl Cliffson wrote:

> Can someone explain the difference between IP aliasing
> and proxy ARP to me? Or, put another way, if we
> didn't have proxy ARP before, how did the ISP do its
> routing?

Put simply, the main difference is that m0n0wall no longer thinks that the IP addresses which were used in 1:1 and server NAT mappings are actually its own. The ARP replies it sends in response to queries for these IP addresses are the same in pb27 if proxy ARP is enabled. It works both ways as far as 1:1 NAT is concerned, but IP aliasing becomes impractical if large subnets have to be aliased (you cannot tell BSD to alias a whole range of IP addresses) - with a userland proxy ARP daemon (choparp) that's no problem. This is an important prerequisite for 1:1 NAT with entire subnets in pb27...

> Currently I have a publicly routable subnet of
> aaa.bbb.ccc.88 - 95.
> .88 is the network address
> .89 is a gateway address that sits at my ISP. (it is
> the other end of my dsl line.)
> .90 is my m0n0wall WAN IP
> .91 - 94 are 1:1 NATted to private space on my DMZ.
> The 1:1 NAT causes the automatic IP aliasing, so that
> .91-.94 appear to be on the WAN along with .90.
>
> It all works great. How does my ISP know to route
> like this without proxy ARP already in place? Will I

Up to and including pb26, m0n0wall automatically added IP aliases to the WAN interface for 1:1 NAT entries, causing the underlying operating system to respond to ARP queries for these addresses (hence telling your ISP's router where to send packets for e.g. aaa.bbb.ccc.91) - same behavior as with proxy ARP in pb27. Since not all people need/want this (you obviously do though), the aliasing has been removed, and proxy ARP is now there to do the job for those who need it.

> need to change this in the pb27 version?

Yes. Add separate proxy ARP entries for .91 to .94 (/32 each).

- Manuel
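
The following is an added example, not part of the original message and not m0n0wall code: a planning check that turns a list of 1:1 NAT external addresses into the /32 proxy ARP entries described above and refuses any address that must never be answered for. The function names are hypothetical, and 203.0.113.88/29 is a constructed stand-in for the masked aaa.bbb.ccc.88 - 95 subnet.

```python
import ipaddress


def proxy_arp_entries(wan_net, wan_ip, gateway, nat_externals):
    """Return the sorted on-link addresses that need a /32 proxy ARP entry."""
    net = ipaddress.ip_network(wan_net)
    # Answering ARP for any of these would break or hijack the link:
    # the network and broadcast addresses, the ISP gateway, and the
    # firewall's own WAN IP (the interface already answers for that one).
    reserved = {
        net.network_address,
        net.broadcast_address,
        ipaddress.ip_address(wan_ip),
        ipaddress.ip_address(gateway),
    }
    needed = set()
    for raw in nat_externals:
        addr = ipaddress.ip_address(raw)
        if addr not in net:
            # Not on the WAN segment: nobody ARPs for it on this link,
            # so it has to be routed to the firewall instead.
            continue
        if addr in reserved:
            raise ValueError(f"{addr} is reserved on {net}; no proxy ARP for it")
        needed.add(addr)
    return sorted(needed)


def collapse(addrs):
    """Smallest set of CIDR blocks covering exactly the given addresses."""
    return list(
        ipaddress.collapse_addresses(ipaddress.ip_network(str(a)) for a in addrs)
    )


if __name__ == "__main__":
    # Constructed sample mirroring the layout in the message:
    # .88 network, .89 ISP gateway, .90 WAN IP, .91-.94 1:1 NAT.
    hosts = proxy_arp_entries(
        "203.0.113.88/29", "203.0.113.90", "203.0.113.89",
        [f"203.0.113.{n}" for n in range(91, 95)],
    )
    for h in hosts:
        print(f"proxy ARP entry: {h}/32")
    print("collapsed:", ", ".join(str(n) for n in collapse(hosts)))
```

The collapsed form shows why .91 to .94 cannot be expressed as one subnet: the range is not aligned to a prefix boundary, so separate entries are the simplest correct configuration.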