 From:  Bart Smit <bit at pipe dot nl>
 To:  Bart Smit <bit at pipe dot nl>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Proxy ARP in practice
 Date:  Sun, 29 Feb 2004 17:26:02 +0100
To answer my own post:

> I'm contemplating using proxy arp as an alternative for the filtering
> bridge (which has issues with talking to the bridged network from
> within the LAN). Then, I'll be routing packets instead of bridging
> them, and they will still be subject to the filtering rules. Right?

Ok, this is not going to work either. I can tell the WAN side of 
m0n0wall to pretend to "be" (arp-wise) the boxes in the DMZ so any hosts 
in the WAN will direct packets for these boxes to m0n0wall, but I cannot 
make the DMZ interface of m0n0wall do proxy-arp for the default gateway 
in the WAN, so the DMZ boxes can't find their default gateway. This is 
only possible if I bridge the DMZ with the WAN. So, proxy-arp cannot be 
an alternative to bridging in this situation.

Is the fact that the LAN can't talk to the boxes in the DMZ (when the 
DMZ is bridged with the WAN) regarded as a flaw/bug in the FreeBSD 
bridging code and, as such, eligible for fixing? I only know that Bruce 
said that it would be very hard to fix, but I'm not sure what he meant.
Maybe there is a fundamental reason why this isn't even *supposed* to 
work, in which case maybe m0n0wall itself should provide a workaround or