 From:  Josh Simoneau <josh at chefjosh dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  proxy arp configuration
 Date:  Thu, 01 Apr 2004 23:24:26 -0500
My firewall is currently a Linux box running shorewall, with WAN, LAN, and 
DMZ ports. I have a handful of IPs, but being that my network is not 
routed, I am using proxy arp. Everything is running great.

Firewall IP: xxx.xxx.48.146
Firewall GW: xxx.xxx.48.145

Server IPs: xxx.xxx.48.147-152
Server GWs: All use xxx.xxx.48.145 (same as firewall)

As you can see, each one of my servers is using a public IP and my ISP's 
gateway. As far as they are concerned, they're connected right to my ISP, 
not behind a firewall. That's the beauty of proxy arp.

I have been experimenting with m0n0wall, and have been very happy with it 
so far. Tonight I spent some time moving our firewall to m0n0wall, but the 
proxy arp part is giving me problems. I am using the same system for both 
the Linux firewall and m0n0wall, so all the MACs tied to the arp requests 
should be the same.

I've read a few posts about proxy arp on m0n0wall, where Manuel refers to 
proxy arp being what allows m0n0wall to answer arp requests for all the 
IPs, and then it has to decide what to do with the traffic. He mentions 
the solution being 1:1 NAT, but I don't quite understand why NAT is 
required or how exactly it should be configured.

I have created individual proxy arp entries for each of the servers, with a 
/32. What's left to configure? If I do need to NAT, can I get an example 
entry, because I am not understanding the need for NAT or how I would go 
about doing this. I just need to know how to tell m0n0wall where to send 
these packets. Shorewall has an "IP ADDRESS PROXYARPED - SOURCE INTERFACE - 
DESTINATION INTERFACE" configuration that I am used to, which tells it 
where to pass the packets off to.