 From:  Josh Simoneau <josh at chefjosh dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] proxy arp configuration
 Date:  Thu, 01 Apr 2004 23:46:48 -0500
From what I understand, interface bridging prevents LAN users from 
accessing servers in the DMZ. Is this true?

Is proxy arp as done on the m0n0wall different from the proxy arp I've come 
to know and understand through shorewall? Shorewall presents proxy arp as 
technology that allows you to use public IPs behind a firewall in a 
non-routed network. This is exactly how I currently use it. If you didn't 
know the firewall was there, you would look at my servers and assume they 
were connected directly to the Internet. This is what I would like to do 
with m0n0wall. Using the same hardware, I want to swap out my shorewall 
firewall for a m0n0wall firewall without having to re-configure my servers.


At 11:34 PM 4/1/2004, you wrote:
>You don't want proxy arp, you want to use interface bridging. That allows
>m0n0wall to pass traffic transparently between two interfaces. Just make
>sure you turn on the "filtering bridge", otherwise your firewall rules are
>bypassed.
>
>Proxy ARP, as far as I've seen, only applies to Server NAT, where you want
>the WAN interface on the firewall to respond for more than 1 NAT'ed ip
>address.
>
>----- Original Message -----
>From: "Josh Simoneau" <josh at chefjosh dot com>
>To: <m0n0wall at lists dot m0n0 dot ch>
>Sent: Thursday, April 01, 2004 11:24 PM
>Subject: [m0n0wall] proxy arp configuration
>
>
> > My firewall is currently a linux box running shorewall, with WAN, LAN, and
> > DMZ ports. I have a handful of IPs, but being that my network is not
> > routed, I am using proxy arp. Everything is running great.
> >
> > Firewall IP: xxx.xxx.48.146
> > Firewall GW: xxx.xxx.48.145
> >
> > Server IPs: xxx.xxx.48.147-152
> > Server GWs: All use xxx.xxx.48.145 (same as firewall)
> >
> > As you can see, each one of my servers is using a public IP and my ISP's
> > gateway. As far as they are concerned, they're connected right to my ISP,
> > not behind a firewall. That's the beauty of proxy arp.
> >
> > I have been experimenting with m0n0wall, and have been very happy with it
> > so far. Tonight I spent some time moving our firewall to m0n0wall, but the
> > proxy arp part is giving me problems. I am using the same system for both
> > the linux firewall and m0n0wall, so all the MACs tied to the arp requests
> > should be the same.
> >
> > I've read a few posts about proxy arp on m0n0wall, where Manuel refers to
> > proxy arp being what allows m0n0wall to answer arp requests for all the
> > IPs, and then it has to decide what to do with the traffic. He mentions
> > the solution being 1:1 NAT, but I don't quite understand why NAT is
> > required or how exactly it should be configured.
> >
> > I have created individual proxy arp entries for each of the servers, with
> > a /32. What's left to configure? If I do need to NAT, can I get an example
> > entry, because I am not understanding the need for NAT or how I would go
> > about doing this. I just need to know how to tell m0n0wall where to send
> > these packets. Shorewall has a "IP ADDRESS PROXYARPED - SOURCE INTERFACE -
> > DESTINATION INTERFACE" configuration that I am used to, which tells it
> > where to pass the packets off to.
> >
> > Regards,
> > Josh
> >
> >
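Added here as an illustration and not code from the thread or from m0n0wall: a small Python model of the two steps the thread keeps separating, the WAN port answering ARP for each /32 proxy ARP entry, and the 1:1 NAT table that then decides where the frame actually goes. Addresses are constructed placeholders (the post masks its real prefix), the WAN MAC is made up, and one proxied address is deliberately left without a NAT entry to show why answering ARP alone is not enough.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses: the post masks its prefix as xxx.xxx.48.x,
# so the RFC 5737 documentation range 203.0.113.0/24 stands in for it.
WAN_MAC = bytes.fromhex("020000000001")          # assumed m0n0wall WAN MAC
ISP_GW = "203.0.113.145"
# One /32 proxy ARP entry per server, as the original post describes.
PROXY_ARP = [ip_network(f"203.0.113.{h}/32") for h in range(147, 153)]
# 1:1 NAT map, public IP -> DMZ host. .152 is left unmapped on purpose to show
# what happens when a proxy ARP entry exists without a NAT target.
NAT_1TO1 = {f"203.0.113.{h}": f"192.168.2.{h}" for h in range(147, 152)}

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2

def build_arp_request(sender_mac, sender_ip, target_ip):
    """ARP 'who-has target_ip' as the ISP gateway would send it on the WAN segment."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST, sender_mac,
                       ip_address(sender_ip).packed, b"\0" * 6,
                       ip_address(target_ip).packed)

def decode_arp(frame):
    f = struct.unpack(ARP_FMT, frame)
    return {"op": f[4], "sha": f[5], "spa": str(ip_address(f[6])),
            "tha": f[7], "tpa": str(ip_address(f[8]))}

def proxy_arp_reply(frame):
    """Answer only for addresses covered by a proxy ARP entry; otherwise stay silent."""
    a = decode_arp(frame)
    if a["op"] != ARP_REQUEST or not any(ip_address(a["tpa"]) in n for n in PROXY_ARP):
        return None
    # Claim the proxied IP with our own WAN MAC, addressed back to the requester.
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY, WAN_MAC,
                       ip_address(a["tpa"]).packed, a["sha"],
                       ip_address(a["spa"]).packed)

def forward_target(public_ip):
    """Proxy ARP only makes the frame land on the WAN port; the 1:1 NAT entry says
    where it goes. A proxied address with no NAT entry is answered on ARP, then dropped."""
    return NAT_1TO1.get(public_ip)

if __name__ == "__main__":
    gw_mac = bytes.fromhex("02000000ff01")   # constructed ISP gateway MAC
    for host in ("203.0.113.147", "203.0.113.152", "203.0.113.200"):
        reply = proxy_arp_reply(build_arp_request(gw_mac, ISP_GW, host))
        print(host, "ARP:", "answered" if reply else "silent",
              "-> DMZ:", forward_target(host))
```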