problem with setting nat

Artyom Viklenko artem at aws-net.org.ua
Tue Aug 23 10:42:16 UTC 2011 

23.08.2011 13:27, Janne Snabb пишет:
> On Tue, 23 Aug 2011, Bartek W. aka Mastier wrote:
>
>> I completely don't see the point of using arp-proxy at all.
>> Can you enlight me?
>
> I do not know about the particular needs of the OP. I have not been
> paying attention. Sorry if I misunderstood something.
>
> But in real world:
>
>   - The upstream router is often managed by the ISP and there might
>     be no way to put a static route towards the firewall in that router.

In any case if you want to use some globally rotuable IPs for whatever
purpose on your side, ISP already have to configure route for these IPs
toward your (customer) router. Typically, this is exactly static route
(which then distributed on ISP's backbone using OSPF or like).

If you bild some intranet with nat on some places, there is no changes,
but IP space.

>   - The available external IP block may be too small to allow subnetting
>     it to "outside of the firewall" and "inside of the firewall" networks.
>     This is becoming more and more of an issue as the IPv4 address space
>     has already run out but people have not migrated to IPv6.

You can use small IP block on your internal LAN and use some of them on
firewall itself not on "outside of the firewall".

>   - The IP addresses might have been previously assigned without thinking
>     that there will be a firewall in future. Then later it is decided that a
>     firewall is needed but it is not possible to renumber the IP addresses
>     of every host (due to lack of budget, skills, documentation, etc).

Bridging firewall can solve this problem.

> All of the above are very common situations in small to medium
> businesses. Proxy ARP on the firewall solves all of them easily.
> You just turn it on and everything works.

If your ISP and moreover the world doesn't know how to reach
ip v.x.y.z, proxy arp will not help at all.

> (Please do not misunderstand me: I am not saying that it is an
> elegant solution. However in many cases it is the only practical
> solution.)
>
> --
> Janne Snabb / EPIPE Communications
> snabb at epipe.com - http://epipe.com/
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"


-- 
            Sincerely yours,
                             Artyom Viklenko.
-------------------------------------------------------
artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem at viklenko.net   | JID: artem at jabber.aws-net.org.ua
FreeBSD: The Power to Serve   -  http://www.freebsd.org

More information about the freebsd-pf mailing list