FreeBSD arp proxy

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Jun 9 13:35:42 UTC 2007


Dominik Zalewski wrote:
> Dear All,
> 
> I have a problem configuring routing. Here is how my setup looks:
> 
> Internet --- ADSL modem (bridge mode) --- FreeBSD BOX --- Switch --- Server 1
>                IPOA: 196.218.x.97         vr1: 196.218.x.98   |    bge0: 196.218.x.100
>                                                               |
>                                                            Server 2
>                                                        eth0: 196.218.x.101
> 
> The idea is to give public IPs to servers behind the FreeBSD firewall. I
> don't want to assign IP addresses to the FreeBSD BOX and use binat. I
> want the servers to have the IPs assigned to their interfaces so I can
> reach them directly from the internet.
> 
> Someone told me that I have to use arp proxy. As far as I know, FreeBSD has
> a builtin arp proxy using the userland arp utility.
> 
> When I added arp -s 196.218.x.100 mac_address_of_server1 perm pub, I
> still couldn't reach 196.218.x.100.
> 
> Of course I will have to add: no nat on $ext_if from { 10.0.0.3,
> 10.0.0.7 } to any.

The usual solution to this sort of problem is to divide up your
allocated range of IP numbers into subnets and set up your firewall
to route one or more of those subnets to the machines behind it.

However, given the numbers you quote I suspect that your network
allocation is 196.218.x.96/29 -- which gives you a network address
(.96), 6 host addresses (.97 -- .102) and a broadcast address (.103).
As you'd need to sacrifice two more of those addresses to divide the
range into two /30 blocks, and you need three host IPs for your back-end
network, that isn't going to be feasible.

It might be possible to reduce this idea to its ultimate level and
set up individual host routes to each of the back-end servers on the 
FreeBSD firewall:

    route add -host 196.218.x.101 -interface 12.34.56.78

where 12.34.56.78 should be replaced by the IP of the interface
plugged into your back-end switch.  '12.34.56.78' should be on a
different network than 192.218.x.96/29 -- so just grab something out
of the RFC1918 address space.  While you're about it, you will
probably find it helps to give your back-end servers all RFC1918
addresses with the routable 192.218.x.96/29 addresses as aliases on
the interfaces. 

You'd need to generate equivalent host routes for each of your back-end
hosts, and you'd need an equivalent host route on the back-end
machines to reach the firewall:

    route add -host 192.168.x.97 12.34.56.78

as well as setting 12.34.56.78 as the 'defaultrouter' in /etc/rc.conf.

Warning: completely untested.  Should work in theory, but...

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
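The two points Matthew makes above (the /29 arithmetic that rules out splitting the allocation, and the per-host routes plus RFC1918-with-public-alias layout on the servers) are easier to verify than to reason about in one's head. The following script is an added worked example, not code from the original mail or from FreeBSD itself. It fills in the unknown octet 'x' as 0 purely as a constructed placeholder, and the 10.0.0.0/24 back-end network, the 10.0.0.1 firewall inside address (standing in for the mail's 12.34.56.78), the alias layout and the interface names are all assumptions; the 10.0.0.3 and 10.0.0.7 server addresses are taken from Dominik's pf rule.

```python
"""Check the /29 arithmetic from the thread and generate the host routes and
server settings Matthew describes.

Added example, not code from the original mail. The third octet 'x' is set
to 0 as a constructed placeholder; the 10.0.0.0/24 back-end network, the
10.0.0.1 firewall inside address and the interface names are assumptions.
"""
import ipaddress

PUBLIC = ipaddress.ip_network("196.218.0.96/29")  # constructed: 'x' := 0
BACKEND = ipaddress.ip_network("10.0.0.0/24")     # assumed RFC1918 back-end net
FW_INSIDE = ipaddress.ip_address("10.0.0.1")      # assumed; plays the mail's 12.34.56.78

# constructed plan: server -> (back-end interface, RFC1918 address, public alias)
SERVERS = {
    "server1": ("bge0", ipaddress.ip_address("10.0.0.3"), ipaddress.ip_address("196.218.0.100")),
    "server2": ("eth0", ipaddress.ip_address("10.0.0.7"), ipaddress.ip_address("196.218.0.101")),
}


def usable_hosts(net):
    """Host addresses of a network, excluding the network and broadcast addresses."""
    return list(net.hosts())


def split_into_two(net, backend_hosts_needed):
    """Split the allocation into two equal halves (two /30s for a /29) and report
    (hosts in front half, hosts in back half, whether the back half is big enough).

    The back half must hold every server plus the firewall's own interface on
    that subnet, which is why two servers need three host addresses there.
    """
    front, back = net.subnets(prefixlen_diff=1)
    n_front = len(usable_hosts(front))
    n_back = len(usable_hosts(back))
    return n_front, n_back, n_back >= backend_hosts_needed


def firewall_routes(fw_inside, servers):
    """route(8) commands for the firewall: one host route per public server
    address, attached to the firewall's own inside interface address.

    Enforces the mail's caveat that the inside address must not lie in the
    public /29, and that every routed address actually belongs to the /29.
    """
    if fw_inside in PUBLIC:
        raise ValueError("inside address must be on a different network than the public /29")
    cmds = []
    for _ifname, _private, public in servers.values():
        if public not in PUBLIC:
            raise ValueError(f"{public} is not inside {PUBLIC}")
        cmds.append(f"route add -host {public} -interface {fw_inside}")
    return cmds


def server_config(name, servers, fw_inside):
    """rc.conf-style settings for one back-end server: RFC1918 primary address,
    the routable address as a /32 alias, and the firewall as default router."""
    ifname, private, public = servers[name]
    return {
        f"ifconfig_{ifname}": f"inet {private} netmask {BACKEND.netmask}",
        f"ifconfig_{ifname}_alias0": f"inet {public} netmask 255.255.255.255",
        "defaultrouter": str(fw_inside),
    }


if __name__ == "__main__":
    hosts = usable_hosts(PUBLIC)
    print(f"{PUBLIC}: network {PUBLIC.network_address}, hosts {hosts[0]}-{hosts[-1]}, "
          f"broadcast {PUBLIC.broadcast_address}")
    print("split into two /30s (front hosts, back hosts, fits):", split_into_two(PUBLIC, 3))
    for cmd in firewall_routes(FW_INSIDE, SERVERS):
        print("firewall:", cmd)
    for name in SERVERS:
        for key, val in server_config(name, SERVERS, FW_INSIDE).items():
            print(f'{name}: {key}="{val}"')
```

Running it shows the /29 yielding six hosts (.97 to .102), the two-/30 split leaving only two host addresses for the back-end side, and one `route add -host ... -interface` line per server; the generated rc.conf lines are a starting point to be adapted to real interface names.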

