FreeBSD arp proxy

Dominik Zalewski dzalewski at open-craft.com
Sat Jun 9 13:50:43 UTC 2007


On Saturday 09 June 2007 04:35:25 pm Matthew Seaman wrote:
> Dominik Zalewski wrote:
> > Dear All,
> >
> > I have a problem configuring routing. Here is how my setup looks:
> >
> > Internet - - - ADSL modem (bridge mode) - - - FreeBSD BOX - - - - - - -
> > Switch - - - - - - - Server 1 IPOA: 196.218.x.97        vr1: 196.218.x.98
> >            |              bge0: 196.218.x.100
> >
> > Server 2 eth0: 196.218.x.101
> >
> > The idea is to give public IPs to servers behind the FreeBSD firewall. I
> > don't want to assign IP addresses to the FreeBSD BOX and use binat. I
> > want the servers to have the IPs assigned to their interfaces so I can reach
> > them directly from the internet.
> >
> > Someone told me that I have to use arp proxy. As far as I know, FreeBSD has a
> > builtin arp proxy using the userland arp utility.
> >
> > When I added arp -s 196.218.x.100 mac_address_of_server1 perm pub, I
> > still couldn't reach 196.218.x.100.
> >
> > Of course I will have to add: no nat on $ext_if from { 10.0.0.3,
> > 10.0.0.7 } to any.
>
> The usual solution to this sort of problem is to divide up your
> allocated range of IP numbers into subnets and set up your firewall
> to route one or more of those subnets to the machines behind it.
>
> However, given the numbers you quote I suspect that your network
> allocation is 196.218.x.96/29 -- which gives you a network address
> (.96), 6 host addresses (.97 -- .102) and a broadcast address (.103).
> As you'd need to sacrifice two more of those addresses to divide the
> range into two /30 blocks, and you need three host IPs for your back-end
> network, that isn't going to be feasible.
>
> It might be possible to reduce this idea to its ultimate level and
> set up individual host routes to each of the back-end servers on the
> FreeBSD firewall:
>
>     route add -host 196.218.x.101 -interface 12.34.56.78
>
> where 12.34.56.78 should be replaced by the IP of the interface
> plugged into your back-end switch.  '12.34.56.78' should be on a
> different network than 192.218.x.96/29 -- so just grab something out
> of the RFC1918 address space.  While you're about it, you will
> probably find it helps to give your back-end servers all RFC1918
> addresses with the routable 192.218.x.96/29 addresses as aliases on
> the interfaces.
>
> You'd need to generate equivalent host routes for each of your back-end
> hosts, and you'd need an equivalent host route on the back-end
> machines to reach the firewall:
>
>     route add -host 192.168.x.97 12.34.56.78
>
> as well as setting 12.34.56.78 as the 'defaultrouter' in /etc/rc.conf.
>
> Warning: completely untested.  Should work in theory, but...
>
> 	Cheers,
>
> 	Matthew

I bridged vr1 and rl1. Everything seems to work fine :)

Thanks anyway,

Dominik
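Matthew's subnet arithmetic and his host-route alternative, worked through as an added Python example (not code from the thread). It assumes the documentation prefix 203.0.113.96/29 in place of the unknown 196.218.x.96/29, 10.0.0.1 as the RFC1918 address of the firewall's inside interface (Matthew's 12.34.56.78 placeholder), and FreeBSD rc.conf static_routes syntax for the generated lines.

```python
import ipaddress

# Constructed stand-in for the 196.218.x.96/29 allocation in the thread
# ('x' is unknown, so the documentation range 203.0.113.0/24 is used).
ALLOCATION = "203.0.113.96/29"


def usable_hosts(net):
    """Return (network, [usable hosts], broadcast) for an IPv4 prefix."""
    n = ipaddress.ip_network(net, strict=True)
    return (str(n.network_address),
            [str(h) for h in n.hosts()],
            str(n.broadcast_address))


def split_fits(net, backend_servers):
    """Matthew's objection: split the block into two halves (two /30s for a
    /29) and check whether one half can hold all back-end servers plus the
    firewall's own address in that half.  Each /30 loses its own network and
    broadcast address, so only two hosts remain per half."""
    n = ipaddress.ip_network(net)
    halves = list(n.subnets(new_prefix=n.prefixlen + 1))
    needed = backend_servers + 1          # servers + firewall inside address
    return any(len(list(h.hosts())) >= needed for h in halves), halves


def host_routes(backend_ips, inside_if_ip, firewall_public_ip):
    """Matthew's alternative: a /32 route per back-end host on the firewall
    pointing at its inside (RFC1918) interface, and on each server a host
    route back to the firewall's routable address plus a default router.
    Returned as rc.conf lines (FreeBSD static_routes / route_<name> syntax)."""
    names = [f"srv{i}" for i, _ in enumerate(backend_ips, 1)]
    firewall = [f'static_routes="{" ".join(names)}"']
    for name, ip in zip(names, backend_ips):
        firewall.append(f'route_{name}="-host {ip} -interface {inside_if_ip}"')
    server = [
        'static_routes="fw"',
        f'route_fw="-host {firewall_public_ip} {inside_if_ip}"',
        f'defaultrouter="{inside_if_ip}"',
    ]
    return firewall, server


if __name__ == "__main__":
    print(usable_hosts(ALLOCATION))
    print(split_fits(ALLOCATION, backend_servers=3))
    fw, srv = host_routes(["203.0.113.100", "203.0.113.101"],
                          "10.0.0.1", "203.0.113.97")
    print("\n".join(fw + srv))
```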
