ProxyARP Outbound Proxy Pool Application Question
-
I am trying to set up a CIDR /26 IPv4 Address Block using ProxyARP to serve as an Outbound Proxy Pool for connections from inside a network, for traffic leaving the pfSense Router.
.1 is the Gateway of this /26, and so x.x.x.2 through x.x.x.62 would be the usable address range.
What I want to do is to have a non-routable pool of machines behind the pfSense Router that will be using locally-routable Static IPs (a 10.10.x.0/24 network).
Each of the machines on the internal (10.10.x.0/26) network would use the pfSense's internal (10.10.x.1) IP Address as its Gateway.
The pfSense Router would then use the ProxyARP pool to send outbound requests randomly via one of the 60 usable IP Addresses in the /26 pool, through the /26's .1 Gateway.
[Internet]
|
[/26 GW .1]
|
| > Originating Proxy Pool /26 Addresses
[pfSense]
| > Internal Network /24 Gateway (10.10.x.1)
|
[Local Machine 10.10.x.x]
Thus, the pfSense Router will select random IPs from the ProxyARP subnet for outgoing traffic, and so repeated requests (from the same machine on the internal 10.10.x.0/24 network) should show different originating public IPs (randomly chosen from the ProxyARP Pool) as their originating public address.
I've been poking at this for quite a while but have not been able to get it working in the above manner.
Is there a guide or any kind of HOW-TO available that would help me pull this together?
I've been looking but I haven't found anything useful yet.
-
@Wentil-0
That should be straightforward. What did you do already? What are the difficulties?
You have to add each unique IP of the public range as a virtual to the WAN first.
Create an alias for the IP range to use.
This can be stated then in the outbound NAT rule for translation in conjunction with random or round robin.
-
@viragomann So, ProxyARP isn't needed? Just make individual Virtual IPs for each of the addresses to be used, and then specify that subnet in the Outbound NAT?
-
@Wentil-0 said in ProxyARP Outbound Proxy Pool Application Question:
So, ProxyARP isn't needed?
Sure it is needed. But this is for a single IP only.
If you want to use the whole subnet on pfSense, you have to assign all IPs out of it to the interface, except network, gateway and broadcast. Otherwise the IPs would not be found in the WAN subnet.
For a bigger subnet, best practice is to have an interface IP out of it and route the subnet to this IP. In this case you would not need virtual IPs on the interface.
and then specify that subnet in the Outbound NAT?
As I said, create an alias for the exact range you want to use. You cannot use the whole subnet, since this would include the gateway and broadcast addresses.
-
@viragomann Thanks, I got it working. To clarify it for anyone who may find this in the coming years by Google and be in need of a HOW-TO, the process consists of three steps:
- Create a ProxyARP pool that covers the intended External IP subnet
- Add IP Aliases for each of the External IPs from that subnet you want in the outbound pool
- Add an Outbound NAT with the ProxyARP as its outgoing network