IP Alias vs Proxy ARP - When to use what & why ?
-
How about checking the comparison table? ;)
https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-comparison.html
Also to jump in what you can (only) do with Proxy ARP addresses:
Scenario OpenVPN "bridging". Bridging VPN is ... "meh" as it can end really badly. So no tap for you, tun it is. But: How about I can give OVPN dial-in clients an IP in an existing LAN/VLAN without it being a bridge mode / tap-style interface?
Enter tun-style OVPN RoadWarrior setup with ProxyARP. You just configure your OVPN server as usual but as tunnel network (e.g. what range the clients will get an IP from), you DON'T use a separate network but a CIDR subsection of your LAN.
Example:
LAN: 172.16.16.0/24
Normal Clients: 172.16.16.64-127 (via DHCP)
Static Thingies: 172.16.16.32-63
Network Thingies: 172.16.16.0-31
Now we can configure VPN to: 172.16.16.128/26. Server will get .129, clients will get .130-191
BUT: If a dialed in VPN client tries to access static or network thingies in "their own range", things will get ugly, as the devices aren't really on the network and the other devices don't know they should send their stuff to pfSense as the devices are dialed in via VPN there.
Solution: Create ProxyARP IP entries for .130-.191 (I think you can even create a range and don't have to set up single IPs) so pfSense does ProxyARP for those IPs and answers the ARP requests on the L2 wire with its own MAC/IP and catches all requests for the ARP'ed Clients.
Voila, you have "bridged" your VPN Clients into your normal LAN. What's the win? Phew, depends. A few setups I've seen, special LAN or MGMT sections have a special set of rules or other devices along the line behind/in front of pfSense are set up to allow access from that specific network, so it would be desirable to have the clients pop up in that network. You get the drift.
Often seen for admin-OVPNs that dial into their mgmt network so they only need one single special network that is e.g. configured in upstream/downstream switches or other firewalls/gateways as "admin/mgmt" and allowed access via rules/ACLs. Or have special NAT outbound IP assigned to them. Possibilities are plentiful :)
Cheers
\jens
-
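As an added worked example (not from the original post), the carve-out above expressed as a small Python planner: it checks that the tunnel network sits inside the LAN and does not collide with the other sections, derives the OpenVPN server and client addresses, and computes the Network-type Proxy ARP VIPs needed to cover the client pool. The address values are constructed to match the post; that pfSense accepts Network-type Proxy ARP VIPs of any mask and that OpenVPN runs with topology subnet are assumptions.

```python
import ipaddress

# Constructed plan mirroring the ranges in the post above (hypothetical values).
LAN = ipaddress.ip_network("172.16.16.0/24")
ALLOCATIONS = {  # name -> (first address, last address) of each LAN section
    "network devices": ("172.16.16.0", "172.16.16.31"),
    "static hosts": ("172.16.16.32", "172.16.16.63"),
    "DHCP clients": ("172.16.16.64", "172.16.16.127"),
}
VPN_TUNNEL = ipaddress.ip_network("172.16.16.128/26")  # carved out of the LAN


def check_carveout(lan, allocations, tunnel):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    if not tunnel.subnet_of(lan):
        problems.append(f"tunnel {tunnel} is not inside LAN {lan}")
    for name, (first, last) in allocations.items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # Two ranges overlap when neither lies entirely before the other.
        if lo <= tunnel.broadcast_address and hi >= tunnel.network_address:
            problems.append(f"{name} ({first}-{last}) overlaps tunnel {tunnel}")
    return problems


def vpn_addresses(tunnel):
    """OpenVPN (tun, topology subnet, assumed) gives the server the first usable
    host and hands clients the rest; the last address of the /26 is the tunnel
    broadcast, so the pool ends one below it."""
    hosts = list(tunnel.hosts())
    return hosts[0], hosts[1], hosts[-1]  # server, first client, last client


def proxy_arp_entries(tunnel):
    """Minimal set of Network-type Proxy ARP VIPs covering the client pool.
    The pool is not CIDR-aligned (it starts one above the server), so several
    entries are needed; summarize_address_range yields the smallest set."""
    _, first_client, last_client = vpn_addresses(tunnel)
    return [str(n) for n in ipaddress.summarize_address_range(first_client, last_client)]


if __name__ == "__main__":
    for line in check_carveout(LAN, ALLOCATIONS, VPN_TUNNEL) or ["plan is consistent"]:
        print(line)
    server, first, last = vpn_addresses(VPN_TUNNEL)
    print(f"OpenVPN server {server}, client pool {first}-{last}")
    print("Proxy ARP VIPs:", ", ".join(proxy_arp_entries(VPN_TUNNEL)))
```

Running it with a tunnel that overlaps the DHCP section (for example 172.16.16.64/26) reports the collision instead of a clean plan.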
Posted this before seeing JeGr's post ... reading ....
Hmm maybe I see a use now.
Proxy ARP is kind of an interface-less VIP pass through:
Combined with NAT it would be a "nat inside outside"
Then it ought to use fewer cycles too, I suppose.
/Bingo
-
Besides having a (V)IP, that isn't really located on the device but further down/up the wire, I haven't seen much use in nowadays setups with ProxyARP IPs but that case is a really nice touch for many setups that formerly used some other "darkmagic"(tm) Software that bridged VPN into their network or that like to use special inbound/outbound ACLs for a specific IP group/network. :)
-
@JeGr said in IP Alias vs Proxy ARP - When to use what & why ?:
How about checking the comparison table? ;)
https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-comparison.html
Also to jump in what you can (only) do with Proxy ARP addresses:
..
..
..
Cheers
\jens
Yddrff that was "Sneaky"
Where did KISS go
Excellent example, and "I would never have thought of ....."
But nice to know (bookmarked)
Thanx Jens
/Bingo
Who was not "Sneaky", and had to permit my Lan adm AND OVPN RoadWarrior adm networks on all the remote sites (for TFW mgmt access)
-
For what it's worth: IMHO best way is to do it with separate subnets and clean routing, so perhaps you weren't sneaky but did a clean setup as it should be :D
-
@JeGr said in IP Alias vs Proxy ARP - When to use what & why ?:
For what it's worth: IMHO best way is to do it with separate subnets and clean routing, so perhaps you weren't sneaky but did a clean setup as it should be :D
Agreed
But if you have no control over the "remote box" (CPE), and want to be able to access it from a new dial-in scope.
The sneaky is nice to have in the "darkmagic"(tm) (love that word) toolbox
/Bingo
-
@bingo600 said in IP Alias vs Proxy ARP - When to use what & why ?:
The sneaky is nice to have in the "darkmagic"(tm) (love that word) toolbox
Absolutely. Those nice little hacks you can/could do are the bread&butter of your toolset and what makes my customers and clients happy ;)
Did I mention there's also such a hidden gem in outbound NATting in relation with properly routed public subnets?
-
@JeGr said in IP Alias vs Proxy ARP - When to use what & why ?:
Did I mention there's also such a hidden gem in outbound NATting in relation with properly routed public subnets?
More...More...
/Bingo
-
Just a quicky:
- You have a public WAN IP
- You have another subnet routed to said WAN IP (let's say a /30 as the ISPs are greedy as f*** these days)
- So you get 2 additional usable IPs out of that. It's a /30 right?
Nope ;) You can use those 2 IPs for services/servers down the wire, for sure. Even create that nice little /30 on another interface and setup a server to have a real public IP. Or you could BiNAT both IPs to 2 servers. Right.
But you can also "exploit", that your ISP is routing that /30 to you. Completely. To do what you want. So how about setting up the network or the broadcast IP as an "IP Alias" type IP on your pfSense and use it as NAT outgoing IP for your VLAN1 network? And the other one for your VLAN2 network? That leaves your pfSense WAN IP AND those other 2 real IPs from the /30 to your handling as you please without using/burning one of them with outgoing traffic from your NAT.
Just a little tidbit. You can use the network/broadcast IP that way ONLY because outbound NAT etc. aren't actually services that listen on a specific interface/IP but just "rewrite" IP information. And as you get that /30 routed to you from the ISP, returning traffic even to the netmask/broadcast IP is normally coming back without a hitch and retranslated to the origin via PF's filter engine. :) But where it works and where not needs a bit of fiddling or searching around.
Saves up on sparse IPs ;)
-
@JeGr
Hmm .. Didn't i.e. Cisco add "drop broadcast" traffic by default to their IFs?
Must find an ISP that runs Juniper
I was lucky ... Have a /27 at work
Edit: BiNAT ??
/Bingo
-
That shouldn't interfere with a routed subnet as that is "customers property" normally. I'd be pissed if they filtered traffic of my IP space before it gets to me :)
Edit: BiNAT ??
1:1 NAT is also called BiNAT (as it's mapping in- and outbound).
-
@JeGr
Ahh so the new /30 is not given as a "Link-net", just a "range"
Nice "abuse"
Soon you'll prob. get a /31 as link-net
https://tools.ietf.org/html/rfc3021
If I refer to this post .. Doubling your Public IP range
Do you think I could argue that I should have a /26
/Bingo
-
@bingo600 said in IP Alias vs Proxy ARP - When to use what & why ?:
Do you think I could argue that I should have a /26
-
Hello, realize this is an older thread but looking to gain insight on the subject as well.
I have a /26 public IP block, and currently use ProxyARP and 1:1 NAT to route traffic to Hyper-V VMs/web servers. I'll be adding subnets using VLANs to further isolate some new VMs. Is there any reason I should be using IP Aliases instead, or is ProxyARP fine for this application?
Thanks for any enlightenment!