Netgate Discussion Forum

    IP Alias vs Proxy ARP - When to use what & why ?

    • bingo600

      Posted this before seeing JeGr's post ... reading ....

      👷

      Hmm, maybe I see a use now.

      Proxy ARP is kind of an interface-less VIP pass-through:
      Combined with NAT it would be a: "nat inside outside"

      Then it ought to use fewer cycles too, I suppose.

      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

      • JeGr LAYER 8 Moderator

        Besides having a (V)IP, that isn't really located on the device but further down/up the wire, I haven't seen much use in nowadays setups with ProxyARP IPs but that case is a really nice touch for many setups that formerly used some other "darkmagic"(tm) Software that bridged VPN into their network or that like to use special inbound/outbound ACLs for a specific IP group/network. :)

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        • bingo600 @JeGr

          @JeGr said in IP Alias vs Proxy ARP - When to use what & why ?:

          How about checking the comparison table? ;)

          https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-comparison.html

          Also to jump in what you can (only) do with Proxy ARP addresses:

          ..
          ..
          ..

          Cheers
          \jens

          Yddrff that was "Sneaky" 👍
          Where did KISS go 🙄

          Excellent example, and "I would never have thought of ....."

          But nice to know (bookmarked)

          Thanx Jens

          /Bingo
          Who was not "Sneaky", and had to permit my LAN adm AND OVPN RoadWarrior adm networks on all the remote sites (for TFW mgmt access)

          • JeGr LAYER 8 Moderator

            For what it's worth: IMHO best way is to do it with separate subnets and clean routing, so perhaps you weren't sneaky but did a clean setup as it should be :D

            • bingo600 @JeGr

              @JeGr said in IP Alias vs Proxy ARP - When to use what & why ?:

              For what it's worth: IMHO best way is to do it with separate subnets and clean routing, so perhaps you weren't sneaky but did a clean setup as it should be :D

              Agreed

              But if you have no control over the "remote box" (CPE), and want to be able to access it from a new dial-in scope,
              the sneaky is nice to have in the "darkmagic"(tm) (love that word) toolbox

              /Bingo

              • JeGr LAYER 8 Moderator

                @bingo600 said in IP Alias vs Proxy ARP - When to use what & why ?:

                The sneaky is nice to have in the "darkmagic"(tm) (love that word) toolbox

                Absolutely. Those nice little hacks you can/could do are the bread&butter of your toolset and what makes my customers and clients happy ;)

                Did I mention there's also such a hidden gem in outbound NATting in relation with properly routed public subnets? 😁

                • bingo600 @JeGr

                  @JeGr said in IP Alias vs Proxy ARP - When to use what & why ?:

                  Did I mention there's also such a hidden gem in outbound NATting in relation with properly routed public subnets? 😁

                  More...More...

                  /Bingo

                  • JeGr LAYER 8 Moderator

                    Just a quickie:

                    • You have a public WAN IP
                    • You have another subnet routed to said WAN IP (let's say a /30 as the ISPs are greedy as f*** these days)
                    • So you get 2 additional usable IPs out of that. It's a /30 right?

                    Nope ;) You can use those 2 IPs for services/servers down the wire, for sure. Even create that nice little /30 on another interface and set up a server to have a real public IP. Or you could BiNAT both IPs to 2 servers. Right.

                    But you can also "exploit" that your ISP is routing that /30 to you. Completely. To do what you want. So how about setting up the network or the broadcast IP as an "IP Alias" type IP on your pfSense and use it as NAT outgoing IP for your VLAN1 network? And the other one for your VLAN2 network? That leaves your pfSense WAN IP AND those other 2 real IPs from the /30 to your handling as you please without using/burning one of them with outgoing traffic from your NAT.

                    Just a little tidbit. You can use the network/broadcast IP that way ONLY, because outbound NAT etc. aren't actually services that listen on a specific interface/IP but just "rewrite" IP information. And as you get that /30 routed to you from the ISP, returning traffic even to the netmask/broadcast IP is normally coming back without a hitch and retranslated to the origin via PF's filter engine. :) But where it works and where not needs a bit of fiddling or searching around.

                    Saves up on sparse IPs ;)

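Added example (not part of the thread and not pfSense's own code): a Python sketch of the address plan described in the post above, for a prefix that the ISP routes to the WAN IP. The addresses are documentation ranges, the interface name `wan0` and the VLAN networks are assumptions, and the emitted lines are pf-style `nat` rules for illustration only, not what pfSense generates.

```python
import ipaddress

def plan_outbound_nat(wan_ip, routed_prefix, vlan_nets, wan_if="wan0"):
    """Use the network and broadcast addresses of a *routed* IPv4 prefix as
    outbound NAT addresses so its host addresses stay free for servers."""
    wan = ipaddress.IPv4Address(wan_ip)
    routed = ipaddress.IPv4Network(routed_prefix)  # strict: rejects host bits
    if wan in routed:
        # On-link ("link net") prefix: network/broadcast keep their normal
        # meaning on the segment, so the trick from the thread does not apply.
        raise ValueError(f"{routed} contains the WAN IP, so it is not a routed range")
    if routed.prefixlen >= 31:
        # /31 (RFC 3021) and /32 have no separate network/broadcast address.
        raise ValueError(f"{routed} has no network/broadcast address to reclaim")
    spare = [routed.network_address, routed.broadcast_address]
    if len(vlan_nets) > len(spare):
        raise ValueError("only two reclaimable addresses per routed prefix")
    rules = []
    for (name, net), nat_ip in zip(vlan_nets.items(), spare):
        src = ipaddress.IPv4Network(net)
        rules.append(f"nat on {wan_if} inet from {src} to any -> {nat_ip}  # {name}")
    return {
        "ip_alias_vips": [str(a) for a in spare],        # add as "IP Alias" VIPs
        "free_hosts": [str(h) for h in routed.hosts()],  # still free for servers / 1:1 NAT
        "nat_rules": rules,
    }

# Constructed sample values (RFC 5737 documentation ranges, assumed VLAN nets).
SAMPLE = plan_outbound_nat(
    wan_ip="192.0.2.10",
    routed_prefix="198.51.100.8/30",
    vlan_nets={"VLAN1": "10.0.1.0/24", "VLAN2": "10.0.2.0/24"},
)

if __name__ == "__main__":
    for rule in SAMPLE["nat_rules"]:
        print(rule)
    print("free for servers:", ", ".join(SAMPLE["free_hosts"]))
```

The first check encodes the condition raised later in the thread: the prefix has to be a routed "range", not the link net the WAN IP itself lives in.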
                    • bingo600 @JeGr

                      @JeGr
                      Hmm .. Didn't i.e. Cisco add "drop broadcast" traffic, default to their IFs?
                      Must find an ISP that runs Juniper 😊

                      I was lucky ... Have a /27 at work

                      Edit: BiNAT ??

                      /Bingo

                      • JeGr LAYER 8 Moderator

                        That shouldn't interfere with a routed subnet as that is "customers property" normally. I'd be pissed if they filtered traffic of my IP space before it gets to me :)

                        Edit: BiNAT ??

                        1:1 NAT is also called BiNAT (as it's mapping in- and outbound).

                        • bingo600 @JeGr

                          @JeGr
                          Ahh so the new /30 is not given as a "Link-net", just a "range"
                          Nice "abuse"

                          Soon you'll prob. get a /31 as link-net
                          https://tools.ietf.org/html/rfc3021

                          If I refer to this post .. Doubling your Public IP range
                          Do you think I could argue that I should have a /26 😊 😊

                          /Bingo

                          • JeGr LAYER 8 Moderator

                            @bingo600 said in IP Alias vs Proxy ARP - When to use what & why ?:

                            Do you think I could argue that I should have a /26

                            😂

                            • bingo600

                              @JeGr & @JKnott
                              Thank you for taking your time to enlighten me.
                              I just love to get more tools in my "darkmagic"(tm) toolbox

                              Thanx guyzz

                              /Bingo

                              • wesleywillis

                                Hello, realize this is an older thread but looking to gain insight on the subject as well.

                                I have a /26 public IP block, and currently use ProxyARP and 1:1 NAT to route traffic to Hyper-V VMs/web servers. I'll be adding subnets using VLANs to further isolate some new VMs. Is there any reason I should be using IP Aliases instead, or is ProxyARP fine for this application?

                                Thanks for any enlightenment!

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.