Netgate Discussion Forum

IP Alias vs Proxy ARP - When to use what & why ?

HA/CARP/VIPs
    • bingo600

      I've been reading here
      https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-addresses.html

      The Alias (VIP) seems to be the "Cisco" "ip address xxxxxx secondary" lookalike.
      And you can access pfSense services (e.g. DNS or ...)

      When and why would you use a Proxy ARP alias instead?

      TIA
      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

      • JKnott @bingo600

        @bingo600

        My only experience with proxy arp was when I set up a dial up server on Red Hat Linux. My understanding is that a proxy arp returns its own MAC address for a device located elsewhere, as in the example of the dial in client at the other end of the phone line. An alias is just a different address for the same device.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • bingo600 @JKnott

          @JKnott said in IP Alias vs Proxy ARP - When to use what & why ?:

          @bingo600

          My only experience with proxy arp was when I set up a dial up server on Red Hat Linux. My understanding is that a proxy arp returns its own MAC address for a device located elsewhere, as in the example of the dial in client at the other end of the phone line.

          Yep, that is my understanding too.

          Maybe Proxy ARP just uses less CPU cycles.
          And it is prob. more secure as a WAN alias, as no pfSense services will respond, or ??

          An alias is just a different address for the same device.

          But the Alias IP also has to respond to ARP, or no L2 comms.

          Maybe some "Guru" will chip in
          @johnpoz

          /Bingo

          • JKnott @bingo600

            @bingo600 said in IP Alias vs Proxy ARP - When to use what & why ?:

            Maybe Proxy ARP just uses less CPU cycles.

            No, as I mentioned, they're used for entirely different purposes. An alias wouldn't do anything for the device at the other end of the phone line. Years ago, serial connections, whether dial up phone, ISDN, fractional T1 or other were often used to connect computers or networks. They did not use our current understanding of networking over Ethernet and so had to be handled differently. You will see that sort of thing on the Frame Relay section of Cisco training.

            Incidentally, did you know you don't even need an IP address for routing? On a point to point link, all you need is the interface ID, as there is only one other device on that link. In fact, if you look at how routing works within a Cisco router, you will see that a route passes through 0.0.0.0 and then through some interface.

            • bingo600 @JKnott

              @JKnott said in IP Alias vs Proxy ARP - When to use what & why ?:

              @bingo600 said in IP Alias vs Proxy ARP - When to use what & why ?:

              Maybe Proxy ARP just uses less CPU cycles.

              No, as I mentioned, they're used for entirely different purposes. An alias wouldn't do anything for the device at the other end of the phone line. Years ago, serial connections, whether dial up phone, ISDN, fractional T1 or other were often used to connect computers or networks. They did not use our current understanding of networking over Ethernet and so had to be handled differently. You will see that sort of thing on the Frame Relay section of Cisco training.

              Something must have slipped my mind.
              15 years ago I ran a large Cisco FrameRelay network w. 300+ sites (pharmacies).

              And a few 3840's w. ISDN PRI - for dial-in.

              I can't ever remember I had to do proxy ARP ... or ...
              I do remember setting SLARP (on the central (hub) box), in order to autoconfigure the remote router, so it could be auto-provisioned, all the way up, from a factory reset (era start / reload).
              Actually worked excellently, and the "runners" were super happy that the replacement box "just came up".

              Incidentally, did you know you don't even need an IP address for routing? On a point to point link, all you need is the interface ID, as there is only one other device on that link. In fact, if you look at how routing works within a Cisco router, you will see that a route passes through 0.0.0.0 and then through some interface.

              Do you mean
              https://tools.ietf.org/html/rfc3021

              /Bingo

              • bingo600

                After reading this
                https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-comparison.html

                It seems to me that VIP Alias can do everything that VIP Proxy ARP can, and answer to pings and bind to services.

                I still don't get 100% why one would use Proxy ARP on a pfSense.
                Maybe it's the ability to set up a group of VIPs w. one entry.

                /Bingo

                • JKnott @bingo600

                  @bingo600 said in IP Alias vs Proxy ARP - When to use what & why ?:

                  @JKnott said in IP Alias vs Proxy ARP - When to use what & why ?:

                  @bingo600 said in IP Alias vs Proxy ARP - When to use what & why ?:

                  Maybe Proxy ARP just uses less CPU cycles.

                  No, as I mentioned, they're used for entirely different purposes. An alias wouldn't do anything for the device at the other end of the phone line. Years ago, serial connections, whether dial up phone, ISDN, fractional T1 or other were often used to connect computers or networks. They did not use our current understanding of networking over Ethernet and so had to be handled differently. You will see that sort of thing on the Frame Relay section of Cisco training.

                  Something must have slipped my mind.
                  15 years ago I ran a large Cisco FrameRelay network w. 300+ sites (pharmacies).

                  And a few 3840's w. ISDN PRI - for dial-in.

                  I can't ever remember I had to do proxy ARP ... or ...
                  I do remember setting SLARP (on the central (hub) box), in order to autoconfigure the remote router, so it could be provisioned, all the way up, from a factory reset (era start / reload).
                  Actually worked excellently, and the "runners" were super happy that the replacement box "just came up".

                  I guess I didn't phrase that correctly. We're all accustomed to Ethernet, where an ARP request is sent out, etc., to determine the MAC address of one device, among many, on the LAN. Serial connections don't work that way, so there has to be some means of reaching the remote device. In the dial up server I set up, that was done with proxy arp. Frame relay was just another example of a serial connection, not necessarily one that used proxy arp, though that is also possible. I'd have to dig up my CCNA training material to refresh my memory.

                  Incidentally, did you know you don't even need an IP address for routing? On a point to point link, all you need is the interface ID, as there is only one other device on that link. In fact, if you look at how routing works within a Cisco router, you will see that a route passes through 0.0.0.0 and then through some interface.

                  Do you mean
                  https://tools.ietf.org/html/rfc3021

                  No, that's for a point to point link with a /31 subnet mask. At one time it was thought a /30 was the longest usable mask and I believe Windows still does that. Linux doesn't. What I was referring to was on routers, 0.0.0.0 is an address that's used as an internal default route and the router would then determine which interface would be used to reach the destination. However, this provides an example for comparison with proxy arp. In this instance, a peer to peer connection is established over some network protocol. It could be a VPN or other tunnel. In the process a virtual interface is created. With a proxy arp, some device says it's the remote device and so frames for that remote device are sent to the local device for handling. In the server I set up, that would be the Linux box. Whenever it saw an arp request for the remote device, it would ack the request, take the packet and send it over the serial link to the remote device. There was no separate virtual interface.


                  • bingo600 @JKnott

                    @JKnott

                    I have mostly "bitched" about proxy ARP, when it was default on Cisco interfaces.
                    It made PCs w/o having a def-gw set work 😠

                    Cisco played nice, and "helped" the misconfigured devices.

                    I do see a use for a proxy-ARP-like function, for e.g. "outside" VIPs, if you want to utilize several public IPs.

                    Or as I had to do last week, when "killing" an M$ AD server that had a kazillion clients (not configurable by me) doing DNS requests to the IP. But I made an Alias VIP on the old IP addy of the AD server.

                    I just don't get why I would not use an Alias VIP, instead of a Proxy ARP VIP.

                    /Bingo

                    • JeGr LAYER 8 Moderator

                      How about checking the comparison table? ;)

                      https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-comparison.html

                      Also, to jump in on what you can (only) do with Proxy ARP addresses:

                      Scenario: OpenVPN "bridging". Bridging VPN is ... "meh", as it can end really badly. So no tap for you, tun it is. But: how about giving OVPN dial-in clients an IP in an existing LAN/VLAN without it being a bridge-mode / tap-style interface?

                      Enter tun-style OVPN RoadWarrior setup with ProxyARP. You just configure your OVPN server as usual, but as tunnel network (i.e. the range the clients will get an IP from) you DON'T use a separate network but a CIDR subsection of your LAN.

                      Example:

                      LAN: 172.16.16.0/24
                      Normal Clients: 172.16.16.64-127 (via DHCP)
                      Static Thingies: 172.16.16.32-63
                      Network Thingies: 172.16.16.0-31

                      Now we can configure the VPN to 172.16.16.128/26. The server will get .129, clients will get .130-.191.

                      BUT: If a dialed-in VPN client tries to access static or network thingies in "their own range", things will get ugly, as the devices aren't really on the network and the other devices don't know they should send their stuff to pfSense, as the devices are dialed in via VPN there.

                      Solution: Create ProxyARP IP entries for .130-.191 (I think you can even create a range and don't have to set up single IPs) so pfSense does ProxyARP for those IPs and answers the ARP requests on the L2 wire with its own MAC/IP and catches all requests for the ARP'ed clients.

                      Voila, you have "bridged" your VPN clients into your normal LAN. What's the win? Phew, depends. In a few setups I've seen, special LAN or MGMT sections have a special set of rules, or other devices along the line behind/in front of pfSense are set up to allow access from that specific network, so it would be desirable to have the clients pop up in that network. You get the drift.

                      Often seen for admin-OVPNs that dial into their mgmt network, so they only need one single special network that is e.g. configured in upstream/downstream switches or other firewalls/gateways as "admin/mgmt" and allowed access via rules/ACLs. Or have a special NAT outbound IP assigned to them. Possibilities are plentiful :)

                      Cheers
                      \jens

                      Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

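As an added example (not code from the thread, pfSense or OpenVPN), the Python below checks the address carve-out in the post above, derives the Proxy ARP entries pfSense needs, and models which ARP requests it then answers on the LAN wire; the pfSense LAN IP and MAC are constructed, and the client pool assumes OpenVPN's subnet topology.

```python
"""Plan check for the tun-mode OpenVPN + Proxy ARP layout described above.

Added example, not code from the thread or from pfSense/OpenVPN. It checks
the LAN carve-out, derives the Proxy ARP host list and models which ARP
requests pfSense then answers on the LAN wire. Addresses follow the plan in
the post; the pfSense LAN IP and its MAC are constructed.
"""
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("172.16.16.0/24")
# Existing LAN allocations from the post, as inclusive ranges.
ALLOCATIONS = {
    "network thingies": ("172.16.16.0", "172.16.16.31"),
    "static thingies": ("172.16.16.32", "172.16.16.63"),
    "normal clients (DHCP)": ("172.16.16.64", "172.16.16.127"),
}
VPN_TUNNEL = IPv4Network("172.16.16.128/26")  # CIDR subsection of LAN, not a separate net
PFSENSE_LAN_IP = IPv4Address("172.16.16.1")   # assumption
PFSENSE_MAC = "02:00:00:00:00:01"             # constructed


def validate_plan(lan, tunnel, allocations):
    """Return a list of problems; an empty list means the carve-out is safe."""
    lan, tunnel = IPv4Network(lan), IPv4Network(tunnel)
    problems = []
    if not tunnel.subnet_of(lan):
        problems.append(f"tunnel {tunnel} is not a subsection of LAN {lan}")
    for name, (lo, hi) in allocations.items():
        lo, hi = IPv4Address(lo), IPv4Address(hi)
        # Two inclusive ranges are disjoint only if one ends before the other starts.
        if not (tunnel.broadcast_address < lo or tunnel.network_address > hi):
            problems.append(f"tunnel {tunnel} overlaps '{name}' ({lo}-{hi})")
    if lan.network_address in tunnel or lan.broadcast_address in tunnel:
        problems.append(f"tunnel {tunnel} swallows the LAN network/broadcast address")
    return problems


def proxy_arp_hosts(tunnel):
    """Split the tunnel into the server's own address and the client pool.

    Assumes OpenVPN's subnet topology: the first host (.129) is the server's
    tun address, clients are handed .130 up to the last host (.190), and the
    tunnel broadcast (.191) is never assigned. Following the post, the Proxy
    ARP entries cover the client pool.
    """
    hosts = list(IPv4Network(tunnel).hosts())
    return hosts[0], frozenset(hosts[1:])


def arp_reply(target, proxy_hosts, proxy_arp_enabled=True):
    """Model of pfSense's LAN-side ARP responder.

    Returns the MAC pfSense puts in its reply, or None when nobody on the
    wire claims the address: the "things will get ugly" case, a LAN host
    asking for a dialed-in client while Proxy ARP is not configured.
    """
    target = IPv4Address(target)
    if target == PFSENSE_LAN_IP:
        return PFSENSE_MAC
    if proxy_arp_enabled and target in proxy_hosts:
        return PFSENSE_MAC
    return None


def ips_sharing_mac(arp_table, mac):
    """Audit helper: addresses a LAN host has resolved to the same MAC.

    One MAC answering for dozens of IPs is exactly what ARP-spoofing
    monitors alarm on, so the Proxy ARP set should be documented and
    whitelisted in such tools instead of being chased as an attack.
    """
    return sorted(IPv4Address(ip) for ip, m in arp_table.items()
                  if m.lower() == mac.lower())


if __name__ == "__main__":
    print("plan problems:", validate_plan(LAN, VPN_TUNNEL, ALLOCATIONS) or "none")
    server, clients = proxy_arp_hosts(VPN_TUNNEL)
    print(f"server {server}, {len(clients)} Proxy ARP entries "
          f"{min(clients)}-{max(clients)}")
    for ip in ("172.16.16.150", "172.16.16.40"):  # VPN client vs. static thingie
        print(ip, "->", arp_reply(ip, clients))
```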
                      • bingo600

                        Posted this before seeing JeGr's post ... reading ....

                        👷

                        Hmm, maybe I see a use now.

                        Proxy ARP is kind of an interface-less VIP pass-through:
                        combined with NAT it would be a "nat inside outside".

                        Then it ought to use fewer cycles too, I suppose.

                        /Bingo

                        • JeGr LAYER 8 Moderator

                          Besides having a (V)IP that isn't really located on the device but further down/up the wire, I haven't seen much use for ProxyARP IPs in today's setups, but that case is a really nice touch for many setups that formerly used some other "darkmagic"(tm) software that bridged VPN into their network, or that like to use special inbound/outbound ACLs for a specific IP group/network. :)

                          • bingo600 @JeGr

                            @JeGr said in IP Alias vs Proxy ARP - When to use what & why ?:

                            How about checking the comparison table? ;)

                            https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-comparison.html

                            Also to jump in what you can (only) do with Proxy ARP addresses:

                            ..
                            ..
                            ..

                            Cheers
                            \jens

                            Yddrff that was "Sneaky" 👍
                            Where did KISS go 🙄

                            Excellent example, and "I would never have thought of ....."

                            But nice to know (bookmarked)

                            Thanx Jens

                            /Bingo
                            Who was not "Sneaky", and had to permit my LAN adm AND OVPN RoadWarrior adm networks on all the remote sites (for TFW mgmt access)

                            • JeGr LAYER 8 Moderator

                              For what it's worth: IMHO best way is to do it with separate subnets and clean routing, so perhaps you weren't sneaky but did a clean setup as it should be :D

                              • bingo600 @JeGr

                                @JeGr said in IP Alias vs Proxy ARP - When to use what & why ?:

                                For what it's worth: IMHO best way is to do it with separate subnets and clean routing, so perhaps you weren't sneaky but did a clean setup as it should be :D

                                Agreed

                                But if you have no control over the "remote box" (CPE), and want to be able to access it from a new dial-in scope, the sneaky is nice to have in the "darkmagic"(tm) (love that word) toolbox.

                                /Bingo

                                • JeGr LAYER 8 Moderator

                                  @bingo600 said in IP Alias vs Proxy ARP - When to use what & why ?:

                                  The sneaky is nice to have in the "darkmagic"(tm) (love that word) toolbox

                                  Absolutely. Those nice little hacks you can/could do are the bread & butter of your toolset and what makes my customers and clients happy ;)

                                  Did I mention there's also such a hidden gem in outbound NATting in relation with properly routed public subnets? 😁

                                  • bingo600 @JeGr

                                    @JeGr said in IP Alias vs Proxy ARP - When to use what & why ?:

                                    Did I mention there's also such a hidden gem in outbound NATting in relation with properly routed public subnets? 😁

                                    More...More...

                                    /Bingo

                                    • JeGr LAYER 8 Moderator

                                      Just a quicky:

                                      • You have a public WAN IP
                                      • You have another subnet routed to said WAN IP (let's say a /30 as the ISPs are greedy as f*** these days)
                                      • So you get 2 additional usable IPs out of that. It's a /30 right?

                                      Nope ;) You can use those 2 IPs for services/servers down the wire, for sure. Even create that nice little /30 on another interface and set up a server to have a real public IP. Or you could BiNAT both IPs to 2 servers. Right.

                                      But you can also "exploit" that your ISP is routing that /30 to you. Completely. To do what you want. So how about setting up the network or the broadcast IP as an "IP Alias" type IP on your pfSense and using it as the NAT outgoing IP for your VLAN1 network? And the other one for your VLAN2 network? That leaves your pfSense WAN IP AND those other 2 real IPs from the /30 to your handling as you please, without using/burning one of them with outgoing traffic from your NAT.

                                      Just a little tidbit. You can use the network/broadcast IP that way ONLY because outbound NAT etc. aren't actually services that listen on a specific interface/IP, but just "rewrite" IP information. And as you get that /30 routed to you from the ISP, returning traffic even to the netmask/broadcast IP is normally coming back without a hitch and retranslated to the origin via pf's filter engine. :) But where it works and where not needs a bit of fiddling or searching around.

                                      Saves up on sparse IPs ;)

                                      • bingo600 @JeGr

                                        @JeGr
                                        Hmm.. Didn't e.g. Cisco add "drop broadcast" traffic by default to their IFs?
                                        Must find an ISP that runs Juniper 😊

                                        I was lucky ... Have a /27 at work

                                        Edit: BiNAT ??

                                        /Bingo

                                        • JeGr LAYER 8 Moderator

                                          That shouldn't interfere with a routed subnet as that is "customers property" normally. I'd be pissed if they filtered traffic of my IP space before it gets to me :)

                                          Edit: BiNAT ??

                                          1:1 NAT is also called BiNAT (as it's mapping in- and outbound).

                                          • bingo600 @JeGr

                                            @JeGr
                                            Ahh, so the new /30 is not given as a "Link-net", just a "range".
                                            Nice "abuse"

                                            Soon you'll prob. get a /31 as link-net
                                            https://tools.ietf.org/html/rfc3021

                                            If I refer to this post .. "Doubling your Public IP range"
                                            Do you think I could argue that I should have a /26 😊 😊

                                            /Bingo
