Proxyarp config help

mastermindpro · Jul 26, 2006, 1:43 AM

I'm thinking you don't fully understand.

I have multiple hosts on the physical network that is connected to the DMZ interface. Some are in the same subnet as the DMZ interface address, but the rest are in the same subnet(s) as the WAN interface. The firewall is currently proxying ARP requests from one physical network to the other for the hosts I've defined…quite gracefully at that. Perhaps pfSense can't even do this?

It seems like basic functionality for a firewall to me...even more basic than a bridging firewall would be.

hoba · Jul 26, 2006, 1:52 AM

I don't think that setup will work with pfSense. You either can bridge interfaces or use NAT. VIPs are only thought to be additional IPs at an interface which then can be used to NAT them somewhere else (besides of CARP, which can be used for services running on the firewall directly or be natted). Maybe you can make your setup simply less comples. pfSense offers NAT reflection for portforwards (turn on at system>advanced) so you can access your internal clients by it's public IP.

mastermindpro · Jul 26, 2006, 2:26 AM

I guess I'm confused, then. What is the proxyarp mechanism for? ???

Every OS that has any decent TCP/IP layer can have multiple addresses within the same subnet assigned to one physical interface. I thought the whole point of proxyarp was to respond on interface A as though you were the system on interface B…hence proxying an ARP request from a device on A to the device on B and vice versa.

Maybe proxyarp in the Linux world means something totally different :o

hoba · Jul 26, 2006, 2:31 AM

The way I described it is how pfSense makes use of proxyARP or at least how you can use it from the gui.

mastermindpro · Jul 26, 2006, 2:48 AM

Huh…there doesn't seem to be any proxying at all going on in your example. Is there any more documentation on Proxyarp/Carp somewhere?

hoba · Jul 26, 2006, 3:36 AM

VIPs=Virtual IPs like CARP, ProxyARP, …see my former post:

@hoba:

VIPs are only thought to be additional IPs at an interface which then can be used to NAT them somewhere else (besides of CARP, which can be used for services running on the firewall directly or be natted).

mastermindpro · Jul 26, 2006, 3:46 AM

I understand the concept of VIP…that's just a fancy name for a basic ability.

What I don't understand is the use of the term "proxyarp" (any VIP discussion aside) if all that can be done with it is outlined by your example. Your example consists of absolutely no proxying. :-[

One definition of the word "proxy" is "on behalf of". In your example, the firewall WAN interface is simply answering for multiple ARP requests with it's own or some derived MAC address. It's NOT answering an ARP request "on behalf of" another host that isn't part of the WAN physical network.

Surely other pfSense users have DMZ setups with multiple systems that occupy/respond on public IP's when, in fact, they're not actually physically connected to that subnet? I do this all the time with Linux and Sonicwall boxes. I'm believe the Netscreen products have similar functionality. Heck, I think even ISA has this capability. :-[

hoba · Jul 26, 2006, 3:56 AM

Patches accepted.

mastermindpro · Jul 26, 2006, 5:01 AM

::) That's an easy out. ;)

I would submit a patch if

I knew BSD like I do Linux
I was a developer

Alas, neither is true.

sullrich · Jul 26, 2006, 5:59 PM

@mastermindpro:

::) That's an easy out. ;)

Not at all. We just don't have the resources to instantly code up solutions for every persons needs.

mastermindpro · Jul 26, 2006, 6:48 PM

I realize the limited developer pool. Maybe I should try a different approach:

Should the naming of "proxyarp" in the VIP setup GUI be changed to something else so as to avoid confusion with something that might actually proxy arp requests? I mean, if it doesn't do that, it shouldn't be called that.

I suggest "additional" or "standard" or "non-primary" or "non-CARP" as more logical names based on my current understanding of how the function works. I know it's a small thing, but this really tripped me up and has kept me from trying to implement pfSense any further. As other people look to convert from other platforms to pfSense, any bit would help until the documentation is more complete.

sullrich · Jul 26, 2006, 6:50 PM

That name was acquired from m0n0wall. They use the same terminiology and we have kept it the same so that there is no confusion for someone that is coming from m0n0wall.

mastermindpro · Jul 26, 2006, 7:10 PM

Gotcha…I'll go bother them, then. ;D

newk · Aug 3, 2006, 8:18 PM

So because m0n0wall used the wrong terminology, it continues?? Proxy ARP is a very specific capability in network routing - it is supposed to allow a device like a pfSense routing firewall to answer ARP requests on, say, its external interface, for IP addresses that already exist on devices 'behind' it. The device performing Proxy ARP answers ARP requests for a device for which it proxies, then routes traffic destined for that proxied IP to the device that actually bears that IP. It has nothing to do with NAT, nor even bridging.

j

sullrich · Aug 3, 2006, 8:20 PM

Atleast for 1.0, yes.