Netgate Discussion Forum

Proxyarp config help

  • H
    hoba
    last edited by Jul 26, 2006, 3:36 AM

    VIPs=Virtual IPs like CARP, ProxyARP, …see my former post:

    @hoba:

    VIPs are only thought to be additional IPs at an interface which then can be used to NAT them somewhere else (besides of CARP, which can be used for services running on the firewall directly or be natted).

    • M
      mastermindpro
      last edited by Jul 26, 2006, 3:46 AM

      I understand the concept of VIP…that's just a fancy name for a basic ability.

      What I don't understand is the use of the term "proxyarp" (any VIP discussion aside) if all that can be done with it is outlined by your example.  Your example consists of absolutely no proxying.  :-[

      One definition of the word "proxy" is "on behalf of".  In your example, the firewall WAN interface is simply answering for multiple ARP requests with its own or some derived MAC address.  It's NOT answering an ARP request "on behalf of" another host that isn't part of the WAN physical network.

      Surely other pfSense users have DMZ setups with multiple systems that occupy/respond on public IPs when, in fact, they're not actually physically connected to that subnet?  I do this all the time with Linux and Sonicwall boxes.  I believe the Netscreen products have similar functionality.  Heck, I think even ISA has this capability.  :-[

      • H
        hoba
        last edited by Jul 26, 2006, 3:56 AM

        Patches accepted.

        • M
          mastermindpro
          last edited by Jul 26, 2006, 5:01 AM

          ::) That's an easy out.  ;)

          I would submit a patch if

          1. I knew BSD like I do Linux
          2. I was a developer

          Alas, neither is true.

          • S
            sullrich
            last edited by Jul 26, 2006, 5:59 PM

            @mastermindpro:

            ::) That's an easy out.  ;)

            Not at all.  We just don't have the resources to instantly code up solutions for every person's needs.

            • M
              mastermindpro
              last edited by Jul 26, 2006, 6:48 PM

              I realize the limited developer pool.  Maybe I should try a different approach:

              Should the naming of "proxyarp" in the VIP setup GUI be changed to something else so as to avoid confusion with something that might actually proxy arp requests?  I mean, if it doesn't do that, it shouldn't be called that.

              I suggest "additional" or "standard" or "non-primary" or "non-CARP" as more logical names based on my current understanding of how the function works.  I know it's a small thing, but this really tripped me up and has kept me from trying to implement pfSense any further.  As other people look to convert from other platforms to pfSense, any bit would help until the documentation is more complete.

              • S
                sullrich
                last edited by Jul 26, 2006, 6:50 PM

                That name was acquired from m0n0wall.  They use the same terminology and we have kept it the same so that there is no confusion for someone that is coming from m0n0wall.

                • M
                  mastermindpro
                  last edited by Jul 26, 2006, 7:10 PM

                  Gotcha…I'll go bother them, then.  ;D

                  • N
                    newk
                    last edited by Aug 3, 2006, 8:18 PM

                    So because m0n0wall used the wrong terminology, it continues??  Proxy ARP is a very specific capability in network routing - it is supposed to allow a device like a pfSense routing firewall to answer ARP requests on, say, its external interface, for IP addresses that already exist on devices 'behind' it.  The device performing Proxy ARP answers ARP requests for a device for which it proxies, then routes traffic destined for that proxied IP to the device that actually bears that IP.  It has nothing to do with NAT, nor even bridging.

                    j
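
The distinction argued over in this thread, as an added example that is not part of any poster's message and is not pfSense or m0n0wall code: a firewall answering ARP for an extra address bound to its own WAN interface (the "VIP" case) versus answering on behalf of a host that sits behind another interface and then routing to it (proxy ARP). The addresses, interface names and the decision rule (modelled on how Linux's `proxy_arp` setting behaves) are assumptions made for illustration.

```python
import ipaddress

# Constructed topology using documentation address space (RFC 5737).
# DMZ hosts carry public IPs from the WAN subnet but are not on the WAN wire.
ROUTES = [
    (ipaddress.ip_network("203.0.113.0/24"), "wan"),   # WAN subnet, on-link
    (ipaddress.ip_network("203.0.113.20/32"), "dmz"),  # host route to DMZ box
    (ipaddress.ip_network("203.0.113.21/32"), "dmz"),  # host route to DMZ box
]

# Addresses bound to the firewall itself (primary plus an extra "VIP").
LOCAL_ADDRS = {"wan": {"203.0.113.2", "203.0.113.10"}}


def egress_interface(target):
    """Longest-prefix match: which interface would a packet to target leave on?"""
    ip = ipaddress.ip_address(target)
    matches = [(net.prefixlen, ifc) for net, ifc in ROUTES if ip in net]
    return max(matches)[1] if matches else None


def classify_arp_request(in_iface, target):
    """Decide how the firewall treats an ARP who-has for target seen on in_iface."""
    # VIP case: the address is the firewall's own, so traffic terminates on the
    # firewall and only reaches another host if a NAT rule sends it there.
    if target in LOCAL_ADDRS.get(in_iface, set()):
        return "local-vip"
    # Proxy ARP case: the address belongs to another host that is reachable
    # through a different interface; the firewall answers with its own MAC
    # and then routes the traffic, with no NAT involved.
    out = egress_interface(target)
    if out is not None and out != in_iface:
        return "proxy-arp"
    # Target is on the same segment the request came from (or unroutable):
    # the real owner answers for itself, the firewall stays silent.
    return "no-reply"


if __name__ == "__main__":
    for iface, ip in [("wan", "203.0.113.10"), ("wan", "203.0.113.20"),
                      ("wan", "203.0.113.50"), ("dmz", "203.0.113.50")]:
        print(f"who-has {ip} on {iface}: {classify_arp_request(iface, ip)}")
```

The last case shows the reverse direction: a DMZ host asking for a WAN-side neighbour also gets a proxied answer, which is what lets both segments share one subnet without bridging.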

                    • S
                      sullrich
                      last edited by Aug 3, 2006, 8:20 PM

                      At least for 1.0, yes.
