Proxy ARP for dummies



  • Hi!

    I am trying the Proxy ARP feature... I need some help to understand the communication.
    Both PCs are in the same subnet, but located in a different. I want to get the website at green-PC from the red-PC.

    setup:
        red-PC ------------------ 192.168.10.254 | pfSense | 192.168.2.254 ------------------ green-PC
        10.10.10.100/24                                                                      10.10.10.200/24

    http://10.10.10.200

    I have configured: Firewall > Virtual IPs >

    Type:          Proxy ARP
    IP Address: 10.10.10.200/24

    The ARP for the HTTP request will be answered by pfSense, and the SYN will also be sent to destination IP
    10.10.10.200 with the destination MAC of the red port on pfSense.
    So far, everything is OK.

    But pfSense should know how to handle the received SYN.
    So I have to tell pfSense: please forward the received packet from 10.10.10.100 to the IP 10.10.10.200 / MAC_green_PC.
    So some kind of NAT is needed.

    ...please can you give me some hints?



  • The biggest hint I can give you is that red and green are on the same subnet, so there will be NO routing done. I guess you could source NAT both sides, but really that is not a good idea. Green PC needs an IP in the 192.168.2.0/24 network and the pfSense machine as its gateway. Then you would create a proxy ARP for 10.10.10.200 on the WAN (red side) of the firewall. Then you would create either a port forward or a 1:1 NAT and the associated rules.



  • Hi,

    I do not want to do bridging...

    I want to do the following with proxy ARP: http://tools.ietf.org/html/rfc1027

    2.1 Basic method (first and second break)

    After reading RFC 1027, is this correct (?):
    Host A (red-PC) and Host B (green-PC) are in the same logical subnet, but in different physical subnets.
    Host A has to connect to Host B. This should be possible by using proxy ARP as described in RFC 1027.

    Maybe I do not understand / misunderstand RFC 1027...
    If you know how to configure this, please let me know.
    If you think this is not possible with pfSense, please let me know as well.



  • In your setup, for it to work, you must proxy ARP the server IP and the client IP on opposite sides of the firewall and NAT in both directions. If this is on the internet hosting a public website, this would not work, as you would not always know the client's IP. So the way you want to do it is not feasible, even if it is possible.

    I would set it up like this:

    Red:10.10.10.100/24 ---  WAN_pfSense:10.10.10.101/24 | Firewall and NAT | LAN_pfSense:10.10.20.101/24 --- Green:10.10.20.100/24

    Please be sure that the gateway of the Green PC is the LAN IP of the pfSense firewall.
    Create a proxy ARP of 10.10.10.102/32 on the WAN of the pfSense. Set up a 1:1 NAT that points 10.10.10.102 to 10.10.20.100. Then set up a firewall rule to allow any hostname/IP on any port to port 80 on IP 10.10.20.100.
    Then on 10.10.10.100 try to go to a website on 10.10.10.102.



  • OK, I will try to configure this.

    The goal is to use this with a VPN connection between server and client.
    ARPs cannot be resolved over IPsec. This is the reason to use proxy ARP.
    It is some kind of Layer-2 connection through IPsec.

    The server is not at the same location as the client, and the communication
    is also without public IPs. But I want to start with a small local configuration to
    understand proxy ARP.

    In your setup, the client and server IPs are in the physical subnet, which is directly
    connected to pfSense.

    But I think, after reading the RFC, it should also be possible to move the client
    and server IPs into a different (logical) subnet. I can see that the communication starts
    by resolving the ARP (answered by pfSense), and the client also starts to send the SYN.



  • Hi!

    I tried your configuration. Here is the result:

    Red:192.168.10.250/24 ---  WAN:192.168.10.254/24 | pfSense | LAN:192.168.2.254/24 --- Green:192.168.2.100/24
    NO gateway!                                                                          GW: 192.168.2.254

    Proxy ARP on WAN: 192.168.10.100 (single address)
    1:1 NAT on WAN:   External 192.168.10.0
                      Internal 192.168.2.0/24

    The HTTP request is successful! Thanks for your support.

    ---------------------- packets on WAN side ----------------------                     ---------------------- packets on LAN side ----------------------
    SYN:     Destination IP = 192.168.10.100, Source IP = 192.168.10.250  >>> (pfSense) >>>  Destination IP = 192.168.2.100,  Source IP = 192.168.10.250
    SYN,ACK: Destination IP = 192.168.10.250, Source IP = 192.168.10.100  <<< (pfSense) <<<  Destination IP = 192.168.10.250, Source IP = 192.168.2.100
    ACK:     Destination IP = 192.168.10.100, Source IP = 192.168.10.250  >>> (pfSense) >>>  Destination IP = 192.168.2.100,  Source IP = 192.168.10.250

    From the 192.168.10.100 perspective, the webserver is in the same subnet as the client. The client can connect to the server without using a default gateway.

    The next step should be that client and server are connected with a VPN tunnel....
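The following is an added illustration written for this thread; it is not pfSense code and not something any poster supplied. It models only the address handling in the final working setup above: on which "who-has" requests the firewall answers (proxy ARP scope on WAN), the network 1:1 NAT between external 192.168.10.0 and internal 192.168.2.0/24 (host bits preserved), and pf's state table, which is why the server's SYN,ACK passes back without its own rule. It replays the three captured packets through that model. The client port 51000 is constructed, and the class and function names are this example's own.

```python
import ipaddress
from typing import List, Optional, Tuple

Packet = Tuple[str, str, int, int]   # (src IP, dst IP, src port, dst port)


class PfSenseModel:
    """Toy model (for this thread, not pfSense's code) of proxy-ARP scope,
    network 1:1 NAT and stateful filtering on a two-interface firewall."""

    def __init__(self, wan_ip: str, lan_ip: str, proxy_arp: str,
                 nat_external: str, nat_internal: str,
                 allow: List[Tuple[str, int]]):
        self.wan_ip = ipaddress.IPv4Address(wan_ip)
        self.lan_ip = ipaddress.IPv4Address(lan_ip)
        # A VIP entered as 10.10.10.200/24 (the first post) claims the whole /24;
        # a "single address" VIP is a /32 and claims only that host.
        self.proxy_arp = ipaddress.ip_network(proxy_arp, strict=False)
        self.ext = ipaddress.ip_network(nat_external, strict=False)
        self.int = ipaddress.ip_network(nat_internal, strict=False)
        if self.ext.prefixlen != self.int.prefixlen:
            raise ValueError("1:1 NAT maps ranges of equal size, host bits preserved")
        self.allow = {(ipaddress.IPv4Address(ip), port) for ip, port in allow}
        self.states = set()   # admitted flows, keyed in LAN-side addressing

    def answers_arp(self, iface: str, target: str) -> bool:
        """Which who-has requests the firewall answers on a given interface."""
        t = ipaddress.IPv4Address(target)
        if iface == "wan":
            return t == self.wan_ip or t in self.proxy_arp
        if iface == "lan":
            return t == self.lan_ip
        return False

    def _ext_to_int(self, ip):
        return self.int.network_address + (int(ip) - int(self.ext.network_address))

    def _int_to_ext(self, ip):
        return self.ext.network_address + (int(ip) - int(self.int.network_address))

    def wan_in(self, src: str, dst: str, sport: int, dport: int) -> Optional[Packet]:
        """Packet received on WAN: 1:1 NAT rewrites the destination, then the
        packet must match an existing state or an allow rule. None = dropped."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if d in self.ext:
            d = self._ext_to_int(d)
        flow = (s, d, sport, dport)
        if flow not in self.states:
            if (d, dport) not in self.allow:
                return None
            self.states.add(flow)                    # client -> server
            self.states.add((d, s, dport, sport))    # server -> client (reply)
        return str(s), str(d), sport, dport

    def lan_in(self, src: str, dst: str, sport: int, dport: int) -> Optional[Packet]:
        """Packet received on LAN. This toy only models replies to flows opened
        from WAN: no matching state, no pass. The source is mapped back to its
        external 1:1 address before the packet leaves on WAN."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if (s, d, sport, dport) not in self.states:
            return None
        if s in self.int:
            s = self._int_to_ext(s)
        return str(s), str(d), sport, dport


def poster_setup() -> PfSenseModel:
    """The configuration from the last post."""
    return PfSenseModel(wan_ip="192.168.10.254", lan_ip="192.168.2.254",
                        proxy_arp="192.168.10.100/32",
                        nat_external="192.168.10.0/24", nat_internal="192.168.2.0/24",
                        allow=[("192.168.2.100", 80)])


def replay_handshake() -> Tuple[bool, Packet, Packet, Packet]:
    """The captured SYN / SYN,ACK / ACK, with a constructed client port 51000."""
    fw = poster_setup()
    arp = fw.answers_arp("wan", "192.168.10.100")          # client asks who-has
    syn = fw.wan_in("192.168.10.250", "192.168.10.100", 51000, 80)
    synack = fw.lan_in("192.168.2.100", "192.168.10.250", 80, 51000)
    ack = fw.wan_in("192.168.10.250", "192.168.10.100", 51000, 80)
    return arp, syn, synack, ack


def arp_scope(vip: str, target: str) -> bool:
    """Would a WAN proxy-ARP VIP of `vip` also answer who-has for `target`?"""
    fw = PfSenseModel("192.168.10.254", "192.168.2.254", vip,
                      "192.168.10.100/32", "192.168.2.100/32", allow=[])
    return fw.answers_arp("wan", target)


def external_range_overlaps(fw: PfSenseModel, real_hosts: List[str]) -> List[str]:
    """Real WAN-segment addresses that the 1:1 external range also covers."""
    return [h for h in real_hosts if ipaddress.IPv4Address(h) in fw.ext]


if __name__ == "__main__":
    print(replay_handshake())
```

Two checks fall out of the model that match the thread. `arp_scope("192.168.10.100/24", "192.168.10.250")` is true: the /24 VIP from the first post would make the firewall answer ARP for the client's own address as well, which is why the working setup uses a single address. `external_range_overlaps(poster_setup(), [...])` shows the whole-subnet 1:1 NAT also covers 192.168.10.254 (the WAN address) and 192.168.10.250 (the client); the /32 1:1 mapping suggested in the second answer avoids that.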

