Topic: Proxyarp config help

mastermindpro
Proxyarp config help
« on: July 25, 2006, 07:42:32 pm »
I'm trying to use pfSense to replace a Linux iptables firewall that I have already setup.  I couldn't get proxyarp to work for the life of me.  I use Shorewall on the Linux system to configure rules and proxyarp.  Here's a basic outline of the system:

ISP- Provides two subnets 1.1.1.0/27 and 2.2.2.0/27.  Occupies gateway addresses of 1.1.1.1 and 2.2.2.1.

Firewall WAN interface- Occupies one public IP, 1.1.1.2, and proxyarps the remaining public IPs in both subnets to a DMZ interface
Firewall DMZ interface- 10.0.0.1/24, needs NAT for multiple items within this subnet but proxyarps the gateway addresses for both subnets to systems that occupy the public IPs

This is a very straightforward config in Shorewall/iptables, but pfSense seemed to lack the config options needed to pull this off.  For example, the GUI only has one drop-down field for interface, which doesn't seem clear to me.  Is that the interface that the firewall responds to ARP requests on or is it the interface that actually has the system that really occupies that address?

A little help on configuring this for a pfSense newbie would be appreciated greatly.

hoba
Re: Proxyarp config help
« Reply #1 on: July 25, 2006, 08:12:44 pm »
- Set up the additional IPs as VIP at firewall>vip and choose type proxyARP
- Set up portforwards or even 1:1 NATs to your destinations inside your local subnets at firewall>NAT, portforward or 1:1 (depending what you prefer)
- Add firewall rules in case you want to use 1:1 NAT (portforward will generate the rules for you automatically) to the internal IP of the destination client
- Apply all settings and be happy

mastermindpro
Re: Proxyarp config help
« Reply #2 on: July 25, 2006, 08:29:30 pm »
I'd like to keep all forms of NAT out of the picture for the proxyarp'ed hosts.  Per my example, they would have addresses 1.1.1.14/27 and similar, with a default gateway of 1.1.1.1.  NAT isn't used in the current config except for hosts that are in the 10.0.0.0/24 subnet.

Maybe I didn't make that clear in my first post.  Sorry.

hoba
Re: Proxyarp config help
« Reply #3 on: July 25, 2006, 08:38:33 pm »
Then I don't know what you want to do with VIPs. You probably talk about a routing setup? Or maybe I don't understand your setup at all  ???

mastermindpro
Re: Proxyarp config help
« Reply #4 on: July 25, 2006, 08:43:19 pm »
I'm thinking you don't *fully* understand.

I have multiple hosts on the physical network that is connected to the DMZ interface.  Some are in the same subnet as the DMZ interface address, but the rest are in the same subnet(s) as the WAN interface.  The firewall is currently proxying ARP requests from one physical network to the other for the hosts I've defined...quite gracefully at that.  Perhaps pfSense can't even do this?

It seems like basic functionality for a firewall to me...even more basic than a bridging firewall would be.
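The "proxying ARP requests from one physical network to the other" that the poster describes is, on Linux, the kernel's proxy_arp behaviour driven by the routing table: a request heard on one interface is answered with the firewall's own MAC when the target is routed out a different interface. The Python below is an added example written for this page; it is not code from the thread, pfSense or Shorewall. It models that decision for the two-legged topology above, parses and builds real ARP frames so the "reply on behalf of" part is visible, and also shows a tighter explicit allow-list so the firewall does not answer on WAN for every routed address (the route-based rule would also claim 10.0.0.0/24 on the WAN wire). The addresses 1.1.1.x/2.2.2.x/10.0.0.x are the poster's placeholders; the MACs, the 2.2.2.10 host and the allow-list contents are assumptions.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

ARP_REQUEST, ARP_REPLY = 1, 2
ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6

# Firewall interface MACs: made up for this example.
IFACE_MAC = {
    "wan": bytes.fromhex("020000000a01"),
    "dmz": bytes.fromhex("020000000a02"),
}

# Routing table as the firewall kernel would hold it: the two connected public
# /27s, the private /24, and /32 host routes onto the DMZ wire for hosts that
# hold public addresses there (what Shorewall's proxyarp file installs).
ROUTES = [
    (IPv4Network("1.1.1.0/27"),  "wan"),
    (IPv4Network("2.2.2.0/27"),  "wan"),
    (IPv4Network("10.0.0.0/24"), "dmz"),
    (IPv4Network("1.1.1.14/32"), "dmz"),   # public host physically on DMZ leg
    (IPv4Network("2.2.2.10/32"), "dmz"),   # assumed second such host
]

# Tighter alternative (assumed for the example): explicit (arrival interface,
# target) pairs, like per-host proxy neighbour entries instead of proxy_arp=1.
EXPLICIT_PROXY = {
    ("wan", IPv4Address("1.1.1.14")), ("wan", IPv4Address("2.2.2.10")),
    ("dmz", IPv4Address("1.1.1.1")),  ("dmz", IPv4Address("2.2.2.1")),
}

def egress_iface(dst):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    best = None
    for net, iface in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def should_proxy(in_iface, target, explicit=None):
    """Answer an ARP request for `target` heard on `in_iface`?

    Route-based (explicit=None) reproduces net.ipv4.conf.<if>.proxy_arp=1:
    reply iff we route to the target out of a *different* interface.  With
    `explicit`, reply only for listed pairs, so WAN requests for 10.0.0.x
    are left unanswered.
    """
    target = IPv4Address(target)
    if explicit is not None:
        return (in_iface, target) in explicit
    out = egress_iface(target)
    return out is not None and out != in_iface

def build_arp(op, sha, spa, tha, tpa):
    """Ethernet + ARP frame (IPv4 over Ethernet). Requests go to broadcast."""
    eth_dst = tha if op == ARP_REPLY else BROADCAST
    eth = struct.pack("!6s6sH", eth_dst, sha, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      sha, spa.packed, tha, tpa.packed)
    return eth + arp

def parse_arp(frame):
    """ARP fields as plain values, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha.hex(), "spa": str(IPv4Address(spa)),
            "tha": tha.hex(), "tpa": str(IPv4Address(tpa))}

def make_request(sender_mac_hex, sender_ip, target_ip):
    """The broadcast 'who has target_ip? tell sender_ip' frame."""
    return build_arp(ARP_REQUEST, bytes.fromhex(sender_mac_hex),
                     IPv4Address(sender_ip), b"\x00" * 6, IPv4Address(target_ip))

def handle_frame(in_iface, frame, explicit=None):
    """Reply frame to send back out `in_iface`, or None if we stay silent."""
    arp = parse_arp(frame)
    if arp is None or arp["op"] != ARP_REQUEST:
        return None
    if not should_proxy(in_iface, arp["tpa"], explicit):
        return None
    # The reply carries *our* MAC for the proxied IP: the requester then sends
    # frames for 1.1.1.14 to the firewall, which routes them onto the DMZ leg.
    return build_arp(ARP_REPLY, IFACE_MAC[in_iface], IPv4Address(arp["tpa"]),
                     bytes.fromhex(arp["sha"]), IPv4Address(arp["spa"]))

if __name__ == "__main__":
    # ISP router (constructed MAC) asks on the WAN wire for 1.1.1.14.
    req = make_request("020000000b01", "1.1.1.1", "1.1.1.14")
    print("WAN:", parse_arp(handle_frame("wan", req)))   # answered with WAN MAC
    print("DMZ:", handle_frame("dmz", req))              # None: real host is on that wire
```

The route-based rule is why a DMZ host with 1.1.1.14 can use 1.1.1.1 as its default gateway: a DMZ-side request for 1.1.1.1 is routed out WAN, so the firewall answers for it. The same rule answers WAN-side requests for 10.0.0.x, which is the practical reason to prefer explicit per-host proxy entries on an exposed interface.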

hoba
Re: Proxyarp config help
« Reply #5 on: July 25, 2006, 08:52:55 pm »
I don't think that setup will work with pfSense. You can either bridge interfaces or use NAT. VIPs are only thought to be additional IPs at an interface which then can be used to NAT them somewhere else (besides CARP, which can be used for services running on the firewall directly or be natted). Maybe you can make your setup simply less complex. pfSense offers NAT reflection for portforwards (turn on at system>advanced) so you can access your internal clients by their public IP.

mastermindpro
Re: Proxyarp config help
« Reply #6 on: July 25, 2006, 09:26:21 pm »
I guess I'm confused, then.  What is the proxyarp mechanism for?  ???

Every OS that has any decent TCP/IP layer can have multiple addresses within the same subnet assigned to one physical interface.  I thought the whole point of proxyarp was to respond on interface A as though you were the system on interface B...hence proxying an ARP request from a device on A to the device on B and vice versa.

Maybe proxyarp in the Linux world means something totally different  :o

hoba
Re: Proxyarp config help
« Reply #7 on: July 25, 2006, 09:31:58 pm »
The way I described it is how pfSense makes use of proxyARP or at least how you can use it from the gui.

mastermindpro
Re: Proxyarp config help
« Reply #8 on: July 25, 2006, 09:48:36 pm »
Huh...there doesn't seem to be any proxying at all going on in your example.  Is there any more documentation on Proxyarp/Carp somewhere?

hoba
Re: Proxyarp config help
« Reply #9 on: July 25, 2006, 10:36:00 pm »
VIPs=Virtual IPs like CARP, ProxyARP, ...see my former post:

VIPs are only thought to be additional IPs at an interface which then can be used to NAT them somewhere else (besides CARP, which can be used for services running on the firewall directly or be natted).

mastermindpro
Re: Proxyarp config help
« Reply #10 on: July 25, 2006, 10:46:29 pm »
I understand the concept of VIP...that's just a fancy name for a basic ability.

What I don't understand is the use of the term "proxyarp" (any VIP discussion aside) if all that can be done with it is outlined by your example.  Your example consists of absolutely no proxying.  :-[

One definition of the word "proxy" is "on behalf of".  In your example, the firewall WAN interface is simply answering for multiple ARP requests with its own or some derived MAC address.  It's NOT answering an ARP request "on behalf of" another host that isn't part of the WAN physical network.

Surely other pfSense users have DMZ setups with multiple systems that occupy/respond on public IPs when, in fact, they're not actually physically connected to that subnet?  I do this all the time with Linux and Sonicwall boxes.  I believe the Netscreen products have similar functionality.  Heck, I think even ISA has this capability.  :-[

hoba
Re: Proxyarp config help
« Reply #11 on: July 25, 2006, 10:56:59 pm »
Patches accepted.

mastermindpro
Re: Proxyarp config help
« Reply #12 on: July 26, 2006, 12:01:19 am »
 ::) That's an easy out.  ;)

I would submit a patch if

1) I knew BSD like I do Linux
2) I was a developer

Alas, neither is true.

sullrich
Re: Proxyarp config help
« Reply #13 on: July 26, 2006, 12:59:08 pm »
::) That's an easy out.  ;)

Not at all.  We just don't have the resources to instantly code up solutions for every person's needs.

mastermindpro
Re: Proxyarp config help
« Reply #14 on: July 26, 2006, 01:48:29 pm »
I realize the limited developer pool.  Maybe I should try a different approach:

Should the naming of "proxyarp" in the VIP setup GUI be changed to something else so as to avoid confusion with something that might actually *proxy* *arp* requests?  I mean, if it doesn't do that, it shouldn't be called that.

I suggest "additional" or "standard" or "non-primary" or "non-CARP" as more logical names based on my current understanding of how the function works.  I know it's a small thing, but this really tripped me up and has kept me from trying to implement pfSense any further.  As other people look to convert from other platforms to pfSense, any bit would help until the documentation is more complete.