I have an interesting setup utilizing proxy arp and I was wondering if anyone has seen this before/there is a name for it. My firewall is an edgerouter and the server is a linux host.
I wanted to configure a host with a static external address but I wanted/needed the firewall to remain in place and not use NAT at all.
I already had the host working with internal address so I just added the external IP address to the existing server interface (not it's own/new interface) and added a route for the external address to the internal address on the edgerouter and to my supprise it started working. I removed all the NAT and replaced it with just a SNAT to rewrite the outgoing IP (which brings up another question, does using SNAT still require the firewall to maintain the connection table/state?). The firewall works beautifully on the edgerouter before the server now so no need for firewall on server.
I then realized I had proxy arp enabled on my WAN interface and disabled it. A few days later the connection stopped responding on the linux server external address, so I re-enabled proxy arp and it started working again. So need proxy arp for this to work...
Is there anything wrong with this setup? I was also able to use this technique to route an external IP address across several wireless links all with internal addresses (of course needed to add route to each antenna but it works beautifully). What kind of problems could this cause? I am aiming to have everything routed only, no bridges (unless at edges) so I would like to use this to provide customer external address if needed, can I make this more secure/prevent abuse of the proxy arp? (I suspect I would need to add a route to firewall to even get this to work, but I wanted to ensure this technique could not be abused from the customer link)
Thanks for anyone's input! Your help is greatly appreciated
No comments:
Post a Comment