Discussion:
Which way is best / Proxy ARP
David Mahon
2005-10-21 22:21:21 UTC
OK, I've just spent a while swearing whilst reconfiguring my network as
a bit of a study, to see if a firebrick would help a friend with his.

Requirements:

1) Static block of 8 IPs (5 usable)
2) 3 servers
3) 10-16 computers, using DHCP and NAT

So, 2 options:

1) Set up firebrick with 2 LAN segments (one public, one private)
2) Set up private LAN, use mapping to map 3 addresses in both directions

Which is the best option?

Second question:

Whilst looking at this, I set up my network to use the same network on
the WAN and LAN interfaces instead of the "proper" router setup with
different subnets on each interface.

Do I have to set up a gateway, or should I leave it as "none"?

If I want the firebrick to have a real IP address (i.e. NOT stealth), do
I have to set up proxy ARP? If so, does that need 2 routing rules (one
for each direction)? How do I do it correctly?
--
David Mahon
Carl Hibbard
2005-10-22 06:46:05 UTC
Post by David Mahon
1) Set up firebrick with 2 LAN segments (one public, one private)
2) Set up private LAN, use mapping to map 3 addresses in both directions
Which is the best option?
The older example setups are still not bad in case you have not seen
them:-

http://www.firebrick.co.uk/wf1730/example/ex04.html
Post by David Mahon
Whilst looking at this, I set up my network to use the same network on
the WAN and LAN interfaces instead of the "proper" router setup with
different subnets on each interface.
Do I have to set up a gateway, or should I leave it as "none"?
If I want the firebrick to have a real IP address (i.e. NOT stealth), do
I have to set up proxy ARP? If so, does that need 2 routing rules (one
for each direction)? How do I do it correctly?
http://www.firebrick.co.uk/wf1730/example/ex03.html

HTH
David Mahon
2005-10-22 09:51:33 UTC
Post by Carl Hibbard
Post by David Mahon
1) Set up firebrick with 2 LAN segments (one public, one private)
2) Set up private LAN, use mapping to map 3 addresses in both directions
Which is the best option?
The older example setups are still not bad in case you have not seen
them:-
http://www.firebrick.co.uk/wf1730/example/ex04.html
I had been looking for those, although port mapping itself is not appropriate
as he has 2 servers, both of which require multiple ports let through (and
the same ports in some cases).

So - address mapping or multiple subnets? Which would be best?
Post by Carl Hibbard
Post by David Mahon
Whilst looking at this, I set up my network to use the same network on
the WAN and LAN interfaces instead of the "proper" router setup with
different subnets on each interface.
Do I have to set up a gateway, or should I leave it as "none"?
If I want the firebrick to have a real IP address (i.e. NOT stealth), do
I have to set up proxy ARP? If so, does that need 2 routing rules (one
for each direction)? How do I do it correctly?
http://www.firebrick.co.uk/wf1730/example/ex03.html
Thanks. That one's fine. Looks like I just use the stealth setup but add in
the router's address as gateway to allow it to gain an IP (so I can access
it). Just tested it on my setup and it works fine. I might leave mine like
this.

I can leave the DHCP server for him on the router, so no need for proxy ARP.
--
David Mahon
Reply to ***@amigo.co.uk
Carl Hibbard
2005-10-22 10:12:01 UTC
Post by David Mahon
Post by Carl Hibbard
http://www.firebrick.co.uk/wf1730/example/ex04.html
I had been looking for those, although port mapping itself is not appropriate
as he has 2 servers, both of which require multiple ports let through (and
the same ports in some cases).
Not sure why just port mapping isn't fine?
Post by David Mahon
Post by Carl Hibbard
http://www.firebrick.co.uk/wf1730/example/ex03.html
Thanks. That one's fine. Looks like I just use the stealth setup but add in
the router's address as gateway to allow it to gain an IP (so I can access
it). Just tested it on my setup and it works fine. I might leave mine like
this.
I can leave the DHCP server for him on the router, so no need for proxy ARP.
I prefer the PCs to use gateway and DNS from the router but as the
example says you can use the brick as well
David Mahon
2005-10-22 13:59:18 UTC
Post by Carl Hibbard
Post by David Mahon
Post by Carl Hibbard
http://www.firebrick.co.uk/wf1730/example/ex04.html
I had been looking for those, although port mapping itself is not appropriate
as he has 2 servers, both of which require multiple ports let through (and
the same ports in some cases).
Not sure why just port mapping isn't fine?
Because about 20 different ports would need mapping. And how would I map
port 22/25/80/443 to two different servers (without using unusually numbered
ports)?
--
David Mahon
Reply to ***@amigo.co.uk
Carl Hibbard
2005-10-22 15:56:09 UTC
Post by David Mahon
Post by Carl Hibbard
Post by David Mahon
Post by Carl Hibbard
http://www.firebrick.co.uk/wf1730/example/ex04.html
I had been looking for those, although port mapping itself is not appropriate
as he has 2 servers, both of which require multiple ports let through (and
the same ports in some cases).
Not sure why just port mapping isn't fine?
Because about 20 different ports would need mapping. And how would I map
port 22/25/80/443 to two different servers (without using unusually numbered
ports)?
Sorry only half noticed the "same ports" cases

If it is possible to increase the number of IPs then I would go to 32
and give the whole lot real addresses and stop all the messing about
since that works so well with a brick using the example three scenario
David Mahon
2005-10-22 17:37:05 UTC
Post by Carl Hibbard
Post by David Mahon
Post by Carl Hibbard
Post by David Mahon
Post by Carl Hibbard
http://www.firebrick.co.uk/wf1730/example/ex04.html
I had been looking for those, although port mapping itself is not appropriate
as he has 2 servers, both of which require multiple ports let through (and
the same ports in some cases).
Not sure why just port mapping isn't fine?
Because about 20 different ports would need mapping. And how would I map
port 22/25/80/443 to two different servers (without using unusually numbered
ports)?
Sorry only half noticed the "same ports" cases
If it is possible to increase the number of IPs then I would go to 32
and give the whole lot real addresses and stop all the messing about
since that works so well with a brick using the example three scenario
Would be nice, but he's only got 8 IPs (5 usable). I suggested AAISP initially
but the bandwidth limit was too much of a constraint.
--
David Mahon
Reply to ***@amigo.co.uk
Ben Mack
2005-10-24 09:45:51 UTC
In article <435a45b6$***@news.amigo.co.uk>, David Mahon <***@amigo.co.uk>
writes
Post by David Mahon
Post by Carl Hibbard
Post by David Mahon
Post by Carl Hibbard
http://www.firebrick.co.uk/wf1730/example/ex04.html
I had been looking for those, although port mapping itself is not appropriate
as he has 2 servers, both of which require multiple ports let through (and
the same ports in some cases).
Not sure why just port mapping isn't fine?
Because about 20 different ports would need mapping. And how would I map
port 22/25/80/443 to two different servers (without using unusually numbered
ports)?
Port Mapping is maybe a bit of a misnomer on the FireBrick - it can also
be used for address mapping, e.g. all incoming traffic to public address
1 gets mapped to internal address 10.0.0.1, all to public address 2
mapped to 10.0.0.2, etc.

And don't forget Port Groups are your friend... ;-)
--
Ben Mack
Watchfront Electronics - Bespoke R&D - http://www.watchfront.co.uk/
Watchfront Internet - ADSL, Colo - http://www.watchfront.net/
Are you bricking it? - Firewalls - http://www.firebrick.co.uk/
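To make Ben's point concrete (whole-address mapping rather than per-port mapping, so two servers can each expose 22/25/80/443 on their own public address, with a port group limiting what each one exposes), here is a small model written for this thread. It is not FireBrick code; the public addresses 203.0.113.1/.2 (RFC 5737 documentation range), the private addresses 10.0.0.1/.2 from Ben's example, the port groups and the packet contents are all constructed for the illustration.

```python
"""Model of 1:1 address mapping (the brick's 'port mapping' applied to whole
addresses) plus a per-server port group.  Constructed example, not FireBrick code."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed address plan: two public addresses, each mapped to one private
# server behind the brick.  Both servers can listen on the same port numbers
# because the mapping is keyed on the destination address, not the port.
ADDRESS_MAP = {
    "203.0.113.1": "10.0.0.1",
    "203.0.113.2": "10.0.0.2",
}
REVERSE_MAP = {priv: pub for pub, priv in ADDRESS_MAP.items()}

# Port groups (constructed): the services each server is allowed to expose.
PORT_GROUPS = {
    "10.0.0.1": frozenset({22, 25, 80, 443}),
    "10.0.0.2": frozenset({22, 25, 80, 443, 993}),
}


def inbound(pkt):
    """WAN -> LAN: rewrite the public destination to the private server.
    Returns the translated packet, or None if the packet is dropped."""
    priv = ADDRESS_MAP.get(pkt.dst)
    if priv is None:
        return None  # not one of the mapped public addresses
    if pkt.dport not in PORT_GROUPS[priv]:
        return None  # service not in this server's port group
    return replace(pkt, dst=priv)


def outbound(pkt):
    """LAN -> WAN: rewrite the private source back to its public address so
    the reply leaves with the address the client originally connected to."""
    pub = REVERSE_MAP.get(pkt.src)
    if pub is None:
        return None  # unmapped private host; it would use the NAT pool instead
    return replace(pkt, src=pub)


def round_trip(pkt):
    """Deliver a request inbound and translate the server's reply back out.
    Returns the reply as the client sees it, or None if the request was dropped."""
    delivered = inbound(pkt)
    if delivered is None:
        return None
    reply = Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport)
    return outbound(reply)


if __name__ == "__main__":
    # Constructed client 198.51.100.7 reaches SSH on both servers by address.
    for public in ADDRESS_MAP:
        print(public, "->", inbound(Packet("198.51.100.7", 40000, public, 22)))
```

The model also shows why the reverse rule matters: a reply that left with the private 10.0.0.x source would never be associated with the client's connection, so `outbound` restores the public address before the packet reaches the WAN.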
David Mahon
2005-10-24 12:40:26 UTC
Post by Ben Mack
Post by David Mahon
Because about 20 different ports would need mapping. And how would I map
port 22/25/80/443 to two different servers (without using unusually numbered
ports)?
Port Mapping is maybe a bit of a misnomer on the FireBrick - it can also
be used for address mapping, e.g. all incoming traffic to public address
1 gets mapped to internal address 10.0.0.1, all to public address 2
mapped to 10.0.0.2, etc.
That's what I meant in my original question of address mapping or two
separate networks [which I see you've answered in another message].
Post by Ben Mack
And don't forget Port Groups are your friend... ;-)
Oh, I use plenty of those, I am sure I will set them up for him if he
decides to go the firebrick route (no pun intended).
--
David Mahon
Ben Mack
2005-10-24 10:00:34 UTC
Post by David Mahon
OK, I've just spent a while swearing whilst reconfiguring my network as
a bit of a study, to see if a firebrick would help a friend with his.
1) Static block of 8 IPs (5 usable)
2) 3 servers
3) 10-16 computers, using DHCP and NAT
1) Set up firebrick with 2 LAN segments (one public, one private)
2) Set up private LAN, use mapping to map 3 addresses in both directions
Which is the best option?
I guess it is largely down to personal opinion. I favour option 1), as I
prefer to see public facing servers on their actual public addresses
rather than using address mapping, especially as some apps get upset by
NAT

If you go with 1), I'd suggest using the brick as the gateway for all
your machines, so traffic between machines on different LAN subnets gets
routed by the brick, and doesn't have to go to the WAN router and back
Post by David Mahon
If I want the firebrick to have a real IP address (i.e. NOT stealth), do
I have to set up proxy ARP? If so, does that need 2 routing rules (one
for each direction)? How do I do it correctly?
Although ex03 that Carl pointed you to does use stealth and a real
address for the brick, I personally prefer to use proxy ARP routing
rules for this. Yes you do need 2 rules, e.g. for public addresses
1.1.1.0/29, put WAN router on .6, FB on .5 (both LAN and WAN subnets),
LAN machines on .1-4,
Routing Rule 1 - traffic from LAN to .6, send to WAN and proxy ARP
Routing Rule 2 - traffic from WAN to .1-4, send to LAN and proxy ARP
--
Ben Mack
Watchfront Electronics - Bespoke R&D - http://www.watchfront.co.uk/
Watchfront Internet - ADSL, Colo - http://www.watchfront.net/
Are you bricking it? - Firewalls - http://www.firebrick.co.uk/
Carl Hibbard
2005-10-24 12:14:46 UTC
On Mon, 24 Oct 2005 11:00:34 +0100, Ben Mack
Post by Ben Mack
Although ex03 that Carl pointed you to does use stealth and a real
address for the brick, I personally prefer to use proxy ARP routing
rules for this. Yes you do need 2 rules, e.g. for public addresses
1.1.1.0/29, put WAN router on .6, FB on .5 (both LAN and WAN subnets),
LAN machines on .1-4,
Routing Rule 1 - traffic from LAN to .6, send to WAN and proxy ARP
Routing Rule 2 - traffic from WAN to .1-4, send to LAN and proxy ARP
Interesting...

When you have time how about the possibility of adding several common
example setups to the web site since that would really help

Thanks
Andrew Hodgson
2005-10-30 23:23:25 UTC
Post by Carl Hibbard
On Mon, 24 Oct 2005 11:00:34 +0100, Ben Mack
Post by Ben Mack
Although ex03 that Carl pointed you to does use stealth and a real
address for the brick, I personally prefer to use proxy ARP routing
rules for this. Yes you do need 2 rules, e.g. for public addresses
1.1.1.0/29, put WAN router on .6, FB on .5 (both LAN and WAN subnets),
LAN machines on .1-4,
Routing Rule 1 - traffic from LAN to .6, send to WAN and proxy ARP
Routing Rule 2 - traffic from WAN to .1-4, send to LAN and proxy ARP
Interesting...
When you have time how about the possibility of adding several common
example setups to the web site since that would really help
Yes, for example it doesn't look at the setup which I read about in
several firewall books I have got - that is the firewall acts as the
router and has a subnet which is on the firewall and a subnet not on
the firewall, and it sits on both subnets. This example was one of
the options in the now defunct wizard.

Andrew.
--
Andrew Hodgson in Bromyard, Herefordshire, UK.
My Email: use <andrew at hodgsonfamily dot org>.
David Mahon
2005-10-24 12:43:42 UTC
Post by Ben Mack
Post by David Mahon
OK, I've just spent a while swearing whilst reconfiguring my network as
a bit of a study, to see if a firebrick would help a friend with his.
1) Static block of 8 IPs (5 usable)
2) 3 servers
3) 10-16 computers, using DHCP and NAT
1) Set up firebrick with 2 LAN segments (one public, one private)
2) Set up private LAN, use mapping to map 3 addresses in both directions
Which is the best option?
I guess it is largely down to personal opinion. I favour option 1), as I
prefer to see public facing servers on their actual public addresses
rather than using address mapping, especially as some apps get upset by
NAT
If you go with 1), I'd suggest using the brick as the gateway for all
your machines, so traffic between machines on different LAN subnets gets
routed by the brick, and doesn't have to go to the WAN router and back
The brick, router (gateway) and the servers all have to be on the same
network as the ISP uses the same IP on the WAN/LAN segment of the router
and will only give one IP block.
Post by Ben Mack
Post by David Mahon
If I want the firebrick to have a real IP address (i.e. NOT stealth), do
I have to set up proxy ARP? If so, does that need 2 routing rules (one
for each direction)? How do I do it correctly?
Although ex03 that Carl pointed you to does use stealth and a real
address for the brick, I personally prefer to use proxy ARP routing
rules for this. Yes you do need 2 rules, e.g. for public addresses
1.1.1.0/29, put WAN router on .6, FB on .5 (both LAN and WAN subnets),
LAN machines on .1-4,
Routing Rule 1 - traffic from LAN to .6, send to WAN and proxy ARP
Routing Rule 2 - traffic from WAN to .1-4, send to LAN and proxy ARP
Thanks.
--
David Mahon
Andrew Hodgson
2005-10-30 23:21:30 UTC
Post by David Mahon
OK, I've just spent a while swearing whilst reconfiguring my network as
a bit of a study, to see if a firebrick would help a friend with his.
1) Static block of 8 IPs (5 usable)
2) 3 servers
3) 10-16 computers, using DHCP and NAT
1) Set up firebrick with 2 LAN segments (one public, one private)
This is the way I have a private bit on my network.
Post by David Mahon
2) Set up private LAN, use mapping to map 3 addresses in both directions
However this has the advantage of allowing internal users to show up
correctly in the log, and not using the single public address for the
NAT. If one of those servers for example is a domain controller, it
may be better to do option 2 whilst allowing the FB to map one of the
public addresses to one of the internal addresses.
Post by David Mahon
Whilst looking at this, I set up my network to use the same network on
the WAN and LAN interfaces instead of the "proper" router setup with
different subnets on each interface.
Do I have to set up a gateway, or should I leave it as "none"?
If I want the firebrick to have a real IP address (i.e. NOT stealth), do
I have to set up proxy ARP? If so, does that need 2 routing rules (one
for each direction)? How do I do it correctly?
I was just under the impression you could do this through the subnets
setup interface - I don't believe you need proxy ARP at all? You can
then use either the router or the brick as the gateway address,
although if you are having additional subnets set up on the brick you
should use this to avoid problems.

Andrew.
--
Andrew Hodgson in Bromyard, Herefordshire, UK.
My Email: use <andrew at hodgsonfamily dot org>.
Ben Mack
2005-10-31 10:00:28 UTC
Post by Andrew Hodgson
Post by David Mahon
Whilst looking at this, I set up my network to use the same network on
the WAN and LAN interfaces instead of the "proper" router setup with
different subnets on each interface.
Do I have to set up a gateway, or should I leave it as "none"?
Unless in stealth mode, the brick should always have a default gateway
Post by Andrew Hodgson
Post by David Mahon
If I want the firebrick to have a real IP address (i.e. NOT stealth), do
I have to set up proxy ARP? If so, does that need 2 routing rules (one
for each direction)? How do I do it correctly?
I was just under the impression you could do this through the subnets
setup interface - I don't believe you need proxy ARP at all? You can
then use either the router or the brick as the gateway address,
although if you are having additional subnets set up on the brick you
should use this to avoid problems.
You don't need proxy ARP to give the brick a real address

However you *do* need proxy ARP (or stealth routing) if you want the
same subnet on each side of the brick, otherwise how can a device on,
say, the LAN, talk to a device in the same subnet on the WAN?

HTH
--
Ben Mack
Watchfront Electronics - Bespoke R&D - http://www.watchfront.co.uk/
Watchfront Internet - ADSL, Colo - http://www.watchfront.net/
Are you bricking it? - Firewalls - http://www.firebrick.co.uk/
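Ben's two posts here (the 1.1.1.0/29 plan with a routing rule per direction, and the later point that the same subnet on both sides of the brick only works with proxy ARP or stealth) can be checked with the following model, written for this thread and not taken from FireBrick. It uses Ben's example addresses (router .6 on the WAN, brick .5 on both sides, hosts .1-.4 on the LAN); which segment each address physically sits on, and the representation of a routing rule as (ingress, destination set, egress, proxy ARP flag), are my assumptions. It goes one step beyond the posts by also showing what happens with only one of the two rules.

```python
"""Model of one public /29 on both sides of the brick, with one routing rule per
direction.  Added example for this thread, not FireBrick code; the interface
names, rule tuples and segment layout are assumptions."""
import ipaddress

SUBNET = ipaddress.ip_network("1.1.1.0/29")  # Ben's example block

# Which physical segment each address actually sits on (assumed layout).
SEGMENT = {
    "1.1.1.1": "LAN", "1.1.1.2": "LAN", "1.1.1.3": "LAN", "1.1.1.4": "LAN",
    "1.1.1.6": "WAN",  # the WAN router
}
BRICK = "1.1.1.5"      # present on both LAN and WAN


def rules(proxy_arp=True):
    """Routing rules as (ingress interface, destination set, egress, proxy ARP)."""
    lan_hosts = {str(ip) for ip in SUBNET.hosts() if str(ip) not in (BRICK, "1.1.1.6")}
    return [
        ("LAN", {"1.1.1.6"}, "WAN", proxy_arp),  # Rule 1: LAN -> router
        ("WAN", lan_hosts, "LAN", proxy_arp),    # Rule 2: WAN -> LAN hosts
    ]


def arp_answered(segment, target, ruleset):
    """Does anyone on `segment` answer an ARP request for `target`?"""
    if SEGMENT.get(target) == segment or target == BRICK:
        return True  # the real owner (or the brick itself) is on this wire
    for ingress, dsts, _egress, proxy in ruleset:
        if proxy and ingress == segment and target in dsts:
            return True  # the brick answers on the owner's behalf
    return False


def forwarded_to(segment, target, ruleset):
    """Egress interface the brick forwards to, or None if no rule matches."""
    for ingress, dsts, egress, _proxy in ruleset:
        if ingress == segment and target in dsts:
            return egress
    return None


def reachable(src, dst, ruleset):
    """One-way delivery.  Because src and dst share a subnet, src ARPs for dst
    directly on its own wire instead of asking a gateway; the brick must then
    forward the frame to dst's segment."""
    seg = SEGMENT[src]
    if not arp_answered(seg, dst, ruleset):
        return False  # ARP times out: dst is not on this wire and nobody proxies
    if dst == BRICK or SEGMENT[dst] == seg:
        return True   # same wire, no forwarding needed
    return forwarded_to(seg, dst, ruleset) == SEGMENT[dst]


def conversation(a, b, ruleset):
    """A TCP session needs packets to flow in both directions."""
    return reachable(a, b, ruleset) and reachable(b, a, ruleset)


if __name__ == "__main__":
    print("both rules, proxy ARP:", conversation("1.1.1.1", "1.1.1.6", rules()))
    print("both rules, no proxy :", conversation("1.1.1.1", "1.1.1.6", rules(False)))
    print("rule 1 only          :", conversation("1.1.1.1", "1.1.1.6", rules()[:1]))
```

With proxy ARP off, the LAN host's ARP request for .6 simply goes unanswered, which is Ben's "how can a device on the LAN talk to a device in the same subnet on the WAN?"; with only Rule 1, the LAN host reaches the router but the router's ARP for the LAN host on the WAN side is never answered, so no session completes. That is why the two rules, one per direction, are both needed.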
Andrew Hodgson
2005-10-31 18:22:35 UTC
On Mon, 31 Oct 2005 10:00:28 +0000, Ben Mack
Post by Ben Mack
Post by Andrew Hodgson
Post by David Mahon
Whilst looking at this, I set up my network to use the same network on
the WAN and LAN interfaces instead of the "proper" router setup with
different subnets on each interface.
Do I have to set up a gateway, or should I leave it as "none"?
Unless in stealth mode, the brick should always have a default gateway
Post by Andrew Hodgson
Post by David Mahon
If I want the firebrick to have a real IP address (i.e. NOT stealth), do
I have to set up proxy ARP? If so, does that need 2 routing rules (one
for each direction)? How do I do it correctly?
I was just under the impression you could do this through the subnets
setup interface - I don't believe you need proxy ARP at all? You can
then use either the router or the brick as the gateway address,
although if you are having additional subnets set up on the brick you
should use this to avoid problems.
You don't need proxy ARP to give the brick a real address
However you *do* need proxy ARP (or stealth routing) if you want the
same subnet on each side of the brick, otherwise how can a device on,
say, the LAN, talk to a device in the same subnet on the WAN?
Yes, sorry about that - read the question again!

Andrew.
--
Andrew Hodgson in Bromyard, Herefordshire, UK.
My Email: use <andrew at hodgsonfamily dot org>.