23.08.2011 13:27, Janne Snabb wrote:
On Tue, 23 Aug 2011, Bartek W. aka Mastier wrote:

I completely don't see the point of using arp-proxy at all.
Can you enlighten me?

I do not know about the particular needs of the OP. I have not been
paying attention. Sorry if I misunderstood something.

But in real world:

  - The upstream router is often managed by the ISP and there might
    be no way to put a static route towards the firewall in that router.

In any case, if you want to use some globally routable IPs for whatever
purpose on your side, the ISP already has to configure a route for these IPs
toward your (customer) router. Typically, this is exactly a static route
(which is then distributed on the ISP's backbone using OSPF or the like).

If you build some intranet with NAT in some places, there are no changes,
but IP space.

  - The available external IP block may be too small to allow subnetting
    it to "outside of the firewall" and "inside of the firewall" networks.
    This is becoming more and more of an issue as the IPv4 address space
    has already run out but people have not migrated to IPv6.

You can use a small IP block on your internal LAN and use some of them on
the firewall itself, not on "outside of the firewall".

  - The IP addresses might have been previously assigned without thinking
    that there will be a firewall in future. Then later it is decided that a
    firewall is needed but it is not possible to renumber the IP addresses
    of every host (due to lack of budget, skills, documentation, etc).

A bridging firewall can solve this problem.

All of the above are very common situations in small to medium
businesses. Proxy ARP on the firewall solves all of them easily.
You just turn it on and everything works.

If your ISP and moreover the world doesn't know how to reach
IP v.x.y.z, proxy ARP will not help at all.

(Please do not misunderstand me: I am not saying that it is an
elegant solution. However in many cases it is the only practical
solution.)

--
Janne Snabb / EPIPE Communications
[email protected] - http://epipe.com/
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"


--
           Sincerely yours,
                            Artyom Viklenko.
-------------------------------------------------------
[email protected] | http://www.aws-net.org.ua/~artem
[email protected]   | JID: [email protected]
FreeBSD: The Power to Serve   -  http://www.freebsd.org