On Jan 25, 2011, at 12:15 PM, Karl O. Pinc wrote:

> On 01/25/2011 01:30:45 PM, Brian Keefer wrote:
>>
>> Now I'm building firewalls for much larger networks with /25 of
>> external IPs. They will all be either static or dynamic NAT, so
>> proxy-ARP doesn't seem like the way to go. Do I absolutely have to
>> assign all these addresses to the external interface in order to use
>> them for nat-to/binat-to, or can I simply have the upstream router set
>> a route to one IP that I assign to the external interface (this is
>> done already) and PF will be able to handle the translations?
>
> You should expect the ISP to route. (On their DSL lines, at least
> here, they often bridge, which is why you must fuss about with
> ARP.)
>
> Of course, it all depends on how the ISP does it.
In this case the upstream router is maintained by our ops team and it is indeed routing (they wanted me to give them an IP to act as the gateway). So as I understand it, I should be OK to only assign a single IP (the one that the router has set its route to for my subnet) and PF will handle the rest. Someone correct me if I'm horribly wrong there.

-- 
bk
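As an added illustration of the setup discussed above (not a configuration from anyone in this thread), the following pf.conf fragment assumes OpenBSD's nat-to/binat-to syntax, a routed /25 from the upstream, and constructed documentation-range addresses: only the gateway address is configured on the external interface, while the translated addresses exist solely in the translation rules and are reachable because the upstream router sends the whole block to that gateway address.

```pf
# Constructed example; interface names and addresses are assumptions.
ext_if    = "em0"
int_if    = "em1"

# The one address actually configured on $ext_if and used by the
# upstream router as the next hop for the routed /25.
ext_gw_ip = "203.0.113.1"

# Translated public address: NOT configured on $ext_if. Traffic for it
# arrives because the upstream routes the block to $ext_gw_ip.
web_pub   = "203.0.113.10"
web_priv  = "192.168.10.10"
lan_net   = "192.168.10.0/24"

# Static 1:1 (bidirectional) mapping for the web server.
# binat-to rules carry no direction; pf applies both directions.
match on $ext_if from $web_priv to any binat-to $web_pub

# Dynamic NAT for the rest of the LAN behind the interface's own address.
match out on $ext_if from $lan_net to any nat-to $ext_gw_ip

# Filtering still applies, and it sees the post-translation addresses:
# inbound packets for $web_pub match on $web_priv here.
block in on $ext_if
pass  in on $ext_if proto tcp to $web_priv port { 80 443 }
pass  out on $ext_if
```

A quick check that the translation is in effect without assigning $web_pub to the interface is `pfctl -s state` while a connection to 203.0.113.10 is open; if the state entry never appears, the upstream is not routing the block to $ext_gw_ip (the bridged case the reply mentions) and proxy-ARP would be needed instead.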