On 2011/01/25 11:30, Brian Keefer wrote:
> I'm embarrassed to ask such a simple question. Since 3.4 I've
> been running PF firewalls, but mostly for very small networks with
> 32 or fewer external addresses. I always assigned my external IPs
> to my external interface and then did NAT or bi-NAT.
>
> Now I'm building firewalls for much larger networks with /25 of
> external IPs. They will all be either static or dynamic NAT, so
> proxy-ARP doesn't seem like the way to go. Do I absolutely have
> to assign all these addresses to the external interface in order
> to use them for nat-to/binat-to, or can I simply have the upstream
> router set a route to one IP that I assign to the external interface
> (this is done already) and PF will be able to handle the translations?
This will work fine; there is no need to answer ARP for these addresses if you have already arranged for the traffic to reach the firewall.
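As an added illustration (not part of the original thread), here is what the routed setup Brian describes looks like in pf.conf: the external interface carries only a link-net address, the upstream router has a static route for the public block pointing at that address, and nat-to/binat-to use addresses from the block without any of them being configured on an interface. The interface names, the 198.51.100.0/30 link net, the 203.0.113.0/25 public block and the 10.0.0.0/24 internal network are assumptions chosen for the example.

```conf
# /etc/pf.conf (OpenBSD 4.7 or later nat-to/binat-to syntax).
# Assumed topology, not taken from the thread:
#   em0  198.51.100.2/30  link net to the upstream router; this is the ONLY
#                         address configured on the external interface
#   em1  10.0.0.1/24      internal network
#   203.0.113.0/25        public block; the upstream router has a static
#                         route for it with next hop 198.51.100.2, so none
#                         of these addresses is assigned to any interface
ext_if  = "em0"
int_if  = "em1"
int_net = "10.0.0.0/24"

# Dynamic NAT: outbound clients are sourced from a /29 carved out of the
# routed block. source-hash keeps a given client on one public address.
nat_pool = "203.0.113.8/29"

# Static (1:1) NAT for an internal server, also from the routed block.
srv_int = "10.0.0.10"
srv_ext = "203.0.113.10"

set skip on lo
block log all

match out on $ext_if from $int_net nat-to $nat_pool source-hash
match on $ext_if from $srv_int to any binat-to $srv_ext

# Translation is applied when the match rule is evaluated, so the filter
# rules that follow see the translated addresses: inbound packets for
# $srv_ext already carry $srv_int as destination here.
pass in on $ext_if proto tcp to $srv_int port { 80 443 }
pass out on $ext_if inet
pass in on $int_if from $int_net
pass out on $int_if
```

Forwarding must be on (`sysctl net.inet.ip.forwarding=1`), and the ruleset should be checked with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`. To confirm the routed addresses are actually being used, watch `pfctl -s state` for entries whose translated side is in 203.0.113.0/25, and `tcpdump -ni em0` for inbound packets addressed to the block arriving with the upstream router's MAC as the source; if the upstream instead treats the /25 as directly attached to the link net, packets never arrive and proxy-ARP (or assigning the addresses) would be required after all.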