On 01/25/2011 01:30:45 PM, Brian Keefer wrote:
> I'm embarrassed to ask such a simple question.  Since 3.4 I've been
> running PF firewalls, but mostly for very small networks with 32 or
> fewer external addresses.  I always assigned my external IPs to my
> external interface and then did NAT or bi-NAT.
> 
> Now I'm building firewalls for much larger networks with /25 of
> external IPs.  They will all be either static or dynamic NAT, so
> proxy-ARP doesn't seem like the way to go.  Do I absolutely have to
> assign all these addresses to the external interface in order to use
> them for nat-to/binat-to, or can I simply have the upstream router set
> a route to one IP that I assign to the external interface (this is
> done already) and PF will be able to handle the translations?

You should expect the ISP to route.  (On their DSL lines, at least
here, they often bridge, which is why you must fuss about with
ARP.)

Of course, it all depends on how the ISP does it.




Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
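
The routed setup discussed in this thread, as an added pf.conf sketch that is not part of either message: it assumes the upstream router routes the /25 to the firewall's single external address, so none of the translation addresses are configured on an interface. Interface names and all addresses (RFC 5737 / RFC 1918 ranges) are constructed.

```pf
# Added example; every name and address here is a constructed assumption.
ext_if   = "em0"               # carries only the transit address, e.g. 192.0.2.2
int_if   = "em1"
lan      = "10.0.0.0/24"
srv_int  = "10.0.0.10"
srv_ext  = "198.51.100.10"     # inside the routed /25, not on any interface
nat_pool = "198.51.100.64/26"  # also inside the routed /25

set skip on lo
block all

# Static one-to-one translation for one server.
match on $ext_if from $srv_int to any binat-to $srv_ext

# Dynamic NAT for the rest of the LAN, spread across the pool.
# The server's packets already carry $srv_ext here, so they do not match.
match out on $ext_if inet from $lan to any nat-to $nat_pool source-hash

pass in  on $int_if inet from $lan
pass out on $ext_if inet
# Inbound filtering sees the translated (internal) destination.
pass in  on $ext_if inet proto tcp to $srv_int port 443

# Check syntax before loading:  pfctl -nf /etc/pf.conf
# Inspect translations in use:  pfctl -ss
```

If the upstream bridges instead of routing, it will ARP for each translated address and nothing will answer, which is the ARP case the reply mentions.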
