proxy ARPing - was Re: [Wylug-help] Possible IP subnet conflict
Nigel Metheringham
Nigel.Metheringham at dev.InTechnology.co.uk
19 Dec 2002 11:57:34 +0000
On Thu, 2002-12-19 at 11:40, Gary Stainburn wrote:
> On Thursday 19 Dec 2002 11:22 am, Nigel Metheringham wrote:
> > On Thu, 2002-12-19 at 11:01, Gary Stainburn wrote:
> > > Hi Folks,
> > >
> > > one possible solution I've thought of for this problem is proxy ARPing.
> > > Would it be possible to get the Linux firewall respond to ARP requests
> > > for the remote 10.1.0.x IP addresses, and then get it to forward them to
> > > the remote end. In this way, there would be no need to change any
> > > routing information.
> >
> > That certainly can be done - and I have done it - but only for single IP
> > addresses. You would need to put a full set (ie up to 255) arp entries
> > into the table - probably not a problem, but get any bigger and it would
> > be.
> >
> > Nigel.
>
> Thanks for that Nigel, I think that there's actually only a few IP addresses
> used so it won't be too bad.
>
> Any clues as to how to do it?
On looking at the man page for arp you get this:-
-s hostname hw_addr, --set hostname
Manually create an ARP address mapping entry for host hostname
with hardware address set to hw_addr class, but for most classes
one can assume that the usual presentation can be used. For the
Ethernet class, this is 6 bytes in hexadecimal, separated by
colons. When adding proxy arp entries (that is those with the
publish flag set a netmask may be specified to proxy arp for
entire subnets. This is not good practice, but is supported by
older kernels because it can be useful. If the temp flag is not
supplied entries will be permanent stored into the ARP cache.
NOTE: As of kernel 2.2.0 it is no longer possible to set an ARP
entry for an entire subnet. Linux instead does automagic proxy
arp when a route exists and it is forwarding. See arp(7) for
details.
So actually that looks as though you can just set up a route, and on
your internal network interface set up proxy arp - so do something
like:-
sysctl -w net.ipv4.conf.eth0.proxy_arp=1
and in theory it should "just work"
If the default route for the network goes through that box then it will
proxy arp for *everything* not on the local network which may be
awkward.
Nigel.
--
[ Nigel Metheringham Nigel.Metheringham@InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
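The setup sketched in the reply (a route to the remote 10.1.0.x subnet plus proxy_arp on the internal interface), together with a check for the default-route caveat, as an added example that is not part of the original thread. It only prints the commands rather than applying them; the interface names, the 192.168.x addresses, the route table text and the use of `ip route` are constructed assumptions, not values from the list post.

```shell
#!/bin/sh
# Added example, not from the original thread. Plans the proxy-ARP setup the
# reply describes and checks the caveat it raises: with proxy_arp on, the box
# answers ARP on that interface for any address it would route out a different
# interface, so a default route via another interface means it answers for
# everything. Interface names and addresses below are constructed placeholders.

# Print (do not run) the commands for proxying subnet $2 on interface $1,
# with the subnet reached through gateway $3. Pipe into sh as root once checked.
proxy_arp_plan() {
    iface=$1; subnet=$2; via=$3
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$iface"
    printf 'ip route add %s via %s\n' "$subnet" "$via"
}

# Read `ip route show` output on stdin. Return 0 (and print the route) if a
# default route leaves via an interface other than $1: proxy ARP on $1 would
# then answer for every non-local address. Return 1 if it is safe.
proxy_arp_answers_everything() {
    iface=$1
    while read -r dst rest; do
        [ "$dst" = default ] || continue
        case " $rest " in
            *" dev $iface "*) ;;   # default route out the same interface: not proxied
            *" dev "*) printf 'default %s\n' "$rest"; return 0 ;;
        esac
    done
    return 1
}

# Constructed route table of a two-interface box: eth0 internal, eth1 towards
# the remote end, default route also via eth1.
ROUTES='default via 192.168.2.1 dev eth1
10.1.0.0/24 via 192.168.2.1 dev eth1
192.168.1.0/24 dev eth0 scope link src 192.168.1.1
192.168.2.0/24 dev eth1 scope link src 192.168.2.2'

demo() {
    if printf '%s\n' "$ROUTES" | proxy_arp_answers_everything eth0; then
        echo "warning: eth0 would proxy-ARP for every non-local address" >&2
    fi
    proxy_arp_plan eth0 10.1.0.0/24 192.168.2.1
}

demo
```

With the constructed table the check fires, because the default route leaves via eth1 while proxy ARP is being enabled on eth0; a box whose default route goes out eth0 itself (or that has no default route) passes the check, and only the 10.1.0.0/24 route is then proxied.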