proxy ARPing - was Re: [Wylug-help] Possible IP subnet conflict

Gary Stainburn gary.stainburn at ringways.co.uk
Tue, 14 Jan 2003 13:30:14 +0000


On Tuesday 14 Jan 2003 12:21 pm, John Hodrien wrote:
> On Tue, 14 Jan 2003, Gary Stainburn wrote:
> > I'm just about to set up a test system to try this out.
> >
> > I'm going to have a Linux box on my network with IP address 10.1.1.20/16
> > on eth0.
> >
> > It's going to have IP address 192.168.1.1/24 on eth1 connected via a
> > cross-over to another Linux box pretending to be a pair of Cisco routers,
> > then via another cross-over to a destination host on 10.1.0.34 pretending
> > to be their web server.
> >
> > Questions:
> >
> > Which kernel version did you use?
>
> 2.4.18-19.7.x (Redhat 7.3)
>
> > How do I set up the ARP proxying for 10.1.0.x?
>
> in /etc/sysctl.conf:
>
> net.ipv4.ip_forward = 1
> net.ipv4.conf.eth0.proxy_arp = 1
>
> eth0 is the outside world in my case, and eth1 is my enclosed subnet.  ARP
> proxying has nothing to do with IP, since it's lower level.  It just echoes
> arp-requests and the like from one interface to another.  Otherwise when
> someone is looking for a machine behind your firewall thang, no one will
> reply. The request has to be passed to the inside so that they can reply.
>
> > How can I NAT the traffic for 10.1.0.x and route it through the cisco box
> > while not stuffing the rest of the 10.1.x.x network on eth0?
>
> Shouldn't need to be NATted I don't think.  I'm somewhat confused by the
> network description.  Can you do it again for my befuddled mind?
>
> > (I need the traffic NATing so that the other end knows to return the
> > traffic to my box)?
>
> There's not necessarily any need to NAT.  I'm certainly not.
>
> > Is this something I can configure into a Smoothwall/IPCOPs style
> > distribution or do I need a cut-down RH dist for the job?
>
> Assume you can do it with whatever, I just happened to have a RedHat box
> doing nothing useful.
>
> Sorry for that gibber, I've been a tad vague.
>
> jh

John,

here's a description of what I'm looking at:

Basically, I've got a subnet 10.1.0.0/16 at Leeds with other 10. subnets
dotted about - all this works fine using standard IP routing.

On this network I have a linux box on 10.1.1.20 which will sit between us and
a Cisco router.  This link will use IP addresses 192.168.1.1 and 192.168.1.2.
The cisco will be connected via an ISDN line to another Cisco, which in turn
will be connected to what is effectively a VPN hub.  A number of service
providers will be connecting to the same hub, and therefore be available to
us.

One of these service providers is using the 10.1.0.x/24 subnet and I
need to be able to access web hosts on that subnet from my network.

I don't think that simply proxying the ARP will work in this instance, as the
ARP won't be any good.  I think that what I actually need to do is have my
firewall SPOOF the ARP by responding to ARP requests for the appropriate IP
addresses. In other words, ARP requests for 10.1.1.20, 10.1.0.34 etc., to all
be responded to by the firewall with its own MAC address.

Then once the individual ARPs have been dealt with and IP traffic is going to
the firewall, I need to then forward that IP to the CISCO.  I need to NAT the
traffic because the people at the other end only want to see a single IP
address.
--
Gary Stainburn

This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
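The setup Gary describes at the end of the message (the firewall answering ARP for selected 10.1.0.x hosts with its own MAC, forwarding to the Cisco link and SNATing to one address) can be done with per-host proxy ARP entries rather than `proxy_arp = 1` on eth0, which keeps the firewall from claiming every address it routes elsewhere and so avoids clashing with hosts that really live in the local 10.1.x.x range. The script below is an added example, not code from the thread; it assumes the interface names and addresses given in the message, and a hypothetical `DRY_RUN` switch that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): publish proxy-ARP entries for chosen
# hosts of the provider's 10.1.0.x/24 on the LAN side and SNAT forwarded
# traffic toward the Cisco link. DRY_RUN=1 (the default) only prints commands.

DRY_RUN="${DRY_RUN:-1}"
OUTSIDE_IF=eth0        # LAN side, 10.1.1.20/16
INSIDE_IF=eth1         # cross-over link to the Cisco, 192.168.1.1/24
NEXT_HOP=192.168.1.2   # the Cisco end of that link (assumed)
SNAT_ADDR=192.168.1.1  # the single address the far end wants to see

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# For each published host:
#   1. install a /32 route out of the inside interface; the kernel only
#      answers ARP for a proxy entry when the route to that address leaves
#      through a different interface than the request arrived on, and the
#      host route beats the connected 10.1.0.0/16 on eth0 for that one address;
#   2. add a proxy-ARP entry on eth0, so only the listed addresses are
#      answered with the firewall's MAC instead of everything proxy_arp=1
#      would cover (ip_forward must be on in either case).
# Finally SNAT everything forwarded toward the Cisco so replies return here.
publish_hosts() {
    run sysctl -w net.ipv4.ip_forward=1
    for host in "$@"; do
        run ip route replace "$host/32" via "$NEXT_HOP" dev "$INSIDE_IF"
        run ip neigh add proxy "$host" dev "$OUTSIDE_IF"
    done
    run iptables -t nat -A POSTROUTING -o "$INSIDE_IF" -j SNAT --to-source "$SNAT_ADDR"
}

publish_hosts 10.1.0.34
```

Run with `DRY_RUN=0` as root to apply; `ip neigh show proxy` lists the entries the box will answer for, which is the thing to check when a "subnet conflict" is suspected.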