Proxy ARP and Routing

From: Crist Clark (Crist.Clark@globalstar.com)
Date: Thu Feb 15 2007 - 18:09:16 EST


A pretty common scenario I would imagine. We have
some CPE from our ISP connected to a firewall. We
have a small number of addresses from the ISP. It's
a /29 net. That's 6 usable IPs with one already used
by the CPE. We have a firewall (Check Point) with
Solaris underneath. We have hosts we'd like to give
public IP addresses, but put behind the firewall in
a DMZ. We do not want to wrangle with the ISP to get
special routing set up on the CPE.

Ideally, what we'd like to do is put the hosts with
the public IPs on the physical DMZ network. But how
to route the packets there? We of course need to proxy
ARP for the IP address on the firewall's external
interface. A simple,

        arp -s <ip> <fw-ext-mac> pub

addresses this. But once we do that, how do we get
packets to the host on the DMZ? The problem here
being that the host with <ip> is directly connected
on the DMZ interface. There is already a host with
that IP address in the ARP table so,

        route <ip> <dmz-int> -iface

on the firewall adds the route entry, but the firewall
won't ever try to look up <ip> since it already has
an entry for it. If I try to manually add an entry
for <ip>'s real MAC on the internal interface,

        arp -s <ip> <real-mac>

I just clobbered my proxy ARP for the external interface.

The problem here is that the Solaris ARP cache doesn't
seem to care about interfaces. I cannot tell it that
the same IP has different MAC addresses depending on
the interface in question. However, when I do an 'arp -a'
there is an interface field... what's that for? Is there
actually a way to sneak this info in? I don't see one
in the IOCTL API for ARP. Is there a way in the STREAMS
API?

Of course, the workaround is to put two IP addresses
on the machine on the DMZ, the public IP and some other
IP, public or RFC1918. Then I can put in a regular host
route,

        route <ip> <dmz-ip>

rather than the directly connected "-iface" route. However,
we have a case where the DMZ host is an appliance device
where we don't know how to configure or if it can support
multiple IP addresses on a single interface.

Note that doing NAT is a variation of the second, workaround
configuration. However, we are concerned that the protocols
that the DMZ host will be using won't play well with NAT
(proprietary VoIP).

--
Crist J. Clark                               crist.clark@globalstar.com
Globalstar Communications                                (408) 933-4387
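As an added example (not code from this post or from the sunmanagers list), the Python below decodes ARP replies captured on each firewall interface and keeps a table keyed by (interface, IP) rather than by IP alone, which is the per-interface view the post says the Solaris ARP cache does not offer. With that key, the public IP can legitimately resolve to the firewall's published external MAC on the outside and to the host's real MAC on the DMZ, while a second MAC claiming the same IP on the same interface is flagged. The interface names ext/dmz, the IPs (203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and the MACs (00:00:5e:00:53:xx documentation range) are constructed placeholders, and the frames are built inline as sample data, not captures.

```python
"""Per-interface ARP bookkeeping for the proxy-ARP-on-the-outside, real-host-
on-the-DMZ layout. All addresses and frames are constructed sample data."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ARP_OP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def encode_arp(op: int, sender_mac: str, sender_ip: str,
               target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826
    layout). Used here only to build the sample frames for the demo."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    hdr = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    body = _mac_bytes(sender_mac) + _ip_bytes(sender_ip) + _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + hdr + body


def decode_arp(frame: bytes) -> Optional[ArpPacket]:
    """Parse an ARP packet out of an Ethernet frame; None if the frame is short,
    has the wrong ethertype, or is not IPv4-over-Ethernet (6-byte MAC, 4-byte IP)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    return ArpPacket(op, _mac_str(frame[22:28]), _ip_str(frame[28:32]),
                     _mac_str(frame[32:38]), _ip_str(frame[38:42]))


class PerInterfaceArpTable:
    """ARP table keyed by (interface, ip), so one IP may map to different MACs
    on different interfaces without either entry clobbering the other."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], str] = {}

    def learn(self, iface: str, frame: bytes) -> Optional[str]:
        """Record the sender mapping from an ARP reply seen on iface. Returns a
        warning if the IP was already bound to a different MAC on the SAME
        interface (the existing entry is kept); otherwise records it and returns None."""
        pkt = decode_arp(frame)
        if pkt is None or pkt.op != ARP_OP_REPLY:
            return None
        key = (iface, pkt.sender_ip)
        previous = self.entries.get(key)
        if previous is not None and previous != pkt.sender_mac:
            return f"{iface}: {pkt.sender_ip} moved from {previous} to {pkt.sender_mac}"
        self.entries[key] = pkt.sender_mac
        return None

    def lookup(self, iface: str, ip: str) -> Optional[str]:
        return self.entries.get((iface, ip))


# Constructed placeholders (documentation address ranges), not real addresses.
PUBLIC_IP = "203.0.113.10"        # the DMZ host's public address (the post's <ip>)
FW_EXT_MAC = "00:00:5e:00:53:01"  # firewall external interface (the post's <fw-ext-mac>)
REAL_MAC = "00:00:5e:00:53:02"    # the DMZ host's own MAC (the post's <real-mac>)
CPE_MAC, CPE_IP = "00:00:5e:00:53:03", "203.0.113.9"
FW_DMZ_IP = "198.51.100.1"        # assumed address of the firewall's DMZ interface


def demo() -> dict:
    table = PerInterfaceArpTable()
    # Outside: the firewall proxy-ARPs for PUBLIC_IP with its own external MAC.
    outside = encode_arp(ARP_OP_REPLY, FW_EXT_MAC, PUBLIC_IP, CPE_MAC, CPE_IP)
    # DMZ: the real host answers for the same IP with its own MAC.
    inside = encode_arp(ARP_OP_REPLY, REAL_MAC, PUBLIC_IP, FW_EXT_MAC, FW_DMZ_IP)
    # A second MAC claiming PUBLIC_IP on the DMZ segment conflicts and is flagged.
    conflict = encode_arp(ARP_OP_REPLY, "00:00:5e:00:53:99", PUBLIC_IP, FW_EXT_MAC, FW_DMZ_IP)
    warnings = [table.learn("ext", outside), table.learn("dmz", inside), table.learn("dmz", conflict)]
    return {"ext": table.lookup("ext", PUBLIC_IP), "dmz": table.lookup("dmz", PUBLIC_IP),
            "warnings": [w for w in warnings if w]}


if __name__ == "__main__":
    print(demo())
```

The point of the (interface, IP) key is exactly the distinction the post is looking for: the outside entry is the firewall's own published mapping, the DMZ entry is what the next-hop lookup for the `-iface` route would need, and the two never collide. The same per-interface table doubles as a simple consistency check, since a changed MAC for an IP on one segment is the condition worth alerting on.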
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers