
double proxy arp ?



Hi,

I'm in charge of building a firewall for my company, at low cost.


My goal is to create two subnets: one for the DMZ and one for the servers;
the PCs are on 192.168.x.x subnets.
As we don't have access to our router, which is provided by our ISP, I want to
proxy ARP the requests from the net through a packet-filtering OpenBSD box. The
network should in the end look like this:


                                           Internet
                                              |
              ------------------------------  |
             | 193.x.x.0/24              -------------
             |         ---------------      router
             |        |                   190.x.x.1
             |        | subnet           -------------
             |        | 193.x.x.0/29          |
             |        |                ----------------
             |         ---------------     190.x.x.2
             |
             |                          proxyarp/filter
             |         ---------------
             |        |                    190.x.x.5
             |        | subnet         ----------------
             |        | 193.x.x.4/28          |
             |        |                       |
             |        |
             |        |                      DMZ
             |        |                  (1 bastion host)
             |        |                
             |        |
             |        |                       |
             |        |                       |
             |        |                ----------------
             |        |                  190.x.x.10
             |         ---------------
             |                          internal router
             |                          (openbsd filter) (proxyarp ?)
             |         ---------------
             |        |                   190.x.x.13
             |        |  subnet        -----------------
             |        |  193.x.x.12/25        |
             |        |           ----------------------------
             |        |             Internal subnet
             |         ---------------
             |
              ---------------------------------------------
The problem is that there will still be one server in the internal network that
will have to be accessible from the internet for telnet access.

I thought I could do a double proxy ARP on both OpenBSD boxes, but it doesn't
seem to work.

I noticed that Linux's arp program can proxy ARP for subnets, not only for
hosts. But I don't want to use Linux and lose ipf's power and easiness.

What would be the solution for this?
Any idea?

Thanks in advance

Marc
--

Marc Dubrowski
Kind of a Network Administrator
K.B.I.N.I.R.Sc.N.B.
29 rue Vautier B-1040 Brussels, Belgium
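The post contrasts Linux's arp, which can publish a whole subnet, with BSD arp, which publishes one host entry at a time. The script below is an added example, not code from the post or from OpenBSD: it expands a subnet into the per-host published entries that BSD arp(8) accepts (in the `<ip> <ether_addr> pub` line format read by `arp -f`), skipping the network and broadcast addresses and any addresses you list as belonging to the firewall itself, and prefixes the `net.inet.ip.forwarding=1` sysctl the box needs to route between the published and real subnets. The subnet 192.0.2.0/29 and the MAC address 00:00:5e:00:53:01 are constructed sample values; the `arp -f` file format and the sysctl name are assumed to match the OpenBSD of the reader's version and should be checked against the local manual pages.

```python
"""Expand a subnet into per-host proxy ARP entries for an OpenBSD firewall.

Added example: BSD arp(8) publishes single hosts, so a subnet is proxied by
publishing every usable address in it from the firewall's external MAC.
"""
import ipaddress
import re

# Assumption: sysctl name as documented in OpenBSD's sysctl(3)/sysctl.conf
IP_FORWARDING_SYSCTL = "net.inet.ip.forwarding=1"
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def proxy_arp_entries(subnet, ether_addr, exclude=()):
    """Return arp -f style lines ("<ip> <ether_addr> pub") for each usable host.

    subnet     -- CIDR string, e.g. "192.0.2.0/29" (constructed sample)
    ether_addr -- MAC of the firewall interface that should answer the ARPs
    exclude    -- addresses that must NOT be published (the firewall's own
                  interface addresses, or hosts that are not meant to be
                  reachable from outside at all)
    """
    ether_addr = ether_addr.lower()
    if not _MAC_RE.match(ether_addr):
        raise ValueError(f"malformed ethernet address: {ether_addr!r}")
    # strict=True rejects "192.0.2.1/29": the host bits must be zero so a typo
    # cannot silently publish a different block than intended.
    net = ipaddress.ip_network(subnet, strict=True)
    skip = {ipaddress.ip_address(a) for a in exclude}
    bad = [a for a in skip if a not in net]
    if bad:
        raise ValueError(f"excluded addresses outside {net}: {bad}")
    # hosts() already omits the network and broadcast addresses of the block
    return [f"{host} {ether_addr} pub" for host in net.hosts() if host not in skip]


def setup_script(subnet, ether_addr, exclude=()):
    """Return a shell fragment: enable forwarding, then load the published entries.

    Assumption: arp(8) reads "<host> <ether_addr> [temp] [pub]" lines via -f.
    """
    lines = [f"sysctl {IP_FORWARDING_SYSCTL}"]
    lines.append("cat > /etc/proxyarp.conf <<'EOF'")
    lines.extend(proxy_arp_entries(subnet, ether_addr, exclude))
    lines.append("EOF")
    lines.append("arp -f /etc/proxyarp.conf")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: a /29 behind the firewall, whose own address is .2
    print(setup_script("192.0.2.0/29", "00:00:5E:00:53:01", exclude=["192.0.2.2"]))
```

Keeping the exclude list explicit is the part worth copying: only the hosts that are supposed to be reachable from the outside get a published entry, so the firewall never answers ARP on behalf of an address that packet filtering was meant to hide.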