An "arp ... pub" replacement?

I'm looking for advice on best practice for setting up a Fedora / CentOS firewall in the following situation:

LAN (10.0.0.0/24)
       |
       |
       | (10.0.0.1)
   Firewall
       | (198.51.100.2/27)
       |
       | (198.51.100.1/27)
 ISP's Router
       |
       |
       |
    Internet


In addition to 198.51.100.1 and 192.51.100.2, the ISP is providing 28 extra public IPs (192.51.100.3-30), and I want the firewall to be able to DNAT those IPs to internal machines, which means it needs to answer ARP for them.

The router is routing all of the public IPs directly to its internal NIC. In an ideal world, we'd just reconfigure the router so that the IPs are routed via the firewall rather than being directly connected. However, I'm finding that for managed routers, ISPs are increasingly unwilling to set up custom routing.


The available options seem to be:

1. Add aliases for all of the addresses onto the internet NIC of the firewall. You used to be able to create an /etc/sysconfig/network-scripts/ifcfg-eth0-range0 file with the address range in it and have the network scripts automatically add the aliases. Unfortunately NetworkManager no longer seems to support this. Also this feels quite messy because you end up with a lot of addresses attached to the NIC, and strictly speaking those addresses don't really belong to the firewall since they are intended to be forwarded through to internal machines.

2. Route 198.51.100.0/27 to a dummy NIC and enable proxy ARP on the internet NIC. Proxy ARP is a fairly blunt tool and will cause the firewall to answer ARP for any address, not just that subnet.

3. The only thing the firewall actually needs to do with these addresses is answer ARP requests for them. It used to be possible to use the arp command to set this up with something like:
  arp -i eth0 -Ds 198.51.100.0 eth0 netmask 255.255.255.224 pub
This method is documented in TLDP, but the arp command is long deprecated in favour of "ip neigh" which doesn't appear to support doing this.


Can anyone advise whether any "best practice" for this kind of setup exists?

Thanks.


--
- Steve
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
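An added example for option 3, not from Steve's post: a POSIX shell helper that generates per-address proxy entries with `ip neigh add proxy`, the iproute2 counterpart of the old `arp ... pub` entry, for any CIDR block rather than just this /27. It assumes the interface name eth0, that the block is routed to a dummy interface as in option 2, and that net.ipv4.ip_forward is on, because the kernel only answers ARP from such an entry when the target is routed out a different device than the one the request arrived on; it prints the commands instead of running them so they can be reviewed before being applied as root.

```sh
#!/bin/sh
# Added example, not from the original post. Generates per-address proxy-ARP
# entries ("ip neigh add proxy") for a CIDR block: the iproute2 counterpart of
# the old "arp -Ds ... pub" entry. Assumed setup: the block is routed to a dummy
# NIC (ip link add dummy0 type dummy; ip route add 198.51.100.0/27 dev dummy0)
# and net.ipv4.ip_forward=1. The kernel then answers ARP on the WAN NIC only for
# addresses with an explicit proxy entry, without the global proxy_arp sysctl.

# Dotted quad -> 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# proxy_arp_cmds IFACE CIDR [EXCLUDED_IP ...]
# Prints one "ip neigh add proxy ADDR dev IFACE" line per usable host in CIDR,
# skipping the network and broadcast addresses and any excluded addresses
# (here: the ISP router's and the firewall's own). Apply with: ... | sh (as root).
# Entries are not persistent; rerun them from a NetworkManager dispatcher script.
proxy_arp_cmds() {
    iface=$1; cidr=$2; shift 2
    net=${cidr%/*}; bits=${cidr#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    base=$(( $(ip2int "$net") & mask ))
    bcast=$(( base | (~mask & 0xFFFFFFFF) ))
    i=$(( base + 1 ))
    while [ "$i" -lt "$bcast" ]; do
        addr=$(int2ip "$i")
        skip=0
        for ex in "$@"; do [ "$ex" = "$addr" ] && skip=1; done
        [ "$skip" -eq 0 ] && echo "ip neigh add proxy $addr dev $iface"
        i=$(( i + 1 ))
    done
}

# The setup from the post: 198.51.100.0/27 on eth0, .1 (ISP router) and .2
# (firewall's own WAN address) excluded -> 28 entries for .3 to .30.
proxy_arp_cmds eth0 198.51.100.0/27 198.51.100.1 198.51.100.2
```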