Re: Proxy arp for non-overlapping subnets on an interface without assigning IP aliases

Linux Advanced Routing and Traffic Control

On 6/29/19 8:05 AM, Aks Kak wrote:
> I have a linux box with 2 interfaces with following IPs
> eno1 : 10.1.1.0/24
> eno2 : 192.168.2.0/27
>
> I want to use network 10.3.3.0/25 as virtual IPs for 192.168.2.0/25 i.e. I will be doing DNAT using NETMAP target of IPTABLES.

Okay.

> DNAT and NETMAP, etc. is not the issue.

Okay.

> For my requirement to work, main thing is who (or how) will give arp replies for 10.3.3.0/27 !!!

I question why you will give ARP replies. That implies that clients will also be part of the 10.3.3.0/27* network.

> I have 2 ways of achieving this:
> 1. Create all 126 IPs 10.3.3.1 - 10.3.3.126 as alias IPs on eno1. I want to avoid it.

I don't think that's going to work the way (I think) you are wanting.

Remember, ARP is for working /within/ a layer 2 broadcast domain. Meaning that the clients connecting to the 10.3.3.0/27* will also be in the 10.3.3.0/27* network. As such, using all 126 of the usable IPs is going to mean that there's no IP(s) available for client use.

> 2. Use proxy arp for entire subnet 10.3.3.0/25 on eno1 but this require having at least one IP from this subnet to be created as IP alias on eno1, say 10.3.3.1/25.

It's been a while since I've used Proxy ARP, but I don't remember that being a requirement. In fact, I think doing that will cause problems.

> However, my concern is that this 10.3.3.1, as it has been assigned to eno1, may be used by mistake to listen for any service, etc. or ping, etc. which otherwise I would have to control using iptables rule set. I totally want to avoid it.

Fair.

I think you're more likely going to need to assign a 10.3.3.0/27* IP to an interface, usually the interface connected to the network you are wanting to Proxy ARP to.

Even if you assign the IP to a dummy (loopback) interface and use DNAT, you are still going to have the potential binding problem.

> So, my query is how to do proxy arp for 10.3.3.0/25 on eno1 without assigning 10.3.3.1/25 to eno1???

Why are you /not/ using routing? Give the clients on the eno1 network segment a route to the 10.3.3.0/27* network via the IP assigned to eno1**.

* You have said 10.3.3.0/25 and 10.3.3.0/27. You also make reference to 126 (128) IPs. I don't know which it is. It probably doesn't matter. But it would help to be consistent.

** 10.1.1.0/24 is the IP reserved for the network and probably not the IP that will be assigned to eno1. The same concept applies to eno2.



--
Grant. . . .
unix || die
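An added illustration, not part of the thread above: this Python snippet models how the iptables NETMAP target rewrites an address (host bits are kept, network bits are replaced, and the mask comes from the --to network), so you can see why the /25 vs /27 inconsistency Grant points out matters. The subnets are the ones from the thread; the helper names are my own.

```python
import ipaddress

def netmap(addr: str, to_net: str) -> str:
    """Model of the NETMAP target: keep the host bits of addr, take the
    network bits from to_net.  Which bits count as host bits is decided
    by the mask of to_net (the --to argument), not by the match rule."""
    ip = int(ipaddress.IPv4Address(addr))
    net = ipaddress.IPv4Network(to_net, strict=False)
    mask = int(net.netmask)
    mapped = (ip & ~mask & 0xFFFFFFFF) | (int(net.network_address) & mask)
    return str(ipaddress.IPv4Address(mapped))

def usable_hosts(net: str) -> int:
    """Usable host addresses in a prefix (network and broadcast excluded)."""
    n = ipaddress.IPv4Network(net, strict=False)
    return n.num_addresses - 2 if n.prefixlen < 31 else n.num_addresses

def check_rule(match_net: str, to_net: str) -> list:
    """Flag a NETMAP rule whose match prefix is wider than its --to prefix:
    the extra host bits are thrown away, so distinct virtual IPs collide
    on the same real IP.  Returns a list of problem descriptions."""
    m = ipaddress.IPv4Network(match_net, strict=False)
    t = ipaddress.IPv4Network(to_net, strict=False)
    problems = []
    if m.prefixlen < t.prefixlen:
        problems.append(
            f"match {m} is /{m.prefixlen} but --to {t} is /{t.prefixlen}: "
            f"{usable_hosts(str(m))} virtual hosts fold onto "
            f"{usable_hosts(str(t))} real ones")
    return problems

if __name__ == "__main__":
    # Consistent /25 -> /25 mapping: host offset is preserved.
    print(netmap("10.3.3.5", "192.168.2.0/25"))      # 192.168.2.5
    # Mismatched /25 match with a /27 --to: 10.3.3.100 and 10.3.3.4 collide.
    print(netmap("10.3.3.100", "192.168.2.0/27"))    # 192.168.2.4
    print(netmap("10.3.3.4", "192.168.2.0/27"))      # 192.168.2.4
    for p in check_rule("10.3.3.0/25", "192.168.2.0/27"):
        print("warning:", p)
```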


