Re: proxy arp problems...

Mike Benoit wrote:

> Maybe I'm misinformed, will a setup such as this even work?
> 
> I had the machine strangely plugged in to the network when I did my 
> testing, so it's quite possible that it was using the internal network. Even 
> though the test client had an external IP from which I was testing. But 
> will this work from the external interface?
> 
> My understanding is that the firewall will reply to ARP requests for each 
> (30) external IP address we have with its own MAC address, thus tricking 
> computers on the internet into sending packets destined for any of our 
> external IPs to our firewall. From there the firewall can route the packets 
> to each client behind it with little difficulty?

Note that:

1. The firewall's routing tables must be correct with regard to the
destination IP address.

2. The source and destination must be on opposite sides of the
firewall in order for the firewall to be able to do anything about it.

> Does this sound plausible to you? Or do you know of a better way to set up a 
> firewall that won't cause problems with such applications like NetMeeting? 
> Thanks.

Also note that you can usually[1] do without proxy-ARP; it just means that you
have to propagate more complex routing information.

[1] but not if you have a host whose routing table can't be changed
(e.g. an ISP-supplied router).

-- 
Glynn Clements <glynn@sensei.co.uk>
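
The two conditions in the reply above can be checked with a small model. This is an added example, not part of the original message: a simplified model of the decision a proxy-ARP firewall makes for one ARP request. The interface names (eth0 external, eth1 internal), the 203.0.113.0/27 documentation range and all function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str  # destination network, e.g. "203.0.113.5/32"
    dev: str     # interface the firewall forwards out of

def lookup(routes, ip):
    """Longest-prefix match; returns the outgoing interface or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r.dev)
    return best[1] if best else None

def proxy_arp_reply(routes, proxy_arp_on, in_dev, target_ip):
    """Return (answer, reason) for an ARP who-has arriving on in_dev."""
    if in_dev not in proxy_arp_on:
        return False, "proxy ARP disabled on " + in_dev
    out_dev = lookup(routes, target_ip)
    if out_dev is None:
        return False, "no route to " + target_ip
    # Condition 2: requester and target must be on opposite sides.
    if out_dev == in_dev:
        return False, "target is on the same side as the requester"
    return True, "answer with own MAC; forward via " + out_dev

# Constructed sample data (hypothetical). The /27 stands in for the
# block of external addresses; eth0 faces the ISP, eth1 the clients.
ROUTES_BROKEN = [Route("203.0.113.0/27", "eth0"), Route("0.0.0.0/0", "eth0")]
# Condition 1: a host route tells the firewall the client is behind eth1.
ROUTES_FIXED = ROUTES_BROKEN + [Route("203.0.113.5/32", "eth1")]
PROXY = {"eth0", "eth1"}

if __name__ == "__main__":
    cases = [
        ("no host route, request from outside", ROUTES_BROKEN, "eth0", "203.0.113.5"),
        ("host route, request from outside", ROUTES_FIXED, "eth0", "203.0.113.5"),
        ("host route, request from inside", ROUTES_FIXED, "eth1", "203.0.113.5"),
        ("client asks for ISP router", ROUTES_FIXED, "eth1", "203.0.113.1"),
    ]
    for label, routes, dev, ip in cases:
        print(label, "->", proxy_arp_reply(routes, PROXY, dev, ip))
```

The third case corresponds to a test run from the internal side: the firewall never answers, so such a test says nothing about how the external interface behaves.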