ARP Proxy / Proxy ARP?

Posted on May 18, 2007 | 9 Comments

Network geeks — you out there?

So here’s the poop: I have a handful of servers running services that I’d like to expose to the outside world, but behind a firewall. So I want to create some subdomain names like service.example.com, ws.example.com, issues.example.com, etc. Each resolves to a different IP address in our public address range.

I want one device or firewall to service all these, then pass the traffic along to some internal addresses. I believe the term for this is, depending on who you ask, either Proxy ARP or ARP proxy.

In a nutshell:

A multi-port networking device (e.g. a router) implementing Proxy ARP responds to ARP requests on one interface as if it were responsible for the addresses of devices on another interface. The device can then receive and forward packets addressed to those other devices.

Many (many) moons ago, we used to do this with a Raptor firewall that was dead simple to use. It was our main firewall and it “looked like” a whole host of external addresses. As traffic came in for certain IPs, it would essentially proxy it to an internal server on an internal IP.

Without the Raptor, we end up doing things like putting little SOHO routers out in front of our “main” firewall appliance and dual-addressing the assorted servers. It’s getting messy.

I’m sure there’s gotta be a reasonable way to either build a little Linux server or buy an appliance for this, right? My search terms must be lousy, but I’m not finding any reasonably modern How-Tos or products. Is this easier to do in Linux than I’m aware?

Any ideas?
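The Proxy ARP arrangement described in the post, as an added example (this is not the original post's or any vendor's configuration): a Linux box with two interfaces that answers ARP on the outside for public addresses held by the servers behind it, and forwards only the listed ports to them. The interface names eth0/eth1, the 203.0.113.0/24 documentation range and the three address/port pairs are constructed; DRY_RUN (on by default) prints the commands instead of running them so the rule set can be checked on any machine.

```shell
#!/bin/sh
# Added example: a Linux router/firewall doing Proxy ARP for a few public
# addresses that live on servers behind it. Not from the original post;
# interface names and addresses are constructed for illustration.

EXT_IF=eth0   # towards the upstream router; carries the firewall's own public address
INT_IF=eth1   # towards the servers, which are configured with their public addresses

# "public_ip:port" pairs: the only (address, port) combinations to expose.
# Proxy ARP forwards packets unchanged, so each server must carry its public
# address itself; servers on private addresses need 1-to-1 NAT instead.
EXPOSED="203.0.113.10:80 203.0.113.11:443 203.0.113.12:8080"

# DRY_RUN=1 (default) prints each command so the rule set can be reviewed
# anywhere; DRY_RUN=0 executes it (as root, on the firewall).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_proxy_arp() {
    run sysctl -w net.ipv4.ip_forward=1
    # Outside: answer ARP for any address that is routed via another interface.
    # (Narrower alternative, per address: ip neigh add proxy <ip> dev $EXT_IF.)
    run sysctl -w net.ipv4.conf.$EXT_IF.proxy_arp=1
    # Inside: the servers ARP for their default gateway, which sits beyond
    # EXT_IF, so the firewall must answer for it on INT_IF as well.
    run sysctl -w net.ipv4.conf.$INT_IF.proxy_arp=1

    # Default-deny forwarding: replies and server-initiated outbound traffic
    # pass, inbound connections only to the listed ports.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i $INT_IF -o $EXT_IF -m conntrack --ctstate NEW -j ACCEPT
    for entry in $EXPOSED; do
        ip=${entry%:*}
        port=${entry#*:}
        # Host route: this public address is reached through INT_IF. That route
        # is what makes proxy_arp answer for the address on EXT_IF.
        run ip route add $ip/32 dev $INT_IF
        run iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $ip -p tcp --dport $port \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Pure helper: the addresses the firewall will answer ARP for, one per line.
proxied_addresses() {
    for entry in $EXPOSED; do
        echo "${entry%:*}"
    done
}

apply_proxy_arp
```

The important caveat is in the comments: Proxy ARP does not rewrite anything, so the servers themselves must be numbered out of the public range. If they are to keep private addresses, the same FORWARD filtering applies but the address mapping has to be done with NAT, which is where the thread ends up.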




9 Responses to “ARP Proxy / Proxy ARP?”

  1. pj on May 19th, 2007 3:43 am

    Your problem is using private IPs on the servers and then needing NAT to get connectivity to the Internet.

    Proxy ARP seems like a kludge.

    How about setting up a DMZ segment for all of the servers. Use your public IP addresses for the DMZ. Then simple IP routing will get the packets from outside to the DMZ. Apply appropriate ACLs on your firewall to control inbound/outbound sessions.

  2. Chris on May 19th, 2007 8:01 am

    Your problem is using private IPs on the servers and then needing NAT to get connectivity to the Internet.

    Hey pj, thanks for the thoughts!

    Rephrased: My problem is having a handful of services on internal servers that would benefit from being exposed. No way in heck do I want to expose one of those servers or all that’s on it!

    The DMZ thing could work, especially if I had a lot more budget than a small tech startup tends to have. ;-) But first I’d have to “split” a lot of servers. Can’t say that I’d want my main dev db server or file server in the DMZ, right?
    Hmm, I’d also have to buy smarter firewall(s).

    While proxy ARP does indeed seem a bit like a kludge, it’d sure make life easier.

  3. Vox on May 19th, 2007 1:18 pm

    Why don’t you just NAT the stuff with a linux firewall using iptables? Or with a m0n0wall firewall…even you should be able to do NATing with m0n0! :)

  4. Chris on May 19th, 2007 2:13 pm

    Hey Vox - Each “service” or server has its own external IP, dns name (name.example.com) and ports.

    The trick with NAT is that several of the services are on port 80. As we use them internally as well as externally… I don’t really want to have to move web services to all sorts of different ports. That’ll be disruptive.

    I can just keep using the little soho routers instead (give the external interface of the router the external IP, have the internal subnet added to the appropriate box). But that’s getting messy with all these damned little netgear/linksys/belkin boxes stacking up. :)

  5. Pingback: Following Up » Solo Technology on July 9th, 2007 7:27 am

  6. Bionicthumb on November 8th, 2007 1:10 pm

    Static, 1-to-1 NAT can be applied like Vox is saying.

    m0n0wall is more than capable of having many IP aliases on one network interface and using the 1-to-1 NAT to take care of the network translation.

    This allows each of your web servers to remain operating on the standard port 80.
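The static 1-to-1 NAT that Bionicthumb describes, as an added example on a Linux box with iptables (this is not the commenter's setup and not m0n0wall's own configuration). Each public address is aliased on the outside interface and mapped whole to one private server, so several services can all stay on port 80; the FORWARD chain then restricts each mapping to the single intended port. Interface names, the 203.0.113.0/24 and 10.0.0.0/24 ranges and the three mappings are constructed; DRY_RUN (on by default) prints the commands rather than executing them.

```shell
#!/bin/sh
# Added example: static 1-to-1 NAT on a Linux box with iptables, the same idea
# as the m0n0wall setup in the comments. Not from the commenter or the m0n0wall
# project; interface names and addresses are constructed for illustration.

EXT_IF=eth0
INT_IF=eth1
LAN=10.0.0.0/24   # constructed private segment the servers live on
# "public:private:port" triples. Every service keeps its native port because
# each one has its own public address.
MAPPINGS="203.0.113.10:10.0.0.10:80 203.0.113.11:10.0.0.11:80 203.0.113.12:10.0.0.12:443"

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (as root).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_one_to_one_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -F PREROUTING
    run iptables -t nat -F POSTROUTING
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for m in $MAPPINGS; do
        pub=${m%%:*}; rest=${m#*:}; priv=${rest%:*}; port=${rest#*:}
        # Alias the public address on the outside interface: the firewall then
        # answers ARP for it as one of its own addresses (no Proxy ARP needed).
        run ip addr add $pub/32 dev $EXT_IF
        # Inbound: destination rewritten to the private server before routing.
        run iptables -t nat -A PREROUTING -d $pub -j DNAT --to-destination $priv
        # Outbound: server-initiated traffic leaves with its own public address.
        run iptables -t nat -A POSTROUTING -s $priv -o $EXT_IF -j SNAT --to-source $pub
        # The whole address is mapped, but FORWARD (evaluated after DNAT, so it
        # sees the private address) lets only the intended port through.
        run iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $priv -p tcp --dport $port \
            -m conntrack --ctstate NEW -j ACCEPT
        # Hairpin: inside clients using the public name hit the same DNAT rule;
        # masquerading their source makes the server's reply come back through
        # the firewall instead of going LAN-to-LAN, where the client would drop it.
        run iptables -A FORWARD -i $INT_IF -o $INT_IF -d $priv -p tcp --dport $port \
            -m conntrack --ctstate NEW -j ACCEPT
        run iptables -t nat -A POSTROUTING -s $LAN -d $priv -o $INT_IF -j MASQUERADE
    done
}

# Pure helper: which public address fronts a given private server.
# Prints it and returns 0; returns 1 if the server is not mapped.
public_for() {
    for m in $MAPPINGS; do
        rest=${m#*:}
        if [ "${rest%:*}" = "$1" ]; then
            echo "${m%%:*}"
            return 0
        fi
    done
    return 1
}

apply_one_to_one_nat
```

The hairpin rules cover the point raised earlier in the thread about the services being used from inside as well as outside: without them, an internal client resolving ws.example.com to the public address would get its SYN forwarded but the reply would arrive directly from the server's private address and be rejected. Split DNS (internal zone answering with the private addresses) is the other common way to handle that.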

  7. Chris on November 8th, 2007 1:43 pm

    Really? I’m definitely willing to give it a shot. Any suggestions on relevant documentation to help me get my mind around this?

    (and thanks for the comment!)

  8. Chris on March 13th, 2008 7:20 am

    I think I finally understand how 1-to-1 NAT works.

    I’m configuring a client’s firewall and it supports that quite nicely. I think that’s the direction I’ll be going.

  9. Pingback: Follow-Up on Proxy ARP [Resolved] » Solo Technology on April 19th, 2008 6:45 pm
