An "arp ... pub" replacement?
I'm looking for advice on best practice for setting up a Fedora / CentOS firewall in the following situation:

        LAN (10.0.0.0/24)
              |
              |
         (10.0.0.1)
          Firewall
       (198.51.100.2/27)
              |
              |
       (198.51.100.1/27)
         ISP's Router
              |
              |
           Internet

In addition to 198.51.100.1 and 192.51.100.2, the ISP is providing 28 extra public IPs (192.51.100.3-30), and I want the firewall to be able to DNAT those IPs to internal machines, which means it needs to answer ARP for them. The router is routing all of the public IPs directly to its internal NIC.

In an ideal world, we'd just reconfigure the router so that the IPs are routed via the firewall rather than being directly connected. However, I'm finding that for managed routers, ISPs are increasingly unwilling to set up custom routing.

The available options seem to be:

1. Add aliases for all of the addresses onto the internet NIC of the firewall. You used to be able to create an /etc/sysconfig/network-scripts/ifcfg-eth0-range0 file with the address range in it and have the network scripts automatically add the aliases. Unfortunately NetworkManager no longer seems to support this. Also this feels quite messy because you end up with a lot of addresses attached to the NIC, and strictly speaking those addresses don't really belong to the firewall since they are intended to be forwarded through to internal machines.

2. Route 198.51.100.0/27 to a dummy NIC and enable proxy ARP on the internet NIC. Proxy ARP is a fairly blunt tool and will cause the firewall to answer ARP for any address, not just that subnet.

3. The only thing the firewall actually needs to do with these addresses is answer ARP requests for them. It used to be possible to use the arp command to set this up with something like:

        arp -i eth0 -Ds 198.51.100.0 eth0 netmask 255.255.255.224 pub

   This method is documented in TLDP, but the arp command is long deprecated in favour of "ip neigh" which doesn't appear to support doing this.
Can anyone advise whether any "best practice" for this kind of setup exists?

Thanks.

-- 
- Steve
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
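Option 3 above can be expressed with "ip neigh add proxy", one entry per address, which answers ARP only for the listed hosts rather than for everything the way the proxy_arp sysctl does. The script below is an added example, not part of the original post; it assumes the internet NIC is eth0, that a dummy interface dummy0 holds the routes, and that 198.51.100.1 (ISP router) and 198.51.100.2 (the firewall itself) are excluded from the 198.51.100.0/27 block. It only generates the IPv4 commands; nothing is changed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): per-address proxy ARP entries via
# "ip neigh add proxy", the modern equivalent of "arp -Ds ... pub".
# Assumed names: internet NIC eth0, dummy interface dummy0, block 198.51.100.0/27
# with .1 = ISP router and .2 = the firewall's own address (both excluded).

# Convert a dotted-quad address to an integer and back (POSIX sh arithmetic).
ip4_to_int() {
    o1=${1%%.*}; r=${1#*.}; o2=${r%%.*}; r=${r#*.}; o3=${r%%.*}; o4=${r#*.}
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# proxy_arp_cmds PREFIX ARPDEV ROUTEDEV [SKIP...]
# Prints, for every usable host in PREFIX except the SKIP addresses, a /32 route
# to ROUTEDEV followed by a proxy entry on ARPDEV. The kernel only answers an ARP
# request from a proxy entry when its route for the target leaves through a
# different interface than the one the request arrived on, hence the dummy route.
proxy_arp_cmds() {
    prefix=$1; arpdev=$2; rtdev=$3; shift 3
    len=${prefix#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    base=$(( $(ip4_to_int "${prefix%/*}") & mask ))
    last=$(( base | (~mask & 4294967295) ))    # broadcast address, never proxied
    i=$(( base + 1 ))
    while [ "$i" -lt "$last" ]; do
        ip=$(int_to_ip4 "$i"); skip=0
        for s in "$@"; do [ "$s" = "$ip" ] && skip=1; done
        if [ "$skip" -eq 0 ]; then
            echo "ip -4 route add $ip/32 dev $rtdev"
            echo "ip -4 neigh add proxy $ip dev $arpdev"
        fi
        i=$(( i + 1 ))
    done
}

# Apply on the firewall (needs root and net.ipv4.ip_forward=1); run with APPLY=1.
apply_proxy_arp() {
    ip link add dummy0 type dummy 2>/dev/null || true
    ip link set dummy0 up
    proxy_arp_cmds 198.51.100.0/27 eth0 dummy0 198.51.100.1 198.51.100.2 | sh -e
    ip -4 neigh show proxy dev eth0     # verify: one line per DNAT'd address
}

if [ "${APPLY:-0}" = 1 ]; then apply_proxy_arp; fi
```

Run it once without APPLY to review the 56 generated commands; the DNAT rules themselves are still needed in the firewall's nat table, since this only makes the addresses reachable at layer 2.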
Re: An "arp ... pub" replacement?
On 27/10/2020 17:36, Roberto Ragusa wrote:
> Maybe your problem is just in how to achieve this with NetworkManager, which is probably not the right tool for these "non desktop" setups.

I must admit that I don't have a lot of experience with NetworkManager - I've been clinging onto the old network scripts. :)

RHEL/CentOS, which are really "non-desktop" distros, are pretty much moving everything onto NetworkManager, so I think that'll be the way for everything soon. I vaguely recall hearing that the network-scripts package was going away entirely in RHEL 9, but I'm not sure where I heard that so might be making that up. In any case, since it looks like NetworkManager will be the future, I'm trying to get my head around it a bit more.

> With good old ifcfg scripts you do not even need aliases anymore, I achieve a similar configuration through:
>
>         IPADDR=x.x.x.2
>         NETMASK=255.255.255.254
>
> (this is to catch the router at x.x.x.1, your correct mask is another possible option here)
>
>         IPADDR0=x.x.x.3
>         NETMASK0=255.255.255.255
>         IPADDR1=x.x.x.4
>         NETMASK1=255.255.255.255
>
> ...and so on (for IPV6 you would need IPV6ADDR and a single line with IPV6ADDR_SECONDARIES).

Well, you still end up with numerous addresses attached to the NIC itself. It's not *too* bad with IPv4 since you're probably dealing with only a few tens or hundreds of addresses in a subnet. I can't imagine it working at all for an IPv6 /64 though.

This solution certainly works (for the IPv4 case), it just feels like there should be a better way of saying "answer ARP / neighbour discovery for anything in this whole network", rather than having to attach each individual IP address to the NIC.
-- 
- Steve
Re: An "arp ... pub" replacement?
On 28/10/2020 00:35, Tim via users wrote:
> I'm curious how they expected you to use their extra IPs if they won't let their router be configured for them.

I assume the expectation is for any equipment that needs a public IP to be plugged directly into the router's layer 2 network.

I'm not seeing this with one specific ISP, it is the default configuration for new internet connections from almost any ISP, and increasingly I'm finding the effort needed to get it changed ranges from "really quite inconvenient" to "never gonna happen".

It's obviously not an issue where the firewall itself can be a PPPoE endpoint, or where the CPE is user-configurable. But connections terminated on CPE that only the ISP can manage seem to be very common these days.

-- 
- Steve