I'm looking for advice on best practice for setting up a Fedora / CentOS firewall in the following situation:

LAN (10.0.0.0/24)
       |
       |
       | (10.0.0.1)
   Firewall
       | (198.51.100.2/27)
       |
       | (198.51.100.1/27)
 ISP's Router
       |
       |
       |
    Internet


In addition to 198.51.100.1 and 192.51.100.2, the ISP is providing 28 extra public IPs (192.51.100.3-30), and I want the firewall to be able to DNAT those IPs to internal machines, which means it needs to answer ARP for them.

The router is routing all of the public IPs directly to its internal NIC. In an ideal world, we'd just reconfigure the router so that the IPs are routed via the firewall rather than being directly connected. However, I'm finding that for managed routers, ISPs are increasingly unwilling to set up custom routing.


The available options seem to be:

1. Add aliases for all of the addresses onto the internet NIC of the firewall. You used to be able to create an /etc/sysconfig/network-scripts/ifcfg-eth0-range0 file with the address range in it and have the network scripts automatically add the aliases. Unfortunately NetworkManager no longer seems to support this. Also this feels quite messy because you end up with a lot of addresses attached to the NIC, and strictly speaking those addresses don't really belong to the firewall since they are intended to be forwarded through to internal machines.

2. Route 198.51.100.0/27 to a dummy NIC and enable proxy ARP on the internet NIC. Proxy ARP is a fairly blunt tool and will cause the firewall to answer ARP for any address, not just that subnet.

3. The only thing the firewall actually needs to do with these addresses is answer ARP requests for them. It used to be possible to use the arp command to set this up with something like:
  arp -i eth0 -Ds 198.51.100.0 eth0 netmask 255.255.255.224 pub
This method is documented in TLDP, but the arp command is long deprecated in favour of "ip neigh", which doesn't appear to support doing this.


Can anyone advise whether any "best practice" for this kind of setup exists?

Thanks.


--
- Steve
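As an added example for option 3 (editor's code, not from the original post or from Fedora), the same per-address "published" ARP entries can be created with iproute2's "ip neigh add proxy", the replacement for "arp -s ... pub". It assumes the internet NIC is eth0, a dummy interface named dummy0, and the range 198.51.100.3-30; DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): publish one ARP entry per
# forwarded public address with iproute2 instead of the deprecated
# "arp -s ... pub". Assumptions: internet NIC eth0, dummy interface
# dummy0, range 198.51.100.3-30. DRY_RUN=1 (the default) prints the
# commands rather than running them, so the script needs no root.

DRY_RUN="${DRY_RUN:-1}"

# run CMD ARGS...: execute, or print when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# expand_range PREFIX FIRST LAST: print PREFIX.N for N in FIRST..LAST
expand_range() {
    prefix=$1; n=$2; last=$3
    while [ "$n" -le "$last" ]; do
        echo "$prefix.$n"
        n=$((n + 1))
    done
}

# publish_proxy_arp DEV DUMMY PREFIX FIRST LAST
# The kernel only consults proxy entries for targets it would forward out
# another interface, so each address also gets a /32 host route via the
# dummy interface; DNAT in PREROUTING rewrites the destination before
# that route is ever used. Unlike the proxy_arp sysctl, the firewall then
# answers ARP for exactly these addresses and nothing else.
publish_proxy_arp() {
    dev=$1; dummy=$2; shift 2
    for addr in $(expand_range "$@"); do
        run ip route add "$addr/32" dev "$dummy"
        run ip neigh add proxy "$addr" dev "$dev"
    done
}

# proxy_cmd_count ...: number of "ip neigh add proxy" commands generated
proxy_cmd_count() {
    publish_proxy_arp "$@" | grep -c 'ip neigh add proxy'
}

# "apply" configures the box for real (run as root); anything else dry-runs.
if [ "${1:-}" = "apply" ]; then DRY_RUN=0; fi
run sysctl -w net.ipv4.ip_forward=1
run ip link add dummy0 type dummy
run ip link set dummy0 up
publish_proxy_arp eth0 dummy0 198.51.100 3 30
```

Run it without arguments to review the generated commands, and with "apply" as root to install the routes and proxy entries; they do not survive a reboot, so a persistent setup would wire the same commands into a NetworkManager dispatcher script or a systemd unit.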
users mailing list -- users@lists.fedoraproject.org
