Raven, corporate courtesan
raven at oneeyedcrow.net
Thu Nov 1 15:32:14 EST 2001
Quoth Jeff Dike (Tue, Oct 30, 2001 at 03:14:02PM -0500):
> raven at oneeyedcrow.net said:
> > Basically, it turns on arp proxying if you have the ability to do so
> > compiled into your kernel.
> Yeah, I guessed that much. What I don't know is its exact semantics. Does
> it proxy arp entries on that device out to the other devices on the system?
> Or does it do the reverse and proxy arp entries on the other devices to this
> Or does it do something completely different?
If proxy-arp is turned on for a given interface, then the
machine will respond to arp requests on that interface as if it were
the other device. So, for example:
    Subnet 0 ---- eth0 [firewall] ---- Subnet 1
            (proxy-arp on)       (no proxy-arp on)
Since proxy-arp is on for eth0, which is connected to Subnet 0,
this means that if a machine on Subnet 0 does an ARP request for a
machine on Subnet 1, the firewall will respond to the ARP request with
its own hardware address mapping to the IP on subnet 1. So as far as
the devices on Subnet 0 are concerned, they are on the same layer-2
network as devices on Subnet 1 -- it's transparent to them.
If a machine on Subnet 1 makes an arp request for a machine on
Subnet 0, it will get no response. The machine on Subnet 0 doesn't
receive the request since it's on a different network, and the firewall
won't answer on behalf of the machine on Subnet 0 because proxy-arp is
turned on. So machines on Subnet 1 don't appear to be on the same
layer-2 network as machines on Subnet 0.
That's what proxy-arp does -- it fakes continuous layer-2
connectivity across a router.
Feel free to ask for further clarification -- layer 2/3
addressing can be confusing.
-- Rafe (http://www.palaceofreason.com), on current events.
"I find it interesting that time bows to cows."
-- Alex, on Indiana refusing to accept Daylight Savings Time
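The decision rule Raven describes above, written out as a small model so the two directions can be checked side by side. This is an added example, not code from the post or from any kernel: it assumes a second interface named eth1 (only eth0 is named in the post), constructed addresses 192.0.2.0/24 for Subnet 0 and 198.51.100.0/24 for Subnet 1, and a simplified form of the Linux rule, where the router answers a request heard on an interface with proxy-arp on only when its route to the target leaves through a different interface. It also covers two cases the post does not spell out: a request for a host on the requester's own segment, and a request for the router's own address.

```python
"""Toy model of a router's proxy-ARP decision (added example, not kernel code).

The router answers an ARP "who-has T" heard on interface X when
  - T is X's own address (ordinary ARP), or
  - proxy-arp is on for X and the route to T leaves through another interface.
Otherwise it stays silent. Addresses below are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

ROUTER_MAC = "02:00:00:00:00:01"  # constructed, locally administered MAC


@dataclass
class Interface:
    name: str
    address: IPv4Address
    network: IPv4Network
    proxy_arp: bool = False


class Router:
    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}

    def route_lookup(self, target: IPv4Address) -> Optional[Interface]:
        """Return the interface whose connected subnet contains target, or None."""
        for iface in self.interfaces.values():
            if target in iface.network:
                return iface
        return None

    def arp_reply(self, in_iface_name: str, target: str) -> Optional[str]:
        """MAC the router would answer with for 'who-has target' heard on
        in_iface_name, or None if it would not reply at all."""
        in_iface = self.interfaces[in_iface_name]
        t = ip_address(target)
        if t == in_iface.address:
            return ROUTER_MAC  # ordinary ARP: the address is the router's own
        out_iface = self.route_lookup(t)
        if out_iface is None or out_iface is in_iface:
            return None  # no route, or target sits on the requester's own segment
        if in_iface.proxy_arp:
            return ROUTER_MAC  # proxy: answer as if it were the far-side host
        return None  # proxy-arp off on this side: silence, as in the post


def build_firewall() -> Router:
    """The firewall from the post: proxy-arp on eth0 (Subnet 0), off on eth1 (assumed name)."""
    return Router([
        Interface("eth0", ip_address("192.0.2.1"), ip_network("192.0.2.0/24"), proxy_arp=True),
        Interface("eth1", ip_address("198.51.100.1"), ip_network("198.51.100.0/24")),
    ])


def demo() -> dict:
    """Run the interesting cases and return {(interface, target): reply}."""
    fw = build_firewall()
    cases = [
        ("eth0", "198.51.100.20"),  # Subnet 0 host asks for a Subnet 1 host
        ("eth1", "192.0.2.20"),     # Subnet 1 host asks for a Subnet 0 host
        ("eth0", "192.0.2.20"),     # host asks for a neighbour on its own segment
        ("eth1", "198.51.100.1"),   # host asks for the router's own address
        ("eth0", "203.0.113.5"),    # address the router has no route to
    ]
    return {(iface, t): fw.arp_reply(iface, t) for iface, t in cases}


if __name__ == "__main__":
    for (iface, t), mac in demo().items():
        print(f"who-has {t} heard on {iface}: {mac or 'no reply'}")
```

Running it shows the asymmetry from the post: only the request heard on eth0 for a Subnet 1 address gets the firewall's own MAC; the mirror-image request on eth1 gets nothing. The same-segment and no-route cases also get nothing, which is why enabling proxy-arp on an interface does not by itself leak every address the router knows about, only those reachable through some other interface.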