arp-proxy

Jon Otterholm jon.otterholm at ide.resurscentrum.se
Thu Nov 17 07:52:05 PST 2005


OK

Scenario#1:
-I have a range of IPs, for example 215.10.10.0 - 215.10.10.255.
-I want to distribute these IPs to my customers via DHCP.
-They are all attached to me via a VLAN trunk, each on a unique VID.
-I have 200+ customers.

If I were to subnet these addresses so that all the customers would get
their own IF (with an IP) in my router and their own IP, I could create a
bunch of /30 nets, but each customer would take up 4 IPs (net, G/W,
CustomerIP, broadcast) - and that is a big waste of IPs in my opinion.

If I could instead create a pseudo bridge with a "mother IF" acting as
gateway and distribute IPs via DHCP (ISC?), I could reduce the number of IPs
and the administration when adding new customers.

Anyone with a solution or revelation?

/Jon



On Thu, 2005-11-17 at 15:23 +0000, Brian Candler wrote:
> On Thu, Nov 17, 2005 at 04:06:03PM +0100, Jon Otterholm wrote:
> > Not a big fan of Linux though. I will have to wait for this to be ported
> > to BSD. Anyone with info if this is being done?
> ...
> > > [1] http://www.sjdjweis.com/linux/proxyarp/
> 
> You can do proxyarp like that with FreeBSD now. However you can't assign the
> same range of IPs to multiple interfaces, for obvious reasons.
> 
> I think the way you'll have to do it is to lie to your customers about the
> subnetting. For example, tell all your customers that they need a /16
> (255.255.0.0 netmask). Then you can actually configure:
> 
> ifconfig vlan0 192.168.0.1/28
> ifconfig vlan1 192.168.0.17/28
> ifconfig vlan2 192.168.0.33/28
> ...
> ifconfig vlan4095 192.168.255.249/28
> 
> Now, the customer on vlan0 can use 192.168.0.2 to 192.168.0.14 with a /16
> netmask. The customer on vlan1 can use 192.168.18 to 192.168.30 with a /16
> netmask, and so on.
> 
> When the FreeBSD machine sends a packet to the customer, that's fine. It
> knows which vlan interface to use, and hence ARPs for the customer down that
> interface, based on the fact that each customer is within their own /28
> range.
> 
> When the customer tries to send to another customer, you run choparp or a
> similar program so that if they ARP for 192.168.X.X the FreeBSD machine
> always responds with its own MAC address.
> 
> However, I see virtually no benefit in going down this route. The customer
> might as well just set up a /28 netmask and point defaultroute at the
> relevant FreeBSD IP address (192.168.0.1 or 192.168.0.17 or ...), and then
> you do *proper* routing.
> 
> After all, even with proxyARP, they will still see your router as an
> IP-level "hop" (it decrements TTL). And non-IP packets and broadcasts won't
> be forwarded between the subnets. Furthermore, if a customer decides to
> configure an IP address outside of their 'allowed' range, it won't work -
> and it will be hard to debug, as the FreeBSD box and the wrongly-configured
> box will *both* respond to the same ARP request, and so sometimes one will
> win and sometimes the other will win.
> 
> So, I really don't think you want to do this :-)
> 
> Regards,
> 
> Brian.

