ARP manpage inaccurate?
I’m trying to do some (admittedly complex) arp setup. It seems like recent kernels do not support what the “arp” command line tool does. :-(
The setup I have is the following:
internal network using 10.0.0.0/24
external network using 10.0.1.0/24
DMZ using the external network's IP.
A firewall box is connected to all three networks, using IPs .1.
proxy-arp is enabled on the firewall box, and a box in the DMZ is reachable just fine (so apparently proxy-arp works and forwarding does, too).
I’d like to masquerade 10.0.1.2 to 10.0.0.2 - this works fine when I do “ip add addr 10.0.0.2 dev ethEXT”. I’d like to do it without.
For this I need to either teach my outside router the IP of my firewall as gateway (which I cannot), or I need to send ARP replies for the IP.
This works fine using proxy arp, as long as this IP is actually used by a box on the inner network or DMZ. Unfortunately, since I masquerade the IP, it doesn’t work.
The arp manpage states:
arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub
arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub
So I should be able to do
arp -i ethEXT -Ds 10.0.1.2 ethEXT pub
Well, this doesn’t work. In my kernel - probably any iproute2-enabled kernel - this creates the following entry in my arp table:
IP address HW type Flags HW address Mask Device
10.0.0.64 0x1 0xc 00:00:00:00:00:00 * eth0
I get the same result when I try giving my own MAC explicitly.
As far as I can tell, any iproute2-enabled kernel will NOT support arbitrary arp “publish” entries. All you can do is add arp_proxy entries.
If you know a solution apart from running a userspace arp daemon, please tell me. Until then I will stick with adding a second IP to my external if.
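The table in the post is the kernel's /proc/net/arp view, and its Flags column is a bitmask of the ATF_* values from Linux's include/uapi/linux/if_arp.h (ATF_COM 0x2, ATF_PERM 0x4, ATF_PUBL 0x8, so the poster's 0xc is a permanent published entry, which is how the kernel shows a proxy entry with a zeroed hardware address). The POSIX shell snippet below is an added example, not part of the post: it decodes that column and marks published (proxy) entries, which is handy when auditing which addresses a host will answer ARP for; it runs over constructed sample lines modelled on the table above, not a live host.

```shell
#!/bin/sh
# Decode the Flags column of /proc/net/arp (the table the `arp` tool prints).
# ATF_* bit values are taken from include/uapi/linux/if_arp.h.

# Constructed sample table standing in for the poster's output (not real hosts).
SAMPLE_ARP_TABLE='IP address       HW type     Flags       HW address            Mask     Device
10.0.0.64        0x1         0xc         00:00:00:00:00:00     *        eth0
10.0.1.1         0x1         0x2         52:54:00:12:34:56     *        ethEXT'

# decode_atf_flags HEX  -> prints the set ATF_* names joined by "|" (or NONE)
decode_atf_flags() {
    flags=$(( $1 ))          # shell arithmetic accepts the 0x prefix
    names=""
    for pair in 2:COM 4:PERM 8:PUBL 16:USETRAILERS 32:NETMASK 64:DONTPUB; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( flags & bit )) -ne 0 ]; then
            names="${names:+$names|}ATF_$name"
        fi
    done
    printf '%s\n' "${names:-NONE}"
}

# classify_arp_entries: reads an arp table on stdin and prints one line per
# entry: "<ip> <device> <decoded flags> <kind>", where kind is
#   published-proxy  for ATF_PUBL entries (the kernel answers ARP for this IP),
#   resolved         for completed neighbour entries (ATF_COM),
#   incomplete       for everything else.
classify_arp_entries() {
    tail -n +2 | while read -r ip hwtype flags hwaddr mask dev; do
        decoded=$(decode_atf_flags "$flags")
        case "$decoded" in
            *ATF_PUBL*) kind=published-proxy ;;
            *ATF_COM*)  kind=resolved ;;
            *)          kind=incomplete ;;
        esac
        printf '%s %s %s %s\n' "$ip" "$dev" "$decoded" "$kind"
    done
}

# Stand-alone run over the constructed sample; on a real host you would feed
# it `cat /proc/net/arp` instead.
printf '%s\n' "$SAMPLE_ARP_TABLE" | classify_arp_entries
```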