I’m trying to do some (admittedly complex) arp setup. It seems like recent kernels do not support what the “arp” command line tool does. :-(

The setup I have is the following:

internal network using 10.0.0.0/24
external network using 10.0.1.0/24
DMZ using the external network's IPs

A firewall box is connected to all three networks, using IPs .1

proxy-arp is enabled on the firewall box, and a box in the DMZ is reachable just fine (so apparently proxy-arp works and forwarding does so, too)

I’d like to masquerade 10.0.1.2 to 10.0.0.2 - this works fine when I do “ip add addr 10.0.0.2 dev ethEXT”. I’d like to do it without.

For this I need to either teach my outside router the IP of my firewall as gateway (which I cannot) - or I need to send ARP replies for the IP.

This works fine using proxy arp, as long as this IP is actually used by a box on the inner network or DMZ. Unfortunately, since I masquerade the IP, it doesn’t work.

The arp manpage states:

arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub

arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub

So I should be able to do

arp -i ethEXT -Ds 10.0.1.2 ethEXT pub

Well, this doesn’t work. In my kernel - probably any iproute2-enabled kernel - this creates the following entry in my arp table:

IP address       HW type     Flags       HW address            Mask     Device
10.0.0.64        0x1         0xc         00:00:00:00:00:00     *        eth0

I get the same result when I try giving my own MAC explicitly.

As far as I can tell, any iproute2-enabled kernel will NOT support arbitrary arp “publish” entries. All you can do is add arp_proxy entries.
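To make sense of entries like the one listed above, here is an added Python example (not from the original post) that parses /proc/net/arp output and decodes the Flags column with the ATF_* bits from linux/if_arp.h; the sample table is constructed and its second row mirrors the entry the post shows, so the script flags it as a published entry carrying no hardware address.

```python
"""Parse /proc/net/arp and decode the Flags column (ATF_* bits)."""

# ATF_* flag bits as defined in <linux/if_arp.h>
ATF_FLAGS = {
    0x02: "ATF_COM",          # completed entry
    0x04: "ATF_PERM",         # permanent entry
    0x08: "ATF_PUBL",         # publish (answer ARP for this address)
    0x10: "ATF_USETRAILERS",
    0x20: "ATF_NETMASK",
    0x40: "ATF_DONTPUB",
}
KNOWN_MASK = sum(ATF_FLAGS)

# Constructed sample in /proc/net/arp layout; the second row reproduces
# the entry shown in the post (flags 0xc, all-zero hardware address).
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.1.1         0x1         0x2         00:11:22:33:44:55     *        ethEXT
10.0.0.64        0x1         0xc         00:00:00:00:00:00     *        eth0
"""


def parse_arp_table(text):
    """Return one dict per data row; the header line is skipped."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 6:
            continue  # tolerate blank or malformed lines
        ip, hwtype, flags, hwaddr, mask, dev = fields
        entries.append({"ip": ip, "hwtype": int(hwtype, 16),
                        "flags": int(flags, 16), "hwaddr": hwaddr,
                        "mask": mask, "dev": dev})
    return entries


def decode_flags(flags):
    """Map a Flags value such as 0xc to its ATF_* names, lowest bit first."""
    names = [name for bit, name in sorted(ATF_FLAGS.items()) if flags & bit]
    unknown = flags & ~KNOWN_MASK
    if unknown:
        names.append(hex(unknown))  # bits this table does not know
    return names


def published_without_hwaddr(entries):
    """IPs of entries marked ATF_PUBL whose hardware address is all zeros,
    i.e. the form the post reports after 'arp -Ds ... pub'."""
    return [e["ip"] for e in entries
            if e["flags"] & 0x08 and set(e["hwaddr"].replace(":", "")) == {"0"}]


if __name__ == "__main__":
    rows = parse_arp_table(SAMPLE_ARP_TABLE)
    for e in rows:
        print(e["ip"], e["dev"], "|".join(decode_flags(e["flags"])))
    print("published, zero MAC:", published_without_hwaddr(rows))
```

Point the script at the real file with open("/proc/net/arp").read() in place of the constructed sample to audit a live box.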

If you know a solution apart from running a userspace arp daemon, please tell me. Until then I will stick with adding a second IP to my external if.