Proxy arp for non-overlapping subnets on an interface without assigning IP aliases

Proxy arp for non-overlapping subnets on an interface without assigning IP aliases

[Aks Kak]

I have a linux box with 2 interfaces with following IPs
eno1 : 10.1.1.0/24
eno2 : 192.168.2.0/27

I want to use network 10.3.3.0/25 as virtual IPs for 192.168.2.0/25
i.e. I will be doing DNAT using NETMAP target of IPTABLES.

DNAT and NETMAP, etc. is not the issue.

For my requirement to work, main thing is who (or how) will give arp
replies for 10.3.3.0/27 !!!
I have 2 ways of achieving this:
1. Create all 126 IPs 10.3.3.1 - 10.3.3.126 as alias IPs on eno1. I
want to avoid it.
2. Use proxy arp for entire subnet 10.3.3.0/25 on eno1 but this
require having atleast one IP from this subnet to be created as IP
alias on eno1, say 10.3.3.1/25. However, my concern is that this
10.3.3.1, as it has been assigned to eno1,may be used by mistake to
listen for any service, etc. or ping, etc. which otherwise I would
have to control using iptables rule set. I totally want to avoid it.

So, my query is how to do proxy arp for 10.3.3.0/25 on eno1 without
assigning 10.3.3.1/25 to eno1???

Re: Proxy arp for non-overlapping subnets on an interface without assigning IP aliases

[Aks Kak]

Ignore previous one or consider /27 as /25 at two places in previous mail:
***************************************************************************************
I have a linux box with 2 interfaces with following IPs
eno1 : 10.1.1.0/24
eno2 : 192.168.2.0/25

I want to use network 10.3.3.0/25 as virtual IPs for 192.168.2.0/25
i.e. I will be doing DNAT using NETMAP target of IPTABLES.

DNAT and NETMAP, etc. is not the issue.

For my requirement to work, main thing is who (or how) will give arp
replies for 10.3.3.0/25 !!!
I have 2 ways of achieving this:
1. Create all 126 IPs 10.3.3.1 - 10.3.3.126 as alias IPs on eno1. I
want to avoid it.
2. Use proxy arp for entire subnet 10.3.3.0/25 on eno1 but this
require having atleast one IP from this subnet to be created as IP
alias on eno1, say 10.3.3.1/25. However, my concern is that this
10.3.3.1, as it has been assigned to eno1,may be used by mistake to
listen for any service, etc. or ping, etc. which otherwise I would
have to control using iptables rule set. I totally want to avoid it.

So, my query is how to do proxy arp for 10.3.3.0/25 on eno1 without
assigning 10.3.3.1/25 to eno1???

On Sat, Jun 29, 2019 at 7:34 PM Aks Kak <akskak2012@gmail.com> wrote:
>
> I have a linux box with 2 interfaces with following IPs
> eno1 : 10.1.1.0/24
> eno2 : 192.168.2.0/27
>
> I want to use network 10.3.3.0/25 as virtual IPs for 192.168.2.0/25
> i.e. I will be doing DNAT using NETMAP target of IPTABLES.
>
> DNAT and NETMAP, etc. is not the issue.
>
> For my requirement to work, main thing is who (or how) will give arp
> replies for 10.3.3.0/27 !!!
> I have 2 ways of achieving this:
> 1. Create all 126 IPs 10.3.3.1 - 10.3.3.126 as alias IPs on eno1. I
> want to avoid it.
> 2. Use proxy arp for entire subnet 10.3.3.0/25 on eno1 but this
> require having atleast one IP from this subnet to be created as IP
> alias on eno1, say 10.3.3.1/25. However, my concern is that this
> 10.3.3.1, as it has been assigned to eno1,may be used by mistake to
> listen for any service, etc. or ping, etc. which otherwise I would
> have to control using iptables rule set. I totally want to avoid it.
>
> So, my query is how to do proxy arp for 10.3.3.0/25 on eno1 without
> assigning 10.3.3.1/25 to eno1???

Re: Proxy arp for non-overlapping subnets on an interface without assigning IP aliases

[Grant Taylor]

[-- Attachment #1: Type: text/plain, Size: 2582 bytes --]

On 6/29/19 8:05 AM, Aks Kak wrote:
> I have a linux box with 2 interfaces with following IPs
> eno1 : 10.1.1.0/24
> eno2 : 192.168.2.0/27
> 
> I want to use network 10.3.3.0/25 as virtual IPs for 192.168.2.0/25 
> i.e. I will be doing DNAT using NETMAP target of IPTABLES.

Okay.

> DNAT and NETMAP, etc. is not the issue.

Okay.

> For my requirement to work, main thing is who (or how) will give arp 
> replies for 10.3.3.0/27 !!!

I question why you will give ARP replies.  That implies that clients 
will also be part of the 10.3.3.0/27* network.

> I have 2 ways of achieving this:
> 1. Create all 126 IPs 10.3.3.1 - 10.3.3.126 as alias IPs on eno1. I 
> want to avoid it.

I don't think that's going to work the way (I think) you are wanting.

Remember, ARP is for working /within/ a layer 2 broadcast domain. 
Meaning that the clients connecting to the 10.3.3.0/27* will also be in 
the 10.3.3.0/27* network.  As such, using all 126 of the usable IPs is 
going to mean that there's no IP(s) available for client use.

> 2. Use proxy arp for entire subnet 10.3.3.0/25 on eno1 but this require 
> having atleast one IP from this subnet to be created as IP alias on 
> eno1, say 10.3.3.1/25.

It's been a while since I've used Proxy ARP, but I don't remember that 
being a requirement.  In face, I think doing that will cause problems.

> However, my concern is that this 10.3.3.1, as it has been assigned to 
> eno1,may be used by mistake to listen for any service, etc. or ping, 
> etc. which otherwise I would have to control using iptables rule 
> set. I totally want to avoid it.

Fair.

I think you're more likely going to need to assign a 10.3.3.0/27* IP to 
an interface, usually the interface connected to the network you are 
wanting to Proxy ARP to.

Even if you assign the IP to a dummy (loopback) interface and use DNAT, 
you are still going to have the potential binding problem.

> So, my query is how to do proxy arp for 10.3.3.0/25 on eno1 without 
> assigning 10.3.3.1/25 to eno1???

Why are you /not/ using routing?  Give the clients on the eno1 network 
segment a route to the 10.3.3.0/27* network via the IP assigned to eno1**.

* You have said 10.3.3.0/25 and 10.3.3.0/27.  You also make reference to 
126 (128) IPs.  I don't know which it is.  It probably doesn't matter. 
But it would help to be consistent.

** 10.1.1.0/24 is the IP reserved for the network and probably not the 
IP that will be assigned to eno1.  The same concept applies to eno2.



-- 
Grant. . . .
unix || die


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4008 bytes --]

Re: Proxy arp for non-overlapping subnets on an interface without assigning IP aliases

[Aks Kak]

Ignore previous one or consider /27 as /25 at two places in previous mail:
***************************************************************************************
I have a linux box with 2 interfaces with following IPs
eno1 : 10.1.1.0/24
eno2 : 192.168.2.0/25

I want to use network 10.3.3.0/25 as virtual IPs for 192.168.2.0/25
i.e. I will be doing DNAT using NETMAP target of IPTABLES.

DNAT and NETMAP, etc. is not the issue.

For my requirement to work, main thing is who (or how) will give arp
replies for 10.3.3.0/25 !!!
I have 2 ways of achieving this:
1. Create all 126 IPs 10.3.3.1 - 10.3.3.126 as alias IPs on eno1. I
want to avoid it.
2. Use proxy arp for entire subnet 10.3.3.0/25 on eno1 but this
require having atleast one IP from this subnet to be created as IP
alias on eno1, say 10.3.3.1/25. However, my concern is that this
10.3.3.1, as it has been assigned to eno1,may be used by mistake to
listen for any service, etc. or ping, etc. which otherwise I would
have to control using iptables rule set. I totally want to avoid it.

So, my query is how to do proxy arp for 10.3.3.0/25 on eno1 without
assigning 10.3.3.1/25 to eno1???

On Sat, Jun 29, 2019 at 7:35 PM Aks Kak <akskak2012@gmail.com> wrote:
>
> Aks Kak <akskak2012@gmail.com>
>
> 7:34 PM (0 minutes ago)
>
>
> to netdev
> I have a linux box with 2 interfaces with following IPs
> eno1 : 10.1.1.0/24
> eno2 : 192.168.2.0/27
>
> I want to use network 10.3.3.0/25 as virtual IPs for 192.168.2.0/25
> i.e. I will be doing DNAT using NETMAP target of IPTABLES.
>
> DNAT and NETMAP, etc. is not the issue.
>
> For my requirement to work, main thing is who (or how) will give arp
> replies for 10.3.3.0/27 !!!
> I have 2 ways of achieving this:
> 1. Create all 126 IPs 10.3.3.1 - 10.3.3.126 as alias IPs on eno1. I
> want to avoid it.
> 2. Use proxy arp for entire subnet 10.3.3.0/25 on eno1 but this
> require having atleast one IP from this subnet to be created as IP
> alias on eno1, say 10.3.3.1/25. However, my concern is that this
> 10.3.3.1, as it has been assigned to eno1,may be used by mistake to
> listen for any service, etc. or ping, etc. which otherwise I would
> have to control using iptables rule set. I totally want to avoid it.
>
> So, my query is how to do proxy arp for 10.3.3.0/25 on eno1 without
> assigning 10.3.3.1/25 to eno1???

Proxy arp for non-overlapping subnets on an interface without assigning IP aliases

[Aks Kak]

Aks Kak <akskak2012@gmail.com>

7:34 PM (0 minutes ago)


to netdev
I have a linux box with 2 interfaces with following IPs
eno1 : 10.1.1.0/24
eno2 : 192.168.2.0/27

I want to use network 10.3.3.0/25 as virtual IPs for 192.168.2.0/25
i.e. I will be doing DNAT using NETMAP target of IPTABLES.

DNAT and NETMAP, etc. is not the issue.

For my requirement to work, main thing is who (or how) will give arp
replies for 10.3.3.0/27 !!!
I have 2 ways of achieving this:
1. Create all 126 IPs 10.3.3.1 - 10.3.3.126 as alias IPs on eno1. I
want to avoid it.
2. Use proxy arp for entire subnet 10.3.3.0/25 on eno1 but this
require having atleast one IP from this subnet to be created as IP
alias on eno1, say 10.3.3.1/25. However, my concern is that this
10.3.3.1, as it has been assigned to eno1,may be used by mistake to
listen for any service, etc. or ping, etc. which otherwise I would
have to control using iptables rule set. I totally want to avoid it.

So, my query is how to do proxy arp for 10.3.3.0/25 on eno1 without
assigning 10.3.3.1/25 to eno1???