Solved How to route an IP alias onwards? (aka "Proxy ARP")

Situation: I have an alias IP.

When data is sent to that IP from remote, the LAN gateway sends an ARP Request (who-has) for it, and as long as my interface has this alias IP configured, there will be a permanent entry in arp, and the data is received.
Then, as this alias IP is configured on the interface, the packet will be delivered locally.

Problem: I don't want this. I want these packets to be gatewayed; I want them to enter the routing table and be transported somewhere onwards.
The proper way to achieve this would probably be to configure the routing table in the LAN router so that it does not search for a final destination via ARP, but considers my machine as the next-hop router for that IP.

Suppose I cannot do this. Are there any tricks within FreeBSD to achieve the desired result?
That would be, have an ARP response created to tell the LAN router that it can put these packets onto my interface, but then have FreeBSD not try to deliver the packet locally, but instead consult the local routing table and find a next hop.
 
There's no way to bypass ARP if the alias IP is in the same subnet as the other IP address. The ARP lookups happen on every machine in that subnet. There's no routing for same-subnet IPs.

I think you should be able to use pf(4) rdr rules to achieve what you want, but I believe you're an IPFW user.
 
There's no way to bypass ARP if the alias IP is in the same subnet as the other IP address. The ARP lookups happen on every machine in that subnet. There's no routing for same-subnet IPs.
Oops, not really. If the primary IP and the alias IP were in the same subnet, then it would all be perfect, there would be no problem at all. Because then I could just do:
arp -s <alias-IP> <interface-mac> pub
And that would do exactly what I want.

But they are not in the same subnet - well, at least not in a sensible way. (In fact I have no idea what the subnet is supposed to be. The provider says it is 0xffffffff - which is obviously crap for ethernet.)
And one cannot add a static arp entry that is located in a subnet that one does not have.

I think you should be able to use pf(4) rdr rules to achieve what you want, but I believe you're an IPFW user.
Redirect, I see:
The packet is redirected to another destination and possibly a different port. That is 'forward' with ipfw.
This is exactly what I want to do. But, to forward the packet to another destination, it must at first be outgoing at all! It must be routed onwards (instead of being locally delivered).
And that is what I want to achieve!

An address that is configured onto an interface (with something like ifconfig igb0 inet 95.96.97.98 ...) is considered to be local to this machine; it cannot normally be forwarded or rerouted, because it will not be routed at all - it is already at its destination.

(One could probably grab an incoming packet in the firewall rules, and then force it to become outgoing right away. But I'm not sure if the IP stack would like that.)
 
Depends on your network topology. Can you draw your network including your subnets?
*laugh* There is no network topology. There is one machine, with one interface, and one IP address, and I know nothing about the network it is attached to. The machine is supposed to configure itself with DHCP (but that won't happen, not with me).

And then there is an alias IP address (or more than one). And we can use that alias IP as an alias and put it on the interface (and then use it for an IP-based virtual host web server), or we can use it as the IP address for some bhyve virtual instance or such.

But I do not want to do any of this. Instead, I want to grab that second IP address and route it into some tun device for openvpn, or something like that - and then move it to some other place in the galaxy where I can make better use of it.
 
But they are not in the same subnet - well, at least not in a sensible way. (In fact I have no idea what the subnet is supposed to be. The provider says it is 0xffffffff - which is obviously crap for ethernet.)
Subnets work at the IP layer, not at the physical (ethernet) layer. Setting your subnet to 0xffffffff disables ARP and forces any communication over that IP to be forwarded to the default router. Is it a PPTP link?
Redirect, I see:
The packet is redirected to another destination and possibly a different port. That is 'forward' with ipfw.
This is exactly what I want to do. But, to forward the packet to another destination, it must at first be outgoing at all! It must be routed onwards
This is not the case at all in pf. The rdr rules apply to incoming packets. See this example from the pf.conf(5) page:
Code:
rdr on ne3 inet proto tcp to port smtp -> 127.0.0.1 port spamd
That redirects any packet traversing that interface from any address to any address on port 25. Omit the "port smtp" part, and that rule will redirect all packets. I think what you want would be expressed in pf.conf(5) like this:
Code:
rdr on $some_if from any to $alias_ip -> $some_other_ip
No idea how to achieve this in IPFW.
 
Subnets work at the IP layer, not at the physical (ethernet) layer. Setting your subnet to 0xffffffff disables ARP and forces any communication over that IP to be forwarded to the default router. Is it a PPTP link?

No! I did it the ugly way now - look at that netmask:

Code:
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
     options=a10039<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWFILTER,RXCSUM_IPV6>
        ether 00:08:a2:0c:13:01
        inet xx.xx.xx.xx netmask 0x80000000 broadcast 127.255.255.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=9<PERFORMNUD,IFDISABLED>

So now I have half the Internet in my subnet! (And consequently I can arp half the Internet!)
And now look what that brave router in my network does:

Code:
# arp -a
? (45.129.33.45) at 00:c8:8b:e2:d6:87 on igb0 expires in 1028 seconds [ethernet]
? (45.129.33.172) at 00:c8:8b:e2:d6:87 on igb0 expires in 865 seconds [ethernet]
? (45.129.33.15) at 00:c8:8b:e2:d6:87 on igb0 expires in 1075 seconds [ethernet]
? (91.193.117.45) at 00:c8:8b:e2:d6:87 on igb0 expires in 967 seconds [ethernet]
? (45.155.205.25) at 00:c8:8b:e2:d6:87 on igb0 expires in 855 seconds [ethernet]
? (45.155.205.24) at 00:c8:8b:e2:d6:87 on igb0 expires in 881 seconds [ethernet]
? (45.129.33.174) at 00:c8:8b:e2:d6:87 on igb0 expires in 860 seconds [ethernet]
? (45.129.33.168) at 00:c8:8b:e2:d6:87 on igb0 expires in 1087 seconds [ethernet]
? (45.129.33.171) at 00:c8:8b:e2:d6:87 on igb0 expires in 854 seconds [ethernet]
? (45.129.33.170) at 00:c8:8b:e2:d6:87 on igb0 expires in 1173 seconds [ethernet]
...

It gives me back thousands of arp entries, for half the Internet, and all pointing to the router itself - and so it all works!

Now I want to do exactly the same! I want FreeBSD to give back ARP replies not only for the actually configured link-local IPs, but also for everything that it can potentially route to somewhere!
How do I activate that?
 
I got it - this one does the magic trick:
sysctl net.link.ether.inet.proxyall=1

(This provides ARP responses for non-link-local IP addresses, as long as they are present somewhere in the routing table.)

P.S:
If I had known right away what the thing I was missing is properly called, then it probably would have been easier:
And also:
Code:
# grep arpproxy /etc/defaults/rc.conf
arpproxy_all="NO"               # replaces obsolete kernel option ARP_PROXYALL.
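As an added audit helper (not code from the thread or from FreeBSD), the script below parses arp(8) -an and ifconfig(8) output in the formats quoted above and flags the two things this setup produces: one MAC answering ARP for many addresses (proxy ARP, or an ARP spoofer doing the same thing) and an interface whose netmask covers far more than its real link. The sample input is constructed; the function names are mine.

```shell
#!/bin/sh
# Audit helper for the proxy-ARP setup discussed in the thread (added example).
# Reads text in the format of "arp -an" and "ifconfig" on FreeBSD.

# Constructed sample of "arp -an" output (addresses and MACs are made up).
SAMPLE_ARP='? (192.0.2.10) at 02:00:00:00:00:01 on igb0 expires in 900 seconds [ethernet]
? (198.51.100.5) at 02:00:00:00:00:01 on igb0 expires in 880 seconds [ethernet]
? (198.51.100.6) at 02:00:00:00:00:01 on igb0 expires in 870 seconds [ethernet]
? (203.0.113.9) at 02:00:00:00:00:01 on igb0 expires in 860 seconds [ethernet]
? (192.0.2.20) at 02:00:00:00:00:02 on igb0 permanent [ethernet]'

# Constructed sample of "ifconfig" output, with the netmask from the thread.
SAMPLE_IFCONFIG='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.20 netmask 0x80000000 broadcast 127.255.255.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# shared_macs ARP_TEXT THRESHOLD: print "MAC COUNT" for every MAC that is the
# ARP answer for more than THRESHOLD IPs (what the router in the thread does).
shared_macs() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        $1 == "?" && $3 == "at" { n[$4]++ }
        END { for (m in n) if (n[m] > thr) print m, n[m] }'
}

# mask_prefix HEXMASK: prefix length of a hex netmask (0x80000000 -> 1),
# computed as the number of set bits.
mask_prefix() {
    printf '%s\n' "$1" | awk '{
        h = tolower(substr($1, 3)); bits = 0
        for (i = 1; i <= length(h); i++) {
            v = index("0123456789abcdef", substr(h, i, 1)) - 1
            while (v > 0) { bits += v % 2; v = int(v / 2) }
        }
        print bits }'
}

# wide_masks IFCONFIG_TEXT MINPREFIX: print "IFACE ADDR /PREFIX" for each inet
# address (loopback skipped) whose prefix is shorter than MINPREFIX; a host
# with such a mask will ARP for, and accept ARP replies for, all of it.
wide_masks() {
    printf '%s\n' "$1" | while read -r a b c d rest; do
        case "$a" in
            *:) ifc=${a%:} ;;
            inet) if [ "$c" = netmask ] && [ "$ifc" != lo0 ]; then
                      p=$(mask_prefix "$d")
                      if [ "$p" -lt "$2" ]; then echo "$ifc $b /$p"; fi
                  fi ;;
        esac
    done
}
```

Run it against real output with `shared_macs "$(arp -an)" 8` and `wide_masks "$(ifconfig)" 16`; on the router in the thread the first call would list its own MAC with thousands of entries.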
 