| Summary: | ARP proxy feature lacks documentation | ||
|---|---|---|---|
| Product: | Documentation | Reporter: | Bernd Luevelsmeyer <bdluevel> |
| Component: | Books & Articles | Assignee: | Bruce M Simpson <bms> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | Latest | ||
| Hardware: | Any | ||
| OS: | Any | ||
Description
Bernd Luevelsmeyer
2000-10-07 22:40:00 UTC
On Sat, Oct 07, 2000 at 02:32:37PM -0700, bdluevel@heitec.net wrote:
> Wanting to set up an "arp proxy", I remembered to have seen an entry
> "arpproxy_all" in /etc/defaults/rc.conf.
Depending on what you want to accomplish, the choparp port may do what
you want.
-- Brooks
--
Any statement of the form "X is the one, true Y" is FALSE.
Brooks Davis wrote:
>
> On Sat, Oct 07, 2000 at 02:32:37PM -0700, bdluevel@heitec.net wrote:
> > Wanting to set up an "arp proxy", I remembered to have seen an entry
> > "arpproxy_all" in /etc/defaults/rc.conf.
>
> Depending on what you want to accomplish, the choparp port may do what
> you want.
Thanks. I tried that already, to no avail. The gateway answered ARP
requests as intended but didn't forward the traffic, just as with 'arp
-s'.
Hence, the documentation issue about the /etc/rc.conf feature
"arpproxy_all" remains.
Greetings,
Bernd
On Sun, Oct 08, 2000 at 03:07:22AM +0200, Bernd Luevelsmeyer wrote:
> Thanks. I tried that already, to no avail. The gateway answered ARP
> requests as intended but didn't forward the traffic, just as with 'arp
> -s'.
> Hence, the documentation issue about the /etc/rc.conf feature
> "arpproxy_all" remains.
Err, what do you want to do? ARP proxying is just to allow a gateway to
lie to hosts whose idea of network layout doesn't match reality. The
gateway must handle packet forwarding separately.
Clearly this needs to be documented, but I'm not sure you're looking for
the right thing.
-- Brooks
--
Any statement of the form "X is the one, true Y" is FALSE.
Brooks Davis wrote:
>
> On Sun, Oct 08, 2000 at 03:07:22AM +0200, Bernd Luevelsmeyer wrote:
> > Thanks. I tried that already, to no avail. The gateway answered ARP
> > requests as intended but didn't forward the traffic, just as with 'arp
> > -s'.
> > Hence, the documentation issue about the /etc/rc.conf feature
> > "arpproxy_all" remains.
>
> Err, what do you want to do? ARP proxying is just to allow a gateway to
> lie to hosts whose idea of network layout doesn't match reality. The
> gateway must handle packet forwarding separately.
Yes, essentially by having several interfaces and setting
"gateway_enable" in /etc/rc.conf .
Initially, I thought I'd get what I want by setting both
"gateway_enable" and "arpproxy_all" to "YES". Then I realized I'd
somehow have to configure which addresses I wanted to have proxied, and
thought I could do that with "arp -s" commands in /etc/rc.local . With
these three simple steps, me thought, I could get things handled quite
easily.
> Clearly this needs to be documented, but I'm not sure you're looking for
> the right thing.
I wanted this thing: The gateway should announce the machines on its
"inner" interface to the "outer" interface, so that, from the outside,
the gateway would appear to have all the inner addresses itself. So, the
gateway would receive all the traffic that was intended for the "inner"
machines, and it should then forward the packages to the really intended
"inner" machines.
The matter is, I couldn't get this to work. I could get the arp proxy
functionality, or the gateway functionality; but not both at the same
time. As soon as the proxy-arping was working, the machine wouldn't
forward the traffic from the outside to the inside any more.
I used 'arp -s' commands to set up the arp proxy. I also tried
'choparp', but only shortly. I concentrated on 'arp -s' and the
"arpproxy_all" variable in /etc/rc.conf , because I wouldn't want to
trust a port if the system has the functionality by itself already.
I assume an arp proxy on a gateway is possible. Since the arp proxy
features of FreeBSD are not documented at all (except for a short
sentence in rc.conf(5)), I assume that I didn't get it right because of
a docu lack. Hence, the PR about lacking documentation.
Please see the thread "arp proxy" in freebsd-questions, where Christ J.
Clark does his best to help me. His "no docs on a sysctl switch!
*SHOCK*" gave me the idea of creating the PR btw..
Greetings,
Bernd
On Sun, Oct 08, 2000 at 05:14:12AM +0200, Bernd Luevelsmeyer wrote:
> I wanted this thing: The gateway should announce the machines on its
> "inner" interface to the "outer" interface, so that, from the outside,
> the gateway would appear to have all the inner addresses itself. So, the
> gateway would receive all the traffic that was intended for the "inner"
> machines, and it should then forward the packages to the really intended
> "inner" machines.
I've got a version of that set up at home. You can definitely do it with
choparp. Assuming the addresses you want to proxy are in a block which
could theoretically be subnetted (i.e. properly aligned and sized) then
you can do this fairly easily. I've got a setup where I've got 16 IPs
within a /24 subnet from my ISP. I simply configured my box with the
outside interface set up like normal on the /24 net and the inside
interface on the /28 net consisting of my IP addresses. I then use
choparp to proxy the entire /28 subnet on the outside interface. With
forwarding enabled my other hosts think they are on a /28 subnet and
everything just works.
> Please see the thread "arp proxy" in freebsd-questions, where Christ J.
> Clark does his best to help me. His "no docs on a sysctl switch!
> *SHOCK*" gave me the idea of creating the PR btw..
I don't read -questions. My pain tolerance isn't that high. ;-) I did
dig your message up on Geo Crawler and it looks like your situation is
virtually identical to mine so choparp should do it.
If your addresses aren't aligned, then you may have to do some weird
things, but it should be possible to make it work.
-- Brooks
--
Any statement of the form "X is the one, true Y" is FALSE.
Responsible Changed
From-To: freebsd-doc->wollman
Garrett, please document your changes in if_ether.c,v 1.4.
Responsible Changed
From-To: wollman->bms
I'll take this
State Changed
From-To: open->patched
An appropriate fix has been committed to HEAD.
State Changed
From-To: patched->closed
Fixed and MFC'ed
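
Added example, not part of the original thread and not FreeBSD or choparp code: a Python check of the condition Brooks Davis gives above, that the proxied addresses form a properly aligned and sized block inside the outer subnet. The addresses are constructed documentation-range values; the function names and the `reserved` list (outer-side addresses the proxy must never answer for, such as the upstream router) are assumptions.

```python
import ipaddress as ip

def proxy_blocks(first, last):
    """CIDR blocks that cover exactly first..last (inclusive)."""
    return list(ip.summarize_address_range(ip.ip_address(first),
                                           ip.ip_address(last)))

def check_plan(outer_net, first, last, reserved=()):
    """Check a proxy-ARP range against the outer subnet.

    single_subnet is True when the range is one aligned block, the case
    the thread calls easy. reserved is an assumed list of outer-side
    addresses (upstream router, other hosts) the proxy must not claim.
    """
    outer = ip.ip_network(outer_net)
    blocks = proxy_blocks(first, last)
    problems = [f"{b} is not inside {outer}"
                for b in blocks if not b.subnet_of(outer)]
    for r in map(ip.ip_address, reserved):
        if any(r in b for b in blocks):
            problems.append(f"proxy would answer ARP for reserved {r}")
    return {"blocks": blocks,
            "single_subnet": len(blocks) == 1,
            "problems": problems}

def would_answer(blocks, target):
    """True if an ARP who-has for target falls in a proxied block."""
    return any(ip.ip_address(target) in b for b in blocks)

if __name__ == "__main__":
    # Constructed values: /24 outside, 16 addresses inside, as in the thread.
    cases = {
        "aligned /28": ("192.0.2.16", "192.0.2.31"),
        "unaligned 16 addresses": ("192.0.2.20", "192.0.2.35"),
    }
    for name, (first, last) in cases.items():
        plan = check_plan("192.0.2.0/24", first, last, reserved=["192.0.2.1"])
        print(name, [str(b) for b in plan["blocks"]],
              "single subnet:", plan["single_subnet"], plan["problems"])
```

The unaligned case shows why misaligned addresses need extra work: the same 16 addresses split into three separate blocks, each of which would have to be proxied on the outer interface.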