fewi,
Finally got some time to make the setup as I wanted, but it's still not working according to your advice…
I have all 254 IP addresses set (/32) on the WAN1 interface (and only the .2 (= main IP of my border router itself) with /24 notation.)
I have proxy-arp enabled because that should be the way to go.
And of course I now also have many src-nat rules in the firewall to src-nat local IPs to their assigned public IPs (some indeed have two rules for two different local IPs src-natted to only one public IP).
Not all IPs are used up this way; I still have some 50 left, for which no src-nat rules are made and the IPs on the WAN interface are disabled.
The last rule in filter/NAT is a general rule that just masquerades all traffic going out via WAN1 that is not caught by one of the previous 1:1 or 2:1 src-nat rules.
I had to set all IPs on the WAN1 interface because otherwise browsing was almost impossible. Sometimes it worked, but very poorly, and VoIP/streaming data/games/log-in sessions timed out.
So, with all users now src-natted to a public IP, it seems to work fine.
But according to your previous story, setting all addresses on the interface was not needed if “proxy-arp” was enabled? But if I now disable the IP of a certain test PC (while I leave that src-nat rule in place), then after some time that PC loses its connection. Not immediately. Even if all connections from that PC are erased from the connection tracker, I can still use it for some time.
But then, after some more time (10 mins? Didn’t measure) that PC has no more connectivity.
I can only make it work again by enabling the IP again. Immediately after enabling the IP for that PC (the one the src-nat rule translates to), the PC gets its connectivity back…
I also had several users complaining, before they had a public IP assigned (so basically they were masqueraded to the border router’s main IP address), that browsing was poor and log-in sessions, Skype, VoIP and streaming data were virtually impossible.
The moment I gave them a src-nat rule with an IP on the WAN1 interface, all was fine!
And all this while the WAN1 interface had proxy-arp enabled the whole time!
So this is not really in line with what you wrote before.
BUT: I have one router in between that border router of mine and the next box of the ISP.
That router is an RB600; ether1, which connects to my RB1000 (border router), and ether2, which connects to the ISP Cisco box, are in a bridge. The bridge has “use IP firewall” enabled.
All this router does is filter the traffic for QoS in the queue tree.
Can it be that proxy-arp in the RB1000 actually can’t work because the Cisco box is physically not connected to the MAC address of the RB1000? It is actually connected to the MAC address of the RB600.
My idea was that bridging meant “transparent”, but maybe not for MAC-level traffic?
(Why do I use the RB600 for the QoS? Well, I could not even get the RB1000 to connect to the Cisco box in the first place. And secondly, since I also have 2 ADSL lines coming in via WAN2 and do client queues in the RB1000, I wanted to move the QoS outside the RB1000. I have been struggling to get both client simple queues and the mangle prerouting filter for QoS over three incoming lines with different speeds, and also policy routing (some clients only go out the ADSL lines), all in one box. It became too complex to handle, and now I have two RB600s taking care of the QoS for the two different types of WAN connections of the RB1000.)
One WAN (WAN1) connects to this Cisco box with a symmetric line, and one WAN (WAN2) connects to two attached ADSL modems.
(The RB600 between the RB1000 and the two ADSL lines is doing QoS and the PCC load balancing over the two ADSL lines. This RB600 is routed, since the ADSL modems attached to it do the NATting.)
Please tell me your thoughts about this.
rgds
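For reference, the setup described in the post above, written out as a RouterOS configuration. This is an added example, not the poster's own export or anyone's production config: the public block 203.0.113.0/24 (a documentation range), the LAN 192.168.1.0/24, the host names in the comments and the bridge name are all placeholders. It shows the three pieces the post describes on the border router (the /24 main address plus one /32 per assigned public IP on WAN1, proxy-arp on that interface, and specific 1:1 / 2:1 src-nat rules ahead of a masquerade catch-all) and the bridged QoS box in between with "use IP firewall" on. One caveat worth keeping in mind when reading it: in RouterOS, as in Linux, proxy-arp only answers ARP requests for addresses the router has a route to via a different interface, so a public IP that exists only inside a src-nat rule, with no /32 on WAN1 and no route, is not answered for on the WAN side; the upstream box then cannot learn where to send return traffic once its ARP entry ages out.

```routeros
# Added example with placeholder addresses; not the poster's real configuration.
# ---- Border router (RB1000) ----

# Main address in /24 notation, then one /32 per assigned public IP.
/ip address
add address=203.0.113.2/24 interface=WAN1 comment="main IP of the border router"
add address=203.0.113.10/32 interface=WAN1 comment="assigned to PC-A (1:1)"
add address=203.0.113.11/32 interface=WAN1 comment="shared by PC-B and PC-C (2:1)"
# Unassigned public IPs stay defined but disabled until a src-nat rule needs them.
add address=203.0.113.50/32 interface=WAN1 disabled=yes comment="spare, not yet assigned"

# proxy-arp on the WAN-facing interface.
/interface ethernet
set [ find name=WAN1 ] arp=proxy-arp

# Rule order matters: the specific 1:1 / 2:1 src-nat rules must come before the
# general masquerade rule, which catches everything they did not match.
/ip firewall nat
add chain=srcnat out-interface=WAN1 src-address=192.168.1.10 \
    action=src-nat to-addresses=203.0.113.10 comment="1:1 PC-A -> .10"
add chain=srcnat out-interface=WAN1 src-address=192.168.1.11 \
    action=src-nat to-addresses=203.0.113.11 comment="2:1 PC-B -> .11"
add chain=srcnat out-interface=WAN1 src-address=192.168.1.12 \
    action=src-nat to-addresses=203.0.113.11 comment="2:1 PC-C -> .11"
add chain=srcnat out-interface=WAN1 action=masquerade \
    comment="catch-all: everyone else goes out as the main IP .2"

# ---- QoS box in between (RB600) ----
# ether1 faces the RB1000, ether2 faces the ISP Cisco box; both are bridged and
# the bridge passes its traffic through /ip firewall so mangle/queue rules apply.
/interface bridge
add name=bridge1 comment="placeholder name; transparent QoS bridge"
/interface bridge port
add bridge=bridge1 interface=ether1 comment="to RB1000 WAN1"
add bridge=bridge1 interface=ether2 comment="to ISP Cisco box"
/interface bridge settings
set use-ip-firewall=yes
```

Because the RB600 bridge forwards frames between ether1 and ether2 unchanged, the Cisco box sees the MAC address of the RB1000's WAN1 in the ARP replies, not the RB600's; the bridge itself does not take part in ARP for the public block. The ordering shown in the nat table is the one thing to check first when a host that should be 1:1 NATted is unexpectedly going out as the main IP.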