So, I’m converting firewall rules from Shorewall, and am trying to figure out the proxy ARP thing, despite the lack of documentation. I think I finally have the settings right, but I still can’t reach the servers in my DMZ from either my LAN or WAN interfaces. I can, however, arp-ping the hosts in the DMZ. I just can’t get any other kind of connection.
I’ll post the relevant parts of my firewall script. If you want to see the whole thing, let me know.
If it was just an issue of not being able to see something from the outside, I would say it might be an ARP caching issue, but I can’t get to the server in the DMZ from the inside either. For reference, I’ll include some other stuff (/ip route print, /ip address print and /interface ethernet print) below the config.
Any pointers would be great! Thanks!
# Clear all filter rules
:foreach i in=[/ip firewall filter find] do={/ip firewall filter remove numbers=$i}
# Clear all nat rules
:foreach i in=[/ip firewall nat find] do={/ip firewall nat remove numbers=$i}
# Clear all route rules
# 0 ADS 0.0.0.0/0 192.168.100.1 0
# Probably don't want to do this, not sure how to do what I want
#:foreach i in=[/ip route find static] do={/ip route remove numbers=$i}
# Remove addresses by list position; these numbers shift whenever an address is added or removed, so check "/ip address print" first
/ip address remove numbers=3,4,5,6,7,8,9
# Router's public address on wan; the /32 form is re-used on the dmz side for the proxy-arp address below
:global wanip "XXX.XXX.62.172"
:global wannet "XXX.XXX.62.172/32"
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Want existing connections to pass through OK
add action=accept chain=input connection-state=established in-interface=wan comment="default configuration"
add action=accept chain=input connection-state=related in-interface=wan comment="default configuration"
add action=accept chain=forward connection-state=established in-interface=wan comment="default configuration"
add action=accept chain=forward connection-state=related in-interface=wan comment="default configuration"
# Proxy ARP rules
# We want the external interface to proxy arp
/interface ethernet set wan arp=proxy-arp
/ip address
# This will fail if already set, but that's OK
add address=192.168.50.1/24 interface=dmz
add address=$wannet network=XXX.XXX.62.156 interface=dmz broadcast=0.0.0.0 comment="Europa"
/ip firewall filter
# Rules
# Europa
# Allow forwarded traffic to Europa's public address (evaluated before the "Drop all from wan" rule below)
add action=accept chain=forward out-interface=dmz dst-address=XXX.XXX.62.156 comment="Europa"
# NAT rules
/ip firewall nat
# Masquerade everything from lan to wan
add action=masquerade chain=srcnat out-interface=wan comment="default configuration"
/ip firewall filter
# Policy (i.e default rules)
add action=accept chain=input in-interface=lan comment="ACCEPT lan fw"
add action=accept chain=output out-interface=wan comment="ACCEPT fw to net"
add action=accept chain=output out-interface=dmz comment="ACCEPT fw to dmz"
add action=accept chain=forward in-interface=lan out-interface=wan comment="ACCEPT lan to wan"
add action=accept chain=forward in-interface=lan out-interface=dmz comment="ACCEPT lan to dmz"
add action=accept chain=forward in-interface=dmz out-interface=wan comment="ACCEPT dmz to wan"
add action=drop chain=forward in-interface=wan comment="Drop all from wan"
add action=drop chain=input in-interface=wan comment="Drop all from wan"
add action=reject chain=input comment="if nothing else matches, reject"
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 A S  0.0.0.0/0                          XXX.XXX.0.1            1
 1 ADC  192.168.50.0/24    192.168.50.1    dmz                    0
 2 ADC  192.168.100.0/24   192.168.100.1   lan                    0
 3 ADC  XXX.XXX.0.0/18     XXX.XXX.62.172  wan                    0
 4 ADC  XXX.XXX.62.156/32  XXX.XXX.62.172  dmz                    0
/interface ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME    MTU   MAC-ADDRESS        ARP        MASTER-PORT  SWITCH
 0 R  wan     1500  00:0C:42:5A:03:22  proxy-arp
 1 R  lan     1500  00:0C:42:5A:03:23  enabled    none         switch1
 2 R  dmz     1500  00:0C:42:5A:03:24  enabled    none         switch1
 3 X  ether4  1500  00:0C:42:5A:03:25  enabled    none         switch1
 4 X  ether5  1500  00:0C:42:5A:03:26  enabled    none         switch1
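The check worth running before touching the rules again is to ARP for Europa's address from a host on the WAN segment and see which MAC answers. The shell script below is an added example, not part of the original post and not MikroTik code: it parses `tcpdump -n -i <if> arp` output and reports whether the ARP reply for the DMZ host's address carries the wan port's MAC (00:0C:42:5A:03:22, taken from the interface print above). The 203.0.113.x addresses are documentation placeholders standing in for the redacted XXX.XXX.62.x values, and the capture lines are constructed to show one working and one failing segment.

```shell
#!/bin/sh
# Added example (not from the original post): check, from a host on the WAN
# segment, that the MikroTik's wan port answers ARP for the DMZ host's public
# address, i.e. that proxy ARP is actually working on that side.
#
# Assumptions / placeholders:
#   - 203.0.113.156 stands in for the redacted XXX.XXX.62.156 (Europa)
#   - 203.0.113.1   stands in for the host doing the ARP-ing on the WAN side
#   - 00:0C:42:5A:03:22 is the wan port MAC from the interface print
#   - capture lines are in the format produced by `tcpdump -n -i <if> arp`

# check_proxy_arp CAPTURE_TEXT DMZ_HOST_IP EXPECTED_MAC
# Exit status: 0 = the first ARP reply for DMZ_HOST_IP carries EXPECTED_MAC
#              1 = a reply came from a different MAC (another device claims
#                  the address, or proxy ARP is enabled on the wrong box)
#              2 = no ARP reply for DMZ_HOST_IP appears in the capture
check_proxy_arp() {
    capture=$1
    ip=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    # Extract the MAC from the first "Reply <ip> is-at <mac>," in the capture.
    got=$(printf '%s\n' "$capture" | awk -v ip="$ip" '
        /Reply/ {
            for (i = 1; i <= NF; i++) {
                if ($i == ip && $(i+1) == "is-at") {
                    mac = $(i+2)
                    sub(/,$/, "", mac)
                    print tolower(mac)
                    exit
                }
            }
        }')
    if [ -z "$got" ]; then
        return 2
    elif [ "$got" = "$want" ]; then
        return 0
    else
        return 1
    fi
}

# Human-readable wrapper; always returns 0 so it can sit at top level.
report_proxy_arp() {
    rc=0
    check_proxy_arp "$1" "$2" "$3" || rc=$?
    case $rc in
        0) echo "OK: $2 is answered by $3 (router proxy ARP is working)" ;;
        1) echo "WRONG MAC: something other than $3 answers ARP for $2" ;;
        2) echo "NO REPLY: nothing on this segment answers ARP for $2" ;;
    esac
}

ROUTER_WAN_MAC='00:0C:42:5A:03:22'
DMZ_HOST_IP='203.0.113.156'

# Constructed capture: the router's wan port answers for Europa.
GOOD_CAPTURE='12:00:01.000000 ARP, Request who-has 203.0.113.156 tell 203.0.113.1, length 28
12:00:01.000300 ARP, Reply 203.0.113.156 is-at 00:0c:42:5a:03:22, length 28'

# Constructed capture: requests go unanswered, which is what a segment looks
# like when the wan port is not set to arp=proxy-arp or the /32 is missing.
DEAD_CAPTURE='12:00:01.000000 ARP, Request who-has 203.0.113.156 tell 203.0.113.1, length 28
12:00:02.000000 ARP, Request who-has 203.0.113.156 tell 203.0.113.1, length 28'

report_proxy_arp "$GOOD_CAPTURE" "$DMZ_HOST_IP" "$ROUTER_WAN_MAC"
report_proxy_arp "$DEAD_CAPTURE" "$DMZ_HOST_IP" "$ROUTER_WAN_MAC"
```

To use it on a real network, capture with `tcpdump -l -n -i eth0 arp` on a host in the same WAN segment while `arping` the DMZ address, and feed that text to `check_proxy_arp`. The same check is worth repeating on the dmz segment for whatever address Europa uses as its default gateway: a host can only send off-link traffic once its gateway's MAC resolves, so an unanswered gateway request on that side would explain a machine that responds to arp-ping but to nothing else.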