Can I use proxy-arp and NAT to route an "alien" computer to the Internet?
I want to use a Linux box to bridge two heterogeneous networks.
Network 1 (eth0): The Internet
Network 2 (eth1): An Ethernet segment where everybody could plug his computer. Don't even think of subnets...
I want to allow computers connected to Network 2 to initiate requests to the Internet (browsing...).
Of course, I can't figure out what the IP address of a computer plugged into Network 2 is. If that computer is configured to use DHCP, I can provide it with all the parameters to route to Network 1. If that computer uses a static IP address, I imagine using proxy-arp to answer that computer with the MAC address of the Linux box as its gateway. Then, I could use NAT to let it access the Internet.
Can I consider such a scenario? What is needed to accomplish this?
=====================================================
I have already set:
echo "1" > /proc/sys/net/ipv4/conf/eth1/proxy_arp
arp -i eth1 -s 172.16.14.1 00:E0:4C:B0:1B:A5 pub
where:
IP_eth1=172.16.14.1
MAC_eth1=00:E0:4C:B0:1B:A5
=====================================================
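A minimal Linux gateway for the scenario described in this post, as an added example that is not code from the thread. The interface names eth0 and eth1 follow the post; the guest address 192.168.1.5, the DRY_RUN switch and the assumption that a DNS resolver listens on the box itself are mine. Instead of a published arp entry it relies on the proxy_arp sysctl together with the box's default route on eth0: the kernel then answers ARP requests on eth1 for any address it would route out through another interface, which is what lets it stand in for whatever gateway address a statically configured guest has. The guest also needs a return path, which is what the per-guest host route provides.

```shell
#!/bin/sh
# Added example, not code from the thread: a Linux box with eth0 on the Internet
# and eth1 on the open guest segment, using the proxy_arp sysctl plus MASQUERADE.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 applies them as root.

WAN=${WAN:-eth0}       # Network 1
GUEST=${GUEST:-eth1}   # Network 2
DRY_RUN=${DRY_RUN:-1}

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_gateway() {
    wan=$1; guest=$2
    run sysctl -w net.ipv4.ip_forward=1
    # Answer ARP on the guest segment for every address the box would route out
    # through another interface. With the default route on $wan that covers any
    # gateway address a guest may have configured statically.
    run sysctl -w "net.ipv4.conf.$guest.proxy_arp=1"
    # Guest source addresses are not in $guest's own subnet, so strict reverse-path
    # filtering would silently drop them; relax it on this interface only.
    run sysctl -w "net.ipv4.conf.$guest.rp_filter=0"
    # Hide every guest behind the box's own address on $wan.
    run iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
    # Guests may only initiate towards $wan; only replies come back. Nothing is
    # forwarded from the guest segment to any other interface.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$guest" -o "$wan" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$guest" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # A statically configured guest also carries a nameserver address that is
    # unreachable from here; redirect its DNS to a resolver on this box (assumed
    # to be listening on port 53).
    run iptables -t nat -A PREROUTING -i "$guest" -p udp --dport 53 -j REDIRECT --to-ports 53
}

# Give a guest with an arbitrary static address a return path: a host route on
# the guest interface. The address comes from observed traffic, so it is checked
# before it is spliced into a command line.
admit_guest() {
    ip=$1; guest=${2:-$GUEST}
    if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "admit_guest: refusing malformed address '$ip'" >&2
        return 1
    fi
    run ip route replace "$ip/32" dev "$guest"
}

# Usage: bring up the gateway, then admit a guest as soon as it is seen on eth1
# (constructed address; a DHCP lease hook or an ARP watcher would supply it).
setup_gateway "$WAN" "$GUEST"
admit_guest 192.168.1.5 "$GUEST"
```

Run it once with the default DRY_RUN=1 to review the commands, then with DRY_RUN=0 as root. The host route is the piece that has to be added per guest; everything in setup_gateway is done once.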
You want to allow a guest host to be able to dictate to your network what IP it is to be known as? Do not do this, it messes with any sensible security. Require those computers to use DHCP when they want to use your network... their users will just have to make do. (Most computers can store information needed to use a variety of networks.)
Thank you for your attention.
I manage a LAN. I always have guests connecting to this LAN. The guests' notebooks may come with many different kinds of network configurations and I do not want to set up anything on these guests' notebooks, and I do not have much spare time for that.
I tested a non-free hotspot solution called MikroTik and this solution called RouterOS was perfect. As you can read at the link provided... "HotSpot - HotSpot Gateway with RADIUS authentication and accounting; true Plug-and-Play access for network users; data rate limitation; differentiated firewall; traffic quota; real-time status information; walled-garden; customized HTML login pages; iPass support; SSL secure authentication; advertisement support"
But my company wants me to use an open source solution.
Then I started to study ARP/ArpProxy... and I guess that ProxyARP may help me a bit. I really do not know how but I guess it is possible to implement with some open source solution.
Well Mr Simon Bridge... this LAN is used only for guests to access internet. Just a free offered service to the guests.
So do I... and many other people. You post a notice telling the users how to access the LAN.
Fine that you found a solution you like and good you posted the solution here. But beware... these things are murder to secure.
Yes. I found a solution but for test purpose only (demo/trial/non-GNU).
I tested this solution to check that this is feasible... and it is.
The question now is... how to implement this using open-source way?
Mr Bridge... please, what kind of insecurity may this solution provide?
It only provides access to the internet for the guests with the feature "plug&play network access". I cannot understand how it can compromise security.
The possible holes could be:
1) one guest attacks another guest?
2) one guest attacks the internet?
3) one guest attacks the internal lan? (dropping down the internal lan)
But the 3 possibilities above may exist even in a DHCP-only based solution.
I understand that internal cabled LAN may be dropped down easily by any guest.
You missed the increased exposure to spoofing and sniffing from the internet. This is because of the wide range of network IPs available to your guest hosts.
I'm not saying you cannot protect yourself, only that it is harder. In general, the more convenient it is, the less secure it is.
People who use laptops are used to changing network settings for where they are.
I guess that I need:
1) be able to "capture" all possible default gateways from the guests (maybe using proxyarp);
2) snat 1:1 to my network addresses;
3) using my network addresses route the packets to the internet;
But... I am...trying...
... and trying... and googling... and no result.
Is that a euphemism for UPnP or DHCP?
The former will allow a host to open any ports on the firewall they want to without your control. It's the first thing to disable on a consumer router.
The latter was already suggested and will be used by anyone with a home NAT router or a cable modem. If a guest has a static address on their laptop, they will also have the wrong gateway and nameserver IPs.
==> it means:
a) if the guest has its dhcp client enabled: perfect. As usual and works;
b) if the guest has static network configuration and these ip addresses (ip/mask/gw/dns) are completely different from those provided by the local lan dhcp server: perfect. It is amazing but the guest accesses the internet perfectly.
summary:
The IP values on the guest's laptop do not matter. This router allows the guest to browse the internet. The exception is: the browser must connect with no proxy, i.e., direct mode must be set.
I want to implement a similar solution (but free/open source) to this MikroTik RouterOS (which must be paid for).
You could look at a linux router oriented distribution. Also look for Linux brouter howto's.
It sounds like your device will need to take the MAC address of the guests computer, and dynamically change the NAT rules and the routing table based on the interface's IP setting.
Sorry for being so stubborn, but anyone who can configure their computer for static addressing will know how to switch to DHCP. You will see far more problems when Windows XP defaults to ieee802.3 Authentication on the interface, and that is something that "Plug & Play networking" can't handle for them.
This project at sourceforge <ippnp> looks perfect to me... but there are no files to download.
I will follow your advice... looking for brouter.
As a reference of what I am looking for... besides mikrotik solution (read at #Getting Address item)... here is another one called nomadix and read about DAT (Dynamic Address Translation).
There are two things I wonder about from your supplied links.
A) What if two users use the same static IP address.
B) What about the user who has their wireless set to channel 10 for example, but your wireless AP runs on channel 11.
This post got me thinking. Networks in conventions and hotels are notorious for being insecure. Most wired networks in motels still use hubs instead of switches for example. IMHO better security may be a better selling point than PnP networking. Using DHCP should be easy enough for 99.9% of users. Being protected against snooping by other guests, or war drivers would be more important to more and more security minded users. Simple and secure are normally inversely proportional, but ironically a radius setup is easier to use for the end user than using pre-shared keys. Every user is assigned a unique key. But getting to that point would require the user to change their authentication settings.
Hello jschiwal,
May we divide this topic into two arenas?
a) Feasibility;
b) Security;
===================================================================================
Well, using few words... may we start with feasibility?
I am sure that this solution provides a lot of benefits in terms of flexibility. But let me say that this realm is limited to the local ethernet segment where the usual "arp" flows.
Regarding the security issue, this is an arena where we can talk about static data security, flowing data security, physical laptop security (against thieves)... but focusing on data being exchanged we have VPN as the usual solution for those who need it.
Regarding your question above I understand that the very basic information on a local ethernet network is driven by MAC address instead of IP address... looking for instance at OSI level.
So if two stations have the same IP address... I understand that these 2 guys are different if we "see" the pair (MAC,IPaddress)... assuming that MAC addresses are always different from each other.
So, the next step is to NAT one-to-one these clients from (MAC,IPaddress) to some NATed address using a virtual tunnel interface. This virtual tunnel interface is some virtual middle-point used just to "concentrate" the packets and to associate an IP address (the NATed 1:1 addresses). So at this virtual interface we would have the pair (MAC,IPaddress) translated to (NATed address). And these NATed address could be from some network_number/mask that network admin may define.
Then at this virtual interface we would have packets with NATed addresses that can be routed and forwarded to eth0 (internet interface) using iptables rules to implement firewalling rules.
Well... what I need now is a routine/code that works as function like: f(MAC,IPaddress)=NATed address... and a virtual interface.
This is what I am looking for now.
====================================================================================
Also we have to keep in mind that a bridge is like a "physical cable"... it does not care about IP addresses. So I understand that bridge-utils and ebtables cannot help me. Please correct me if I am wrong.
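One way to build the f(MAC,IPaddress) = NATed address function asked for above, together with the 1:1 NAT rules it drives, as an added example that is not code from the thread or from MikroTik or Nomadix. The pool 10.200.0.0/24, the state file path, the interface names eth0/eth1 and the sample guests are assumptions. No virtual tunnel interface is needed: iptables' mac match is only usable in PREROUTING, INPUT and FORWARD, so the (MAC,IP) pair is recognised in mangle/PREROUTING and turned into a packet mark, and the SNAT in nat/POSTROUTING keys on that mark. One caveat on jschiwal's question A): two guests sharing a static IP do get distinct NATed addresses and distinct outbound rules here, but replies to that IP are still delivered through the kernel's single neighbour entry for it on eth1, so the pair distinction does not carry through to the return path.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful f(MAC,IP) -> NATed address
# allocator and the per-guest 1:1 NAT rules it drives. Pool, interface names,
# the state file path and the sample guests are assumptions.

WAN=${WAN:-eth0}
GUEST=${GUEST:-eth1}
POOL_PREFIX=${POOL_PREFIX:-10.200.0}     # admin-defined /24 of NATed addresses
STATE=${STATE:-/var/lib/guestnat/map}    # one line per guest: "<mac> <ip> <nat-address>"

# Lower-case a MAC so 00:E0:4C:... and 00:e0:4c:... are the same key.
norm_mac() { printf '%s\n' "$1" | tr 'A-F' 'a-f'; }

# f(MAC,IP): the NATed address bound to this pair. The first time a pair is seen
# the next free pool address is appended to the state file, which is the whole
# memory of the function, so the mapping is stable across calls.
nat_address() {
    state=$1; mac=$(norm_mac "$2"); ip=$3
    [ -f "$state" ] || : > "$state" || return 1
    found=$(awk -v m="$mac" -v i="$ip" '$1 == m && $2 == i { print $3; exit }' "$state")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    n=$(( $(wc -l < "$state") + 1 ))
    if [ "$n" -gt 254 ]; then
        echo "nat_address: pool $POOL_PREFIX.0/24 exhausted" >&2
        return 1
    fi
    addr="$POOL_PREFIX.$n"
    printf '%s %s %s\n' "$mac" "$ip" "$addr" >> "$state"
    printf '%s\n' "$addr"
}

# Rules for one guest. The (MAC,IP) pair is matched in mangle/PREROUTING (the mac
# match cannot be used in POSTROUTING) and turned into a packet mark; the SNAT in
# nat/POSTROUTING keys on that mark. The mark is the guest's pool index. The
# NATed address is put on $WAN so that return traffic for it reaches this box.
guest_rules() {
    mac=$(norm_mac "$1"); ip=$2; nat=$3
    mark=${nat##*.}
    cat <<EOF
ip route replace $ip/32 dev $GUEST
ip address replace $nat/32 dev $WAN
iptables -t mangle -A PREROUTING -i $GUEST -m mac --mac-source $mac -s $ip -j MARK --set-mark $mark
iptables -t nat -A POSTROUTING -o $WAN -m mark --mark $mark -j SNAT --to-source $nat
iptables -t nat -A PREROUTING -i $WAN -d $nat -j DNAT --to-destination $ip
EOF
}

# Usage with constructed guests; two of them carry the same static address but
# distinct MACs and therefore get distinct NATed addresses.
demo_state=$(mktemp)
for pair in "02:00:00:00:00:01 192.168.1.5" "02:00:00:00:00:02 192.168.1.5" "02:00:00:00:00:03 10.0.0.7"; do
    set -- $pair
    nat=$(nat_address "$demo_state" "$1" "$2") || exit 1
    echo "# guest $1 $2 -> $nat"
    guest_rules "$1" "$2" "$nat"
done
rm -f "$demo_state"
```

The script only prints the rules; pipe the output of guest_rules into sh as root to apply them, and keep the state file on persistent storage so that a guest keeps its NATed address across reboots of the box.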