Friday, September 27, 2024

Re: Firewall for isolated hosts

On Fri Sep 27, 2024 at 5:45 AM CEST, David Gwynne wrote:
>
> we have done this with PVLAN at work. the firewalls are set up with
> promisc ports on the network, and the hosts are all on isolated ports.
> we use a normal subnet on this network, ie, we allocate a /25 (or /24,
> whatever) and set up carp on it, and it works.
>
> the only problem is if you want the hosts to be able to talk to
> each other. in that situation you'll want to steer all the traffic to
> the firewalls.

Yes, I'd like to apply the "normal" firewall rules to this traffic as well.

>
> the way we do that is with proxy arp, at least i think that's what the
> accepted name in the industry is for what we're doing. we basically get
> the firewalls to accept ARP packets from protected clients to protected
> clients and reply to them with their own MAC address. this causes the
> protected clients to send their packets via the firewall instead of
> directly to each other.
>
> i wrote https://github.com/eait-itig/commarp to fiddle with the arp
> packets.

Yes, this is an approach I found. Thanks for the code, I'll have a look.

>
> using a /32 on each host with a single shared gateway ip for the
> subnet should work too. the config on the protected host side sounded
> fiddly though, especially if you have multiple hosts on promisc or
> community ports on the pvlan that you want to be accessible without
> going via the router.

I looked at different datacenter hosting providers (OVH in France, Hetzner in Germany),
and they all do this.

I still don't know what I will do; I will keep investigating.

Thanks

--
Nicolas Goy
Developer and Engineer
Goyman SA
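The proxy-ARP steering discussed in the thread, as an added example that is not part of the original post and is not commarp's code: the decision a firewall on a PVLAN promiscuous port makes about whether to answer an ARP request from one isolated host for another isolated host with its own MAC, and the reply frame it would then send, so that host-to-host traffic passes the firewall and its normal ruleset. The 192.0.2.0/25 subnet, the gateway address 192.0.2.1 and all MAC addresses are constructed sample values; actually putting the reply on the wire (BPF or a raw socket) is out of scope and left out.

```python
import ipaddress
import struct

# Added example, not commarp's code: the proxy-ARP decision a firewall on a
# PVLAN promiscuous port makes, plus the reply it would send. The firewall
# answers ARP requests between protected (isolated-port) hosts with its own
# MAC so that their traffic is steered through it and hits the normal rules.

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sha": mac_text(sha), "spa": ipaddress.IPv4Address(spa),
        "tha": mac_text(tha), "tpa": ipaddress.IPv4Address(tpa),
    }


def should_proxy(arp, protected, own_addrs):
    """Answer only requests from one protected host for another protected host.

    Requests for the firewall's own addresses (the CARP gateway) are left to the
    kernel, off-subnet targets are already reached via the gateway, and a host
    probing its own address (gratuitous / duplicate-address ARP) must not be
    answered or it will conclude the address is already taken.
    """
    if arp is None or arp["op"] != ARP_REQUEST:
        return False
    if arp["spa"] not in protected or arp["tpa"] not in protected:
        return False
    if arp["tpa"] in own_addrs or arp["spa"] == arp["tpa"]:
        return False
    return True


def build_frame(op, src_mac, src_ip, dst_mac, dst_ip, eth_dst=None):
    """Build an Ethernet+ARP frame; requests go to broadcast unless eth_dst is given."""
    eth_dst = eth_dst or ("ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else dst_mac)
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(src_mac), ipaddress.IPv4Address(src_ip).packed,
                       mac_bytes(dst_mac), ipaddress.IPv4Address(dst_ip).packed)
    return eth + arp


def proxy_reply(arp, fw_mac):
    """Reply claiming the target IP lives at the firewall's MAC, unicast to the requester."""
    return build_frame(ARP_REPLY, fw_mac, str(arp["tpa"]), arp["sha"], str(arp["spa"]))


def handle(frame, protected, own_addrs, fw_mac):
    """Return the reply frame the firewall should emit, or None to stay silent."""
    arp = parse_arp(frame)
    if not should_proxy(arp, protected, own_addrs):
        return None
    return proxy_reply(arp, fw_mac)


# Constructed sample values: a /25 protected subnet, firewall owning the gateway address.
PROTECTED = ipaddress.IPv4Network("192.0.2.0/25")
OWN_ADDRS = {ipaddress.IPv4Address("192.0.2.1")}
FW_MAC = "02:00:00:00:00:01"

if __name__ == "__main__":
    req = build_frame(ARP_REQUEST, "02:00:00:00:00:10", "192.0.2.10",
                      "00:00:00:00:00:00", "192.0.2.20")
    print(parse_arp(handle(req, PROTECTED, OWN_ADDRS, FW_MAC)))
```

The check that matters operationally is the one that stays silent: requests for the gateway itself, for addresses outside the protected prefix, and a host's probe for its own address all fall through to normal behaviour, so the only thing the firewall ever claims is a protected host's address towards another protected host.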
