Example – Westermo RedFox Series User Manual


Westermo OS Management Guide

Version 4.17.0-0

Example

example:/#> show firewall
...
=== Forwarding Packet Filter Rules ===========================================
Forwarding Policy DROP
target     prot in     out     source             destination
...
ACCEPT     all  any    vlan2   192.168.2.0/24     anywhere
...

31.1.4.2.4 Proxy ARP and 1-to-1 NAT

WeOS 1-to-1 NAT includes a proxy ARP mechanism, which makes the WeOS unit
answer ARP requests for the external network specified in the configuration
(the "dst" parameter in the CLI or the Destination Address(es) field in the Web
interface). The router only answers ARP requests originating from the network
connected to the inbound interface (CLI: "in" parameter, Web: Incoming
Interface). This makes it possible to use 1-to-1 NAT to pick up traffic to a
specific subnet from within a larger network without the need for explicit
routing settings.

An example is shown in fig. 31.8: You have a subnet 10.0.0.0/16 set on your
external LAN, and want to use 1-to-1 NAT to take care of the specific subnets
10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24, which should be translated and routed
to the inside of Router1, Router2 and Router3 respectively. In this case, hosts
on the external LAN, such as the management PC (10.0.0.99), will use ARP when
they want to reach something within the 10.0.0.0/16 range. If the PC sends an
ARP Request for 10.0.1.33 (PLC3), WeOS Router1 will respond and announce its
own MAC address in the ARP reply. Traffic from the management PC (and other
hosts on the external network) to 10.0.1.33 (PLC3) will be sent to Router1, which
performs 1-to-1 NAT (10.0.1.33 → 192.168.1.33) before forwarding the packets
towards PLC3.

Proxy ARP removes the need for explicit routing in some scenarios, but if you are
setting up a purely routed configuration, proxy ARP might not be useful, and in
some special cases it is even undesirable. For these special scenarios it is
possible to disable Proxy ARP for a 1-to-1 NAT rule. This is done by specifying
the CLI keyword "noarp" or by un-checking the Proxy ARP checkbox in the Web
interface. See sections 31.2.2.2 (Web) and 31.3.5 (CLI) for configuration details.
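
The following Python model is an added example, not WeOS code or CLI syntax. It reproduces the proxy ARP decision and the address translation described above, and audits a set of rules facing the same external LAN for overlapping ARP ranges and for rules that would answer ARP on behalf of a real host. The interface name "vlan1", the field name "inside", the host-bits-preserving mapping and the misconfigured sample rule are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Nat1to1Rule:
    in_iface: str         # inbound interface (CLI "in" parameter)
    dst: str              # external network (CLI "dst" parameter)
    inside: str           # translated network; field name is an assumption
    noarp: bool = False   # True models the CLI "noarp" keyword

    def answers_arp(self, iface, target_ip):
        """Would the router send a proxy ARP reply for target_ip seen on iface?"""
        if self.noarp or iface != self.in_iface:
            return False
        return ipaddress.ip_address(target_ip) in ipaddress.ip_network(self.dst)

    def translate(self, dst_ip):
        """Map an external address to its inside address, keeping the host bits."""
        ext, ins = ipaddress.ip_network(self.dst), ipaddress.ip_network(self.inside)
        if ext.prefixlen != ins.prefixlen:
            raise ValueError("1-to-1 NAT needs equally sized networks")
        addr = ipaddress.ip_address(dst_ip)
        if addr not in ext:
            return None
        return str(ins.network_address + (int(addr) - int(ext.network_address)))

def audit_segment(rules, real_hosts):
    """Findings for rules that all face one external LAN (assumption)."""
    findings = []
    active = [(n, ipaddress.ip_network(r.dst)) for n, r in rules.items() if not r.noarp]
    for i, (n1, net1) in enumerate(active):
        for n2, net2 in active[i + 1:]:
            if net1.overlaps(net2):
                findings.append(f"{n1} and {n2} both answer ARP for {net1} / {net2}")
        for host in real_hosts:
            if ipaddress.ip_address(host) in net1:
                findings.append(f"{n1} answers ARP for real host {host}")
    return findings

# Constructed sample data based on the fig. 31.8 description; "vlan1" is assumed.
ROUTER1 = Nat1to1Rule("vlan1", "10.0.1.0/24", "192.168.1.0/24")
ROUTER1_NOARP = Nat1to1Rule("vlan1", "10.0.1.0/24", "192.168.1.0/24", noarp=True)
TOO_WIDE = Nat1to1Rule("vlan1", "10.0.0.0/24", "192.168.0.0/24")  # misconfiguration

if __name__ == "__main__":
    print(ROUTER1.answers_arp("vlan1", "10.0.1.33"), ROUTER1.translate("10.0.1.33"))
    print(audit_segment({"Router1": ROUTER1, "Bad": TOO_WIDE}, ["10.0.0.99"]))
```
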


© 2015 Westermo Teleindustri AB
