On Fri Sep 27, 2024 at 5:45 AM CEST, David Gwynne wrote:
>
> we have done this with PVLAN at work. the firewalls are set up with
> promisc ports on the network, and the hosts are all on isolated ports.
> we use a normal subnet on this network, ie, we allocate a /25 (or /24,
> whatever) and set up carp on it, and it works.
>
> the only problem is if you want the hosts to be able to talk to
> each other. in that situation you'll want to steer all the traffic to
> the firewalls.

Yes, I'd like to apply the "normal" firewall rules to this traffic as well.

> the way we do that is with proxy arp, at least i think that's what the
> accepted name in the industry is for what we're doing. we basically get
> the firewalls to accept ARP packets from protected clients to protected
> clients and reply to them with their own MAC address. this causes the
> protected clients to send their packets via the firewall instead of
> directly to each other.
>
> i wrote https://github.com/eait-itig/commarp to fiddle with the arp
> packets.

Yes, this is an approach I found. Thanks for the code, I'll have a look.

> using a /32 on each host with a single shared gateway ip for the
> subnet should work too. the config on the protected host side sounded
> fiddly though, especially if you have multiple hosts on promisc or
> community ports on the pvlan that you want to be accessible without
> going via the router.

I looked at different datacenter hosting (OVH in France, Hetzner in Germany), and they all do this.

I still don't know what I will do; I will still investigate.

Thanks

--
Nicolas Goy
Developer and Engineer
Goyman SA
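The proxy ARP mechanism described in the quoted reply (the firewall answering ARP requests between protected clients with its own MAC so their traffic is steered through it) is illustrated below as an added example. It is not code from the thread or from the commarp project: it parses a constructed Ethernet/ARP request, applies the "protected client asking for another protected client" rule, and builds the reply frame. The firewall MAC, the 192.0.2.0/25 protected subnet and the firewall's own address 192.0.2.1 are assumed sample values.

```python
import ipaddress
import struct

# Constructed sample values (assumptions for this example, not from the thread):
FIREWALL_MAC = bytes.fromhex("020000aa0001")          # the firewall's own MAC
PROTECTED = ipaddress.ip_network("192.0.2.0/25")      # the /25 on the PVLAN
FIREWALL_IPS = {ipaddress.ip_address("192.0.2.1")}    # addresses the firewall owns

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def parse_arp(frame: bytes):
    """Return (op, sha, spa, tha, tpa) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha, ipaddress.ip_address(spa), tha, ipaddress.ip_address(tpa)


def should_proxy(spa, tpa) -> bool:
    """Answer only when a protected client asks for another protected client.

    Requests for the firewall's own addresses are left to the normal ARP stack,
    and requests from or for addresses outside the protected subnet are ignored,
    so the firewall never claims addresses it is not meant to front.
    """
    return (spa in PROTECTED and tpa in PROTECTED
            and spa != tpa and tpa not in FIREWALL_IPS)


def build_proxy_reply(frame: bytes):
    """Return the ARP reply claiming FIREWALL_MAC for tpa, or None if no reply is due."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None
    op, sha, spa, tha, tpa = parsed
    if op != ARP_REQUEST or not should_proxy(spa, tpa):
        return None
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       FIREWALL_MAC, tpa.packed,   # "tpa is at FIREWALL_MAC"
                       sha, spa.packed)            # addressed back to the requester
    return ETH_HDR.pack(sha, FIREWALL_MAC, ETHERTYPE_ARP) + arp


def build_request(sha: bytes, spa: str, tpa: str) -> bytes:
    """Constructed broadcast ARP request, as a client on an isolated port would send it."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REQUEST,
                       sha, ipaddress.ip_address(spa).packed,
                       b"\x00" * 6, ipaddress.ip_address(tpa).packed)
    return ETH_HDR.pack(b"\xff" * 6, sha, ETHERTYPE_ARP) + arp


if __name__ == "__main__":
    client_mac = bytes.fromhex("020000bb0010")
    req = build_request(client_mac, "192.0.2.10", "192.0.2.20")
    reply = build_proxy_reply(req)
    print("proxy reply:", reply.hex() if reply else None)
```

Because the reply is only generated for source and target addresses inside the protected subnet, and never for the firewall's own address, the firewall only inserts itself between isolated hosts; a real deployment would read frames from the promisc port and pass the reply back out on the same interface, which is the part this example leaves to the platform's raw-socket or BPF interface.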