
Selective proxy-arp/proxy-ndp when doing SNAT/DNAT
Closed, Resolved | Public | FEATURE REQUEST

Description

Does there perhaps already exist a command in VyOS to solve the below use case?

Usecase:

eth0: WAN-interface.
eth1: LAN-interface.

eth0 is configured with 192.168.0.1/24.

eth0 is using default gateway 192.168.0.254.

You will SNAT a particular outgoing traffic at eth0 to 192.168.0.2 (basically do a 1:1 NAT since you will also SNAT another LAN-host to 192.168.0.3).

If you enable proxy-arp or local-proxy-arp on eth0 your VyOS box will then send arp replies for all IP-addresses of 192.168.0.0/24.

This is bad because in this use case there are other devices available on the 192.168.0.0/24 network besides your VyOS and the gateway it uses. The other devices will be interrupted when this VyOS box is sending arp-replies in their name. Other boxes will detect this as IP-collisions and/or an ARP-spoofing attack.

Solution:

You want to limit VyOS to proxy-arp only for 192.168.0.2 and 192.168.0.3 for arp-requests arriving at eth0.

Manually this could be achieved through the following commands; it would be preferred if something similar could be done through vyos-config:

/sbin/arp -i eth0 -Ds 192.168.0.2 eth0 pub
/sbin/arp -i eth0 -Ds 192.168.0.3 eth0 pub

It would be preferred if the vyos-config syntax involved not only physical interfaces but also vlan interfaces (vif) and tunnel interfaces.

Ref:

https://tldp.org/HOWTO/Proxy-ARP-Subnet/setup.html

https://manpages.debian.org/bookworm/net-tools/arp.8.en.html

Edit:

The above usecase describes proxy-arp (for IPv4) but the same need exists for proxy-ndp (for IPv6) even if NAT is less common in IPv6 world (but there can be other reasons for why a "virtual" IPv6 should be directed to the VyOS box using proxy-ndp).

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

I guess we should use the current ip neighbor xxx instead of old arp. I hope it does the same.

sudo ip neighbor add proxy 192.0.2.1 dev eth0
sudo ip -6 neigh add proxy aa::1 dev eth0

Show

vyos@r1# sudo ip neighbor show proxy
192.168.122.11 dev eth0  proxy
192.0.2.1 dev eth0  proxy
aa::1 dev eth0  proxy
[edit]
vyos@r1#

PR https://github.com/vyos/vyos-1x/pull/2240

set protocols static proxy-arp 192.0.2.1 interface eth0
set protocols static proxy-arp 192.0.2.1 interface eth1
set protocols static proxy-ndp 2001:db8::1 interface eth1

Maybe requires sysctl proxy_ndp=1 for IPv6 https://vtluug.org/wiki/Proxy_NDP

Apachez renamed this task from Selective proxy-arp when doing SNAT to Selective proxy-arp/proxy-ndp when doing SNAT/DNAT. Sep 12 2023, 11:26 PM
Apachez updated the task description.
set protocols static neighbor-proxy arp 192.0.2.1 interface eth1

check

vyos@r4# sudo ip nei show proxy
192.0.2.1 dev eth1 proxy 
[edit]
vyos@r4#
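The ticket's point is that proxy entries must be limited to the 1:1 NAT addresses and never cover the router's own address, the gateway or other hosts on the segment. The following Python script is an added example (not code from VyOS or from this task): it validates the addresses to be proxied against the interface subnet from the description, emits the corresponding `ip neighbor add proxy` commands, and audits `ip neighbor show proxy` output (a constructed sample here) against that allow-list so stray entries that would answer ARP/ND for someone else's address stand out.

```python
import ipaddress
import re

# Constructed sample of `ip neighbor show proxy` output; not captured from a real router.
SAMPLE_PROXY_OUTPUT = """\
192.168.0.2 dev eth0  proxy
192.168.0.3 dev eth0  proxy
192.168.0.77 dev eth0  proxy
2001:db8::1 dev eth1  proxy
"""

PROXY_LINE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+proxy\s*$")


def parse_proxy_neighbors(output):
    """Parse `ip neighbor show proxy` lines into a set of (address, interface) tuples."""
    entries = set()
    for line in output.splitlines():
        m = PROXY_LINE.match(line.strip())
        if m:
            entries.add((ipaddress.ip_address(m.group(1)), m.group(2)))
    return entries


def plan_proxy_entries(interface, interface_cidr, gateway, nat_addresses):
    """Return the `ip neighbor add proxy` commands for the NAT addresses on `interface`.

    Every address must be inside the interface subnet and must not be the router's
    own address or the upstream gateway; proxying those would make the router answer
    ARP/ND in their name, the collision the ticket describes for whole-subnet proxy-arp.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    forbidden = {iface.ip, ipaddress.ip_address(gateway)}
    commands = []
    for addr in nat_addresses:
        ip = ipaddress.ip_address(addr)
        if ip not in iface.network:
            raise ValueError(f"{ip} is outside {iface.network} on {interface}")
        if ip in forbidden:
            raise ValueError(f"refusing to proxy {ip}: router or gateway address")
        family = "" if ip.version == 4 else "-6 "
        commands.append(f"ip {family}neighbor add proxy {ip} dev {interface}")
    return commands


def unexpected_proxy_entries(output, allowed):
    """List (address, interface) pairs proxied on the box but absent from the allow-list."""
    allowed_set = {(ipaddress.ip_address(a), i) for a, i in allowed}
    stray = parse_proxy_neighbors(output) - allowed_set
    return sorted((str(ip), iface) for ip, iface in stray)
```

Run the audit from cron or a monitoring check with the real `ip neighbor show proxy` output piped in; a non-empty result means the router is proxying an address nobody planned for.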
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.