Maple Thorpe
2010-Oct-12 16:16 UTC
Which is best option for environment ProxyARP or One-one-nat?
I have read and re-read shorewall setup instructions and I am still unsure whether proxyarp or one-one-nat is the path to take. If it makes a difference, there are plans to add VPN. Appreciate a nudge in the right direction.

Description of environment:

Net---(8 IpAddresses)>Firewall/Router(2 IPAddresses and 3 NICs)
Firewall/Router-->(NIC 1 External IP)
Firewall/Router-->(NIC 2 (Loc) Private IP (10.10.10.1))-->Loc HUB
Firewall/Router-->(NIC 3 (DMZ) Private IP (10.10.11.1))-->DMZ HUB

DMZ1---(NIC 1 (Loc) Private IP (10.10.10.2)
DMZ1---(NIC 2 (DMZ) Private IP (10.10.11.2) DNS Server (1 External IP))

DMZ2---(NIC 1 (Loc) Private IP (10.10.10.3)
DMZ2---(NIC 2 (DMZ) Private IP (10.10.11.3) DNS Server/Inbound Mail Server (2 External IPs))

DMZ3---(NIC 1 (Loc) Private IP (10.10.10.4)
DMZ3---(NIC 2 (DMZ) Private IP (10.10.11.4) DNS Server/Outbound Mail Server (2 External IPs))

LOC1---(NIC 1 Private IP (10.10.10.5) OSSEC Server
LOC2---(NIC 1 Private IP (10.10.10.6) ACID Web Interface
LOC3---(NIC 1 Private IP (10.10.10.7) Bacula

Thanks
Simon Hobson
2010-Oct-12 16:31 UTC
Re: Which is best option for environment ProxyARP or One-one-nat?
Maple Thorpe wrote:
>Net---(8 IpAddresses)>Firewall/Router(2 IPAddresses and 3 NICs)
>Firewall/Router-->(NIC 1 External IP)
>Firewall/Router-->(NIC 2 (Loc) Private IP (10.10.10.1))-->Loc HUB
>Firewall/Router-->(NIC 3 (DMZ) Private IP (10.10.11.1))-->DMZ HUB

Not clear from that whether you have a separate IP you can use for the outside interface - I'm assuming not.

My preference is to avoid NAT completely if you can. One option is to run your firewall as a bridge - that way, you can use your public IPs on the public facing servers without any need for NAT or Proxy ARP. It's really the simplest way as there are then no complications at all to worry about. The downside is that the bridge code in the Linux networking imposes some limitations.

You could, assuming you have the skills, run a firewall as a virtual machine under Xen (or any other mechanism you are familiar with), and then host your VPN endpoints on a separate real or virtual machine. That will remove some of the complexity, though it will add a little of its own - while you can run everything on one box, you can certainly simplify things if you divide and conquer!

If you had a separate public IP to use as a link address, then I'd say it's a no-brainer, just use routed mode like this:

--link-- <link IP><firewall><public subnet> --- DMZ

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
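As an added illustration (not from either poster, and not copied from Shorewall's own documentation), here is what the three approaches in this thread, the proxy ARP and one-to-one NAT the question asks about and the bridged firewall Simon suggests, look like as Shorewall configuration for the DMZ hosts in the diagram. The interface names (eth0 external, eth1 loc, eth2 dmz) and the public block 203.0.113.8/29 are assumptions, since the thread gives neither.

```text
# Added example, not from the thread. Assumed layout: eth0 = external, eth1 = loc,
# eth2 = dmz; public block 203.0.113.8/29 is a constructed placeholder for the
# "8 IpAddresses" in the diagram, with .9 on the firewall's eth0.

# --- Option A: proxy ARP (/etc/shorewall/proxyarp) ---------------------------
# DMZ hosts are reconfigured with their public addresses in place of 10.10.11.x
# (host-side netmask/gateway per Shorewall's proxy ARP documentation). Shorewall
# answers ARP for each ADDRESS on EXTERNAL and adds a host route out INTERFACE.
# The mail servers' second addresses (.12 and .14) take one more line each.
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
203.0.113.10    eth2        eth0        No
203.0.113.11    eth2        eth0        No
203.0.113.13    eth2        eth0        No

# --- Option B: one-to-one NAT (/etc/shorewall/nat) ---------------------------
# DMZ hosts keep 10.10.11.x; the firewall rewrites addresses in both directions.
# Set ADD_IP_ALIASES=Yes in shorewall.conf if Shorewall should add the EXTERNAL
# addresses to eth0 for you. Entries in /etc/shorewall/rules use the INTERNAL address.
#EXTERNAL       INTERFACE   INTERNAL    ALL             LOCAL
#                                       INTERFACES
203.0.113.10    eth0        10.10.11.2  No              No
203.0.113.11    eth0        10.10.11.3  No              No
203.0.113.13    eth0        10.10.11.4  No              No

# --- Option C: bridged firewall, as Simon suggests ---------------------------
# eth0 and eth2 are enslaved to br0 outside Shorewall (brctl), the firewall's
# own public address sits on br0, DMZ hosts carry public addresses directly,
# and no translation or proxy ARP happens. loc stays routed on eth1. Needs a
# kernel with bridge netfilter support (the limitation Simon mentions).

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       br0         -           bridge
loc     eth1        detect

# /etc/shorewall/hosts  (bridge ports assigned to zones)
#ZONE   HOST(S)     OPTIONS
net     br0:eth0
dmz     br0:eth2
```

Whichever option is chosen, the DMZ hosts' second NICs on the loc hub (10.10.10.2-4 in the diagram) give dmz-to-loc traffic a path that never crosses the firewall, so the rules file only governs what arrives via eth0, eth1 or eth2.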
Maple Thorpe
2010-Oct-12 19:01 UTC
Re: Which is best option for environment ProxyARP or One-one-nat?
Thanks for the response. I'll give the brouter configuration a whirl.

On Tue, 2010-10-12 at 17:31 +0100, Simon Hobson wrote:
> Maple Thorpe wrote:
> 
> >Net---(8 IpAddresses)>Firewall/Router(2 IPAddresses and 3 NICs)
> >Firewall/Router-->(NIC 1 External IP)
> >Firewall/Router-->(NIC 2 (Loc) Private IP (10.10.10.1))-->Loc HUB
> >Firewall/Router-->(NIC 3 (DMZ) Private IP (10.10.11.1))-->DMZ HUB
> 
> Not clear from that whether you have a separate IP you can use for
> the outside interface - I'm assuming not.
> 
> My preference is to avoid NAT completely if you can. One option is to
> run your firewall as a bridge - that way, you can use your public IPs
> on the public facing servers without any need for NAT or Proxy ARP.
> It's really the simplest way as there are then no complications at
> all to worry about. The downside is that the bridge code in the Linux
> networking imposes some limitations.
> 
> You could, assuming you have the skills, run a firewall as a virtual
> machine under Xen (or any other mechanism you are familiar with), and
> then host your VPN endpoints on a separate real or virtual machine.
> That will remove some of the complexity, though it will add a little
> of its own - while you can run everything on one box, you can
> certainly simplify things if you divide and conquer!
> 
> If you had a separate public IP to use as a link address, then I'd
> say it's a no-brainer, just use routed mode like this:
> 
> --link-- <link IP><firewall><public subnet> --- DMZ