Topic: Getting IP Conflict between Opt interface and another network.  (Read 2777 times)
« on: June 01, 2007, 05:42:12 »
Goatie *
Posts: 4

Hi all, I'm puzzled why I'm getting an IP conflict between machines on my Opt1 interface and another network hanging off the WAN interface.

I've got two firewalls, M0n0wall and Checkpoint.

On the m0n0wall (Test Lab network)
LAN: 172.16.237.1/16
DMZ/OPT1: 192.168.111.20/24
WAN: 10.1.2.2/24 (plugs into the 10.2.1.1 interface on Checkpoint)

Checkpoint (Production network)
m0n0wall Interface: 10.2.1.1
LAN: 172.16.0.0
DMZ: 192.168.111.0

All 172.16.0.0 traffic is natted to appear as 10.2.1.1 through the checkpoint Fw.

Rules:
WAN:
TCP / 10.2.1.1 (WAN Net) / * / LAN Net / 3389 (Allow RDC from WAN -> LAN)
TCP / 10.2.1.1 (WAN Net) / * / DMZOPT1 Net / 3389 (Allow RDC from WAN -> DMZOPT1)
* / * / * / * / * Deny

DMZOPT1
* / * / * / * / * Deny

LAN
* / * / * / * / * Deny

The DMZOPT1 is not in bridged mode, although I do have the Advanced/enable filtering bridge tick box enabled.


What's happening is on the m0n0wall DMZOPT1 interface, when I assign any IP address in the 192.168.111.0 range to a machine, that Windows machine reports that IP address is in use, even if it is not in use on the production DMZ!

There's no traffic being blocked or let through from the logs (have all rules set to log.)


All the machines attached to the m0n0wall OPT1 interface hang off a switch. If I disconnect the switch<->OPT1 link, I can assign 192.168.111.x IP addresses fine.

When they're connected, I can assign any other IP range (172.16.0.0, or even 192.168.112.x), just not 192.168.111.x!!!!


Any ideas on how Windows determines if the IP address is in use or not? Am I just not understanding the differences between the LAN and the other OPT interfaces?



Any help much appreciated!

Steve.

(I can attach a pretty picture of the n/w layout if it will help.)
« Last Edit: June 01, 2007, 05:44:14 by Goatie »
« Reply #1 on: June 02, 2007, 08:36:07 »
cmb *****
Posts: 851

are you using proxy ARP? If you went wild configuring proxy ARP without knowing what you were actually doing, you can cause this.
« Reply #2 on: June 04, 2007, 02:04:50 »
Goatie *
Posts: 4

Ah life saver!

There was a Proxy ARP entry as follows:

DMZOPT1 - 192.168.111.0/24

I deleted this entry and it works now.

I looked up the fountain of all knowledge (google) and now have a vague understanding of Proxy ARP.

From what I understand, m0n0wall was replying back for all IP addresses on that subnet and Windows was interpreting this as that there were machines on those IP addresses already and therefore producing the duplicate IP address message.

As I didn't put that entry in, I'm assuming it was put in when I created the OPT network. Because of this, should I still have any entries in there at all?

Cheers!

Steve

ps. Chris, I'm using your VM m0n0wall on ESX 3 and it's working a treat. :)

« Reply #3 on: June 07, 2007, 18:08:25 »
personificator *
Posts: 1

Have you found an issue with using proxy ARP on a Windows network, where the Windows client sends a gratuitous ARP on the network before it starts its TCP/IP network stack?
« Reply #4 on: June 08, 2007, 02:33:50 »
cmb *****
Posts: 851

Yeah, an ARP reply on the IP the host is assigned is what qualifies as an IP conflict. You never use proxy ARP for IPs that are assigned to any device; it's meant for additional WAN IPs to use for NAT.
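The mechanism described in Reply #2 and Reply #4 (a proxy ARP entry covering a whole subnet answers the ARP probe a Windows host sends before claiming an address, so every address looks taken) can be reproduced offline. The following is an added illustration written for this thread, not code from m0n0wall or from any poster: it encodes and decodes raw Ethernet/IPv4 ARP packets, simulates a segment containing one existing host and a firewall with a configurable proxy ARP table, and runs an RFC 5227 style ARP probe for a candidate address. The MAC addresses, the second host's address 192.168.111.30 and the proxy ARP table contents are constructed sample values; only the 192.168.111.20/24 firewall address and the 192.168.111.0/24 entry come from the thread.

```python
import ipaddress
import struct

# ARP packet layout (RFC 826) for Ethernet hardware and IPv4 protocol addresses.
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST = 1
OP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"  # 28 bytes

def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Serialise one ARP request or reply."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                       mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)

def parse_arp(frame: bytes) -> dict:
    """Decode an ARP packet, rejecting anything that is not Ethernet/IPv4."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame)
    if htype != HTYPE_ETHERNET or ptype != PTYPE_IPV4 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}

def arp_probe(candidate_ip: str, my_mac: str) -> bytes:
    # RFC 5227 probe: sender IP 0.0.0.0 so the probe itself never pollutes ARP caches,
    # target IP is the address the host is about to claim.
    return build_arp(OP_REQUEST, my_mac, "0.0.0.0", "00:00:00:00:00:00", candidate_ip)

class Host:
    """An ordinary node: answers ARP only for its own address."""
    def __init__(self, mac: str, ip: str):
        self.mac, self.ip = mac, ip
    def handle(self, pkt: dict):
        if pkt["op"] == OP_REQUEST and pkt["tpa"] == self.ip:
            return build_arp(OP_REPLY, self.mac, self.ip, pkt["sha"], pkt["spa"])
        return None

class ProxyArpRouter:
    """A firewall interface with a proxy ARP table: it answers for its own address
    and for every address inside each configured proxy network."""
    def __init__(self, mac: str, ip: str, proxy_nets):
        self.mac, self.ip = mac, ip
        self.proxy_nets = [ipaddress.ip_network(n) for n in proxy_nets]
    def handle(self, pkt: dict):
        if pkt["op"] != OP_REQUEST:
            return None
        target = ipaddress.ip_address(pkt["tpa"])
        if pkt["tpa"] == self.ip or any(target in net for net in self.proxy_nets):
            return build_arp(OP_REPLY, self.mac, pkt["tpa"], pkt["sha"], pkt["spa"])
        return None

def detect_conflict(segment, candidate_ip: str, my_mac: str = "00:0c:29:aa:bb:cc"):
    """Broadcast a probe for candidate_ip to every node on the segment.
    Returns the MAC of the first node that claims the address (what Windows
    reports as a duplicate IP), or None when the address is genuinely free."""
    probe = parse_arp(arp_probe(candidate_ip, my_mac))
    for node in segment:
        reply = node.handle(probe)
        if reply is not None:
            parsed = parse_arp(reply)
            if parsed["op"] == OP_REPLY and parsed["spa"] == candidate_ip:
                return parsed["sha"]
    return None

def thread_scenario() -> dict:
    """Replay the situation from the thread with constructed sample MACs."""
    fw_mac = "00:50:56:01:02:03"                      # constructed sample MAC
    existing = Host("00:11:22:33:44:55", "192.168.111.30")  # constructed second host
    # Before the fix: the "DMZOPT1 - 192.168.111.0/24" proxy ARP entry is present.
    broken = [ProxyArpRouter(fw_mac, "192.168.111.20", ["192.168.111.0/24"]), existing]
    # After the fix: entry deleted, the firewall answers only for 192.168.111.20.
    fixed = [ProxyArpRouter(fw_mac, "192.168.111.20", []), existing]
    return {
        "broken_free_ip": detect_conflict(broken, "192.168.111.50"),  # bogus conflict
        "fixed_free_ip": detect_conflict(fixed, "192.168.111.50"),    # free, as expected
        "fixed_real_dup": detect_conflict(fixed, "192.168.111.30"),   # genuine duplicate
        "other_subnet": detect_conflict(broken, "192.168.112.5"),     # outside the entry
    }

if __name__ == "__main__":
    for name, mac in thread_scenario().items():
        print(f"{name}: {'conflict with ' + mac if mac else 'no conflict'}")
```

With the /24 entry present, a probe for any unused 192.168.111.x address gets a reply from the firewall's MAC, which is exactly the false "address already in use" the original post describes, while 192.168.112.x probes stay silent; once the entry is removed only the host that really owns 192.168.111.30 answers. The same model shows why a proxy ARP entry is harmless for an extra NAT address that no device is configured with: nothing ever probes for it.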