[squid-users] Question about transparent proxy + duplicate IPs: is it possible?

From: Marco Simioni <m.simioni@dont-contact.us>
Date: Tue, 3 Oct 2006 11:26:28 +0200

Hi everyone, I never found an answer to this question, so I'm trying
to ask you.

The scenario is something like this:
- I'd like to set up a Linux box that acts as a transparent HTTP proxy
(let's say something with Squid installed) connected at port X in my
switch, and requires zero configuration on client devices.
- I set up my port-based VLANs in my switch so that every other port
can only communicate with port X (the devices can't communicate with
each other).
- At the other ports of my switch I'd like to connect devices with
either dynamic IP configuration or static IP configuration.

My transparent box should:
- assign an IP address to DHCP devices that require it
- ARP-reply to every static-IP device that ARP-requests for its
gateway, so that they will use my box as their gateway
- catch HTTP connections for both DHCP and static-IP devices, and proxy
them, like any standard transparent proxy

The real problem is: what happens if 2 devices with the same IP connect
to this network?

I assume that there is no "collision" in the client devices' protocol
stacks, because of the port-based VLAN separation I did on the switch:
the devices will not see each other.

By the way, what happens on my Linux box?
I think that every time it receives an ARP reply from a device, it
updates the ARP cache.
So, if I have two clients configured like:
Client 1: IP A, MAC X
Client 2: IP A, MAC Y
the ARP table can only contain ONE record with IP A, updated now
with MAC X and now with MAC Y.
How could I manage this? Is it possible to manage two clients with the
same static IP, and NAT their HTTP connections?

I had an idea but I don't know if it's OK: I think my box should:
- Never overwrite ARP entries, but allow creating rows with duplicate
IPs (but obviously different MAC addresses). Note: I assume that my box
will never need to communicate directly with IP address "A" at higher
layer levels, so I don't care if I have multiple entries with the
same IP "A" in my ARP table.
- I know the NAT mechanism stores in a table the open connections with the
corresponding OUTPUTPORT+INTERNALIP. I think my box should also save
the INTERNALMAC, so that I can distinguish different devices with the same
IP address but obviously different MAC addresses.

I know this is a weird problem, but I think it is useful in hot-spot
areas where I want to offer a zero-configuration service.
Thanks very much in advance for the answers.

Marco.
Received on Tue Oct 03 2006 - 03:26:34 MDT
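The failure the poster describes, and the MAC-keyed translation table they propose, can be seen in a small simulation. The following is an added example and not code from the thread or from Squid: it models a one-entry-per-IP ARP cache plus a source-NAT table that is keyed either like a classic conntrack entry (internal IP and port) or, as proposed, with the client's MAC as well. All MAC addresses, IP addresses and ports are constructed for the example, and the "classic" NAT mode is a simplification of what a real kernel does (real conntrack keys on the full protocol tuple; the point here is only that it has no MAC in the key).

```python
"""Constructed simulation of NAT return-path delivery when two clients
share one IP behind a port-isolated switch. Not real kernel code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ArpCache:
    """Classic one-entry-per-IP cache: the last reply seen for an IP wins."""

    def __init__(self):
        self.table = {}

    def learn(self, ip, mac):
        self.table[ip] = mac          # overwrites any earlier MAC for this IP

    def lookup(self, ip):
        return self.table.get(ip)


class Nat:
    """Outbound source NAT. With key_with_mac=False the table is keyed by
    (internal IP, internal port) and replies are resolved through ARP; with
    key_with_mac=True the client's MAC is part of the key and is remembered,
    so replies are framed straight to that MAC without an ARP lookup."""

    def __init__(self, arp, key_with_mac):
        self.arp = arp
        self.key_with_mac = key_with_mac
        self.next_port = 50000        # first public source port handed out
        self.outbound = {}            # connection key -> public source port
        self.inbound = {}             # public source port -> (mac, ip, port)

    def _key(self, pkt):
        base = (pkt.src_ip, pkt.src_port)
        return (pkt.src_mac,) + base if self.key_with_mac else base

    def translate_out(self, pkt):
        """Return the public source port used for this client connection."""
        key = self._key(pkt)
        if key not in self.outbound:  # new connection: allocate a public port
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = (pkt.src_mac, pkt.src_ip, pkt.src_port)
        return self.outbound[key]

    def frame_reply(self, public_port):
        """Return the destination MAC for a reply arriving on public_port."""
        mac, ip, _port = self.inbound[public_port]
        if self.key_with_mac:
            return mac                    # MAC stored per connection
        return self.arp.lookup(ip)        # classic path: resolve IP via ARP


MAC_1 = "aa:aa:aa:aa:aa:01"   # constructed client MACs
MAC_2 = "aa:aa:aa:aa:aa:02"
SHARED_IP = "192.168.1.10"    # constructed: both clients use this address


def run_scenario(key_with_mac):
    """Two clients with the same IP and the same ephemeral port (possible,
    since their stacks never see each other) each open one HTTP connection.
    Returns {client MAC: (public port used, MAC that receives its reply)}."""
    arp = ArpCache()
    nat = Nat(arp, key_with_mac)
    public_ports = {}
    for mac in (MAC_1, MAC_2):
        arp.learn(SHARED_IP, mac)     # box sees a frame/ARP reply from the client
        pkt = Packet(mac, SHARED_IP, 40000, "198.51.100.5", 80)  # constructed
        public_ports[mac] = nat.translate_out(pkt)
    return {mac: (port, nat.frame_reply(port))
            for mac, port in public_ports.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("MAC in NAT key:", mode, run_scenario(mode))
```

In classic mode both clients collapse onto the same public port and the ARP cache holds only the last-learned MAC, so every reply is delivered to the second client. With the MAC in the key each client gets its own translation entry and its own return frame, which is exactly why the poster's box never needs a working IP-to-MAC mapping for address A.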

This archive was generated by hypermail pre-2.1.9 : Wed Nov 01 2006 - 12:00:04 MST