1:1 NAT and ARP issue iptables

Question

Gateway machine with 2 NIC one connecting public network and one for private network.

Gateway:

eth0 4.x.x.3

Eth1:10.10.11.3

There are 5 Machines with this as gateway all with ip 10.10.11.5---9 with gateway as 10.10.11.3

DNAT :

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination       

DNAT       all  --  anywhere             4.x.x.5     to:10.10.11.5 

DNAT       all  --  anywhere             4.x.x.6     to:10.10.11.6 

DNAT       all  --  anywhere             4.x.x.7     to:10.10.11.7 

SNAT on Gateway

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination  

SNAT       all  --  10.10.11.5           anywhere            to:4.x.x.5 

SNAT       all  --  10.10.11.6           anywhere            to:4.x.x.6 

SNAT       all  --  10.10.11.7           anywhere            to:4.x.x.7 

This rule was not working until i assign public ip on gateway on interface, seems issue with ARP .

Question1 Is there a way to avoid assigning public ip on interface to solve ARP issue

Question2: Could some one explain me reason for ARP failure other than ARP is layer 1 and NAT is layer 3

Answer 1

It's both in your uplink router. The 4.x.x.x network N is directly connected to your router and your provider's router R. Whenever R wants to reach anything in network N it knows it is locally connected and is going to send ARP requests for it.

You could set more specific routes (4.x.x.5/32 -> 4.x.x.3) on router R (if your provider allows you to...). Or bring your router 4.x.x.3 to answer the ARP requests. If your linux box does not own the IPs, it will not answer local ARP requests on the wire. Configuring the IP will answer the ARP request and let the upstream router R forward the packets to your box. And finally there are packets your router can forward and NAT. Until the packets do not arrive at your box, they cannot be forwarded.

Is has got nothing to do with the layers - this problem runs only on layer3.