I have a bridged Internet service with static IPs. My provider's equipment is an annoying unlimited ARP proxy, so using a simple bridge facing the Internet is unreliable. I see three choices:
1) Live with it.
2) Set up static ARP on all publicly-addressed equipment. Note that static IPs on consumer-type services generally cost a mountain of money over time (~$20/mo for 5), so I won't have many to configure.
Advantage: I can still re-plug equipment freely, e.g. into firewall, parallel to firewall, etc. This includes firewall interfaces, as edge bridge interfaces are interchangeable (no "inside"/"outside"). Really only useful for firewall bypass/replacement (I'm on such a setup right now).
Disadvantages:
- Static setup required on multiple (in my case, 2-4) machines;
- Cannot change interface (MAC) without reconfiguration of other machine(s).
3) Set up proxy ARP on the firewall: On firewall: configure a routed interface with a private address, connected to the Internet; configure proxy ARP (Virtual IPs) appropriately; configure a gateway host (static route) for the Internet gateway; alter NAT rules.
Advantages:
- All configuration is on the firewall;
- Allows anti source-spoofing rule on "outside" ruleset.
Disadvantages:
- Introduces fixed "outside" interface(s) - moving addresses from inside to outside requires reconfiguration of virtual IPs and gateway(s);
- Privately-addressed external interface introduces potential sourcing issues (could be minor/solvable);
- Kinda ugly.
Opinions? Alternate solutions?
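Added example (not the poster's configuration, and the post does not name its platform; "Virtual IPs" and "gateway host" read like pfSense-style terms, where the same settings live in the GUI): assuming Linux hosts and a Linux firewall, the script below emits the iproute2, sysctl and nftables commands for option 2 (permanent ARP entries on each publicly-addressed host) and option 3 (proxy ARP on the firewall with a privately-addressed outside interface, an on-link host route to the ISP gateway, and a per-address anti-spoofing drop on the outside ruleset). Every interface name, address and MAC is a constructed placeholder, and the nft line assumes an existing `inet filter` table with a `prerouting` chain. By default it prints the commands for review; `APPLY=1` executes them.

```shell
#!/bin/sh
# Added example, not the poster's configuration: print (or, with APPLY=1, run)
# the Linux commands for options 2 and 3 from the post. Interface names,
# addresses and MACs are constructed placeholders.

run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Option 2: permanent neighbour (ARP) entries on a publicly-addressed host.
# A permanent entry is never overwritten by replies from the upstream ARP
# proxy, so traffic to the listed peers always goes to the MAC configured here.
# Usage: static_arp_entries IFACE "IP MAC" ["IP MAC" ...]
static_arp_entries() {
  iface=$1; shift
  for pair in "$@"; do
    ip_addr=${pair%% *}; mac=${pair##* }
    run ip neigh replace "$ip_addr" lladdr "$mac" dev "$iface" nud permanent
  done
}

# Option 3: proxy ARP on the firewall. The outside interface carries a private
# address, the ISP gateway is reached through an on-link host route, and the
# firewall answers ARP on the outside link for the public addresses it routes
# towards the inside.
# Usage: proxy_arp_firewall OUT_IF IN_IF OUT_PRIVATE_CIDR GATEWAY PUBLIC_IP [PUBLIC_IP ...]
proxy_arp_firewall() {
  out_if=$1; in_if=$2; out_cidr=$3; gw=$4; shift 4
  run ip addr replace "$out_cidr" dev "$out_if"
  # The gateway is outside the private prefix, so declare it on-link explicitly.
  run ip route replace "$gw" dev "$out_if"
  run ip route replace default via "$gw" dev "$out_if"
  # proxy_arp answers only for destinations routed out a different interface,
  # so enable it on the outside link and keep it off inside.
  run sysctl -w "net.ipv4.conf.${out_if}.proxy_arp=1"
  run sysctl -w "net.ipv4.conf.${in_if}.proxy_arp=0"
  for pub in "$@"; do
    # Host route inwards for each public address living behind the firewall.
    run ip route replace "${pub}/32" dev "$in_if"
    # Anti-spoofing on the outside ruleset: our own public addresses never
    # legitimately arrive from upstream. Assumes table inet filter with a
    # prerouting chain already exists.
    run nft add rule inet filter prerouting iifname "$out_if" ip saddr "$pub" drop
  done
}

# Example invocation with constructed values (prints unless APPLY=1).
static_arp_entries eth0 "203.0.113.1 02:00:00:00:00:01" "203.0.113.6 02:00:00:00:00:06"
proxy_arp_firewall eth0 eth1 10.255.0.1/30 203.0.113.1 203.0.113.5 203.0.113.6
```

Run it once without `APPLY` on the firewall (and `static_arp_entries` alone on each host for option 2), check the printed lines against the real interface names and addresses, then rerun with `APPLY=1`. Neither function persists across reboot; the permanent neighbour entries and the sysctl settings need to go into the distribution's network or sysctl configuration once they are confirmed to work.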