Technical Tip: VIP on EMAC-VLAN interface responds with Parent interface MAC address
Description
This article describes that if a VIP is configured on an EMAC-VLAN interface, FortiGate responds with the MAC address of the parent interface instead of the MAC address of the EMAC-VLAN interface.
Explanation
Consider an example where traffic is generated as follows:
Source IP address: 192.168.1.20
Destination IP address: 192.168.1.30
FortiGate has the following EMAC-VLAN configured:
# config system interface
    edit "emac-FGT"
        set vdom "root"
        set ip 192.168.1.30 255.255.255.0
        set allowaccess ping https ssh http
        set type emac-vlan
        set snmp-index 13
        set interface "Uplink"
    next
end
There is also a VIP configured with the same external IP as the EMAC-VLAN interface:
# config firewall vip
    edit "VIP-192.168.1.30_rdp"
        set extip 192.168.1.30
        set extintf "any"
        set portforward enable
        set mappedip "192.168.10.2"
        set extport 3389
        set mappedport 3389
    next
end
When traffic from source IP 192.168.1.20 is sent to 192.168.1.30 for SSH access, FortiGate responds with the MAC address of the parent interface "Uplink":
Uplink in arp who-has 192.168.1.30 tell 198.51.100.3
Uplink out arp reply 192.168.1.30 is-at c:2:5:50:e4:0 <----- Different MAC address.
port1 out arp reply 192.168.1.30 is-at c:2:5:50:e4:0
emac-FGT in arp who-has 192.168.1.30 tell 198.51.100.3
emac-FGT out arp reply 192.168.1.30 is-at 12:2:5:50:e4:0 <----- Different MAC address.
Since the connecting unit gets the first response from the parent interface Uplink, connectivity fails.
Solution
Two solutions are possible to fix this issue and avoid connectivity problems in such a scenario; both concern the configuration of the VIP.
1) Use the exact interface on which the VIP is configured.
# config firewall vip
    edit "VIP-192.168.1.30_rdp"
        set extip 192.168.1.30
        set extintf "any" <----- Replace this with 'emac-FGT'.
        set portforward enable
        set mappedip "192.168.10.2"
        set extport 3389
        set mappedport 3389
    next
end
2) Disable arp-reply in the VIP.
# config firewall vip
    edit "VIP-192.168.1.30_rdp"
        set extip 192.168.1.30
        set extintf "any"
        set arp-reply disable <----- Disable it.
        set portforward enable
        set mappedip "192.168.10.2"
        set extport 3389
        set mappedport 3389
    next
end
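To audit a configuration for this condition before it causes an outage, here is an added example (not from the article or from Fortinet) in Python: it parses FortiOS CLI text and flags every VIP whose extip belongs to an EMAC-VLAN interface but that applies neither fix above (extintf bound to that interface, or arp-reply disabled). The sample config is constructed from the article's snippets, and parse_fortios and emac_vlan_vip_findings are hypothetical names.

```python
# Constructed sample: the article's EMAC-VLAN interface, its misconfigured VIP,
# and a second VIP that already has arp-reply disabled for contrast.
SAMPLE_CONFIG = """
config system interface
    edit "emac-FGT"
        set ip 192.168.1.30 255.255.255.0
        set type emac-vlan
        set interface "Uplink"
    next
end
config firewall vip
    edit "VIP-192.168.1.30_rdp"
        set extip 192.168.1.30
        set extintf "any"
        set mappedip "192.168.10.2"
    next
    edit "VIP-192.168.1.30_fixed"
        set extip 192.168.1.30
        set extintf "any"
        set arp-reply disable
        set mappedip "192.168.10.3"
    next
end
"""

def parse_fortios(text):
    """Flat parser for 'config <section>' / 'edit' / 'set' / 'next' blocks
    (nested sub-configs are not handled). Returns {section: {name: {key: value}}}."""
    sections, section, entry = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            section = sections.setdefault(line[7:], {})
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next":
            entry = None
    return sections

def emac_vlan_vip_findings(text):
    """Flag VIPs whose extip is an EMAC-VLAN interface IP but that neither bind
    extintf to that interface nor disable arp-reply (the article's two fixes).
    arp-reply is enabled by default, so an absent key counts as enabled."""
    cfg = parse_fortios(text)
    emac_ips = {a["ip"].split()[0]: n for n, a in cfg.get("system interface", {}).items()
                if a.get("type") == "emac-vlan" and "ip" in a}
    findings = {}
    for name, a in cfg.get("firewall vip", {}).items():
        iface = emac_ips.get(a.get("extip"))
        if iface and a.get("extintf") != iface and a.get("arp-reply") != "disable":
            findings[name] = (f"extip on EMAC-VLAN '{iface}' with extintf '{a.get('extintf')}' "
                              f"and arp-reply enabled; set extintf \"{iface}\" or arp-reply disable")
    return findings

if __name__ == "__main__":
    for vip, msg in emac_vlan_vip_findings(SAMPLE_CONFIG).items():
        print(f"{vip}: {msg}")
```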