rickards
New Member
March 31, 2014
Question

proxy arp feature

  • March 31, 2014
  • 7 replies
  • 28090 views
Hi, I am trying to get the proxy ARP feature to work. So far I have two FortiGates directly connected via wan1, and both firewalls have a server connected to the internal interface.

    FGT1  Internal: 192.168.1.99/24   Server1: 192.168.1.15   WAN: 192.168.140.2
    FGT2  Internal: 192.168.1.99      Server2: 192.168.1.20   WAN: 192.168.140.1

I have added a proxy ARP entry on both firewalls:

    config system proxy-arp
        interface internal
        IP 192.168.1.99

and added a host route for each server:

    FGT1 static route 192.168.1.20/32 gw 192.168.140.1
    FGT2 static route 192.168.1.15/32 gw 192.168.140.2

I am not getting any reply from the host at the other end; I can only ping the internal interfaces. Firewall policies are all allowed, both in and out. What else could be missing?


    rwpatterson
    New Member
    March 31, 2014
    What is your end goal?
    rickards (Author)
    New Member
    March 31, 2014
    Hi. My goal is to use the same subnet on the internal interface of both firewalls and have connectivity between the hosts that have IP addresses in the same subnet but not, of course, the same IP address. This is a temporary setup for a migration, so that I do not have to change the IP of migrated hosts.
    emnoc
    New Member
    March 31, 2014
    FWIW: proxy ARP will probably not work in this case, and the reason you're not getting a response is the overlapping /24 subnets for the two servers. The FortiGates are probably answering ARP requests for networks foreign to their interfaces (do a capture with an ARP filter to validate this, for a local address and for a foreign address). Proxy ARP is a good and a dangerous thing, more so the latter when it is used for the wrong purpose. IMHO I would re-engineer the network with two unique LAN subnets. I would also move far away from the 192.168.1.0/24 subnet.
    rickards (Author)
    New Member
    March 31, 2014
    The 192.168.1.0/24 is only used to test the concept. I do not see any ARP requests on the external interface, just ARP requests from each host on the firewall it is connected to. So a request from 192.168.1.15 should be routed towards the external interface on the opposite side. It should look in the routing table for that host and send the packet to the destination? I understand that this is not the cleanest solution, and not the safest either, but technically it should work, right?
    rwpatterson
    New Member
    March 31, 2014
    No. If you have the same subnet on 2 sides of an interface, you'll never leave that area. You would have to either a) employ NAT and fake out your host, or b) change one of the 2 LAN subnets to make it unique.
    rickards (Author)
    New Member
    March 31, 2014
    There is an example in the KB that is for IPsec, but the concept is like what I am testing: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=12017&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=58971725&stateId=0%200%2058973156 In that example different IPs on the internal interfaces are used; I have tried that as well but it did not work.
    Dave_Hall
    New Member
    March 31, 2014
        In that example different IPs on the internal interfaces are used; I have tried that as well but it did not work.
    The example uses NAT traversal in the VPN set-up (see the "ipsec phase1-interface" section) between the two interfaces. The closest you can get to doing something like that without creating a VPN is perhaps NATting one or both sides of the interface(s). I think I saw an example of a "NAT IP address pool" used in such a manner, somewhere in the KB or handbook. Edit: Maybe I am thinking of source NATting.
    abc987
    New Member
    March 31, 2014
    Here's a doc for this case: http://docs.fortinet.com/d/fortigate-creating-a-vpn-with-overlapping-subnets
    rickards (Author)
    New Member
    April 1, 2014
    Hi guys, thanks for the input on this post. I did a proof of concept of this setup today, and it is working. On FGT1 the proxy ARP entry should be like this:

        config system proxy-arp
            edit 1
                set ip 192.168.1.20
                set interface internal

    then the static route which tells FGT1 where to find the host:

        static route 192.168.1.20/32 gw 192.168.140.1

    On the other side, the opposite values. So now it is answering ARP requests for the host on the other side and routing the traffic to the FortiGate on the opposite side. Firewall policies were open for all traffic, without NAT. So it is working, but yes, I agree this is not best practice.
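The complete two-sided configuration that the working proof of concept above describes, written out here as an added example (it is not a configuration posted in the thread, nor a Fortinet-supplied one). It assumes the interface names internal and wan1 and the addresses given in the thread; the object IDs (proxy-arp 1, static route 10, policies 10 and 11) are assumptions. It also adds the ARP and ICMP captures emnoc suggested for validating what the firewall is answering for.

```fortios
# ---------- FGT1 (internal 192.168.1.99/24, wan1 192.168.140.2), Server1 = 192.168.1.15 ----------
# Answer ARP on "internal" for the remote host only. Never use a range that covers
# live local hosts: the FortiGate would then compete with them for their own addresses.
config system proxy-arp
    edit 1
        set interface "internal"
        set ip 192.168.1.20
    next
end
# Host route: the /32 is more specific than the connected /24 on internal, so traffic
# for the remote server leaves via wan1 towards FGT2 instead of being ARPed locally.
config router static
    edit 10
        set dst 192.168.1.20 255.255.255.255
        set gateway 192.168.140.1
        set device "wan1"
    next
end
# Policies in both directions, without NAT, so the real addresses survive the hop.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 11
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# ---------- FGT2 (internal 192.168.1.99/24, wan1 192.168.140.1), Server2 = 192.168.1.20 ----------
# Mirror image: proxy ARP for 192.168.1.15, host route to it via FGT1's wan1 address.
config system proxy-arp
    edit 1
        set interface "internal"
        set ip 192.168.1.15
    next
end
config router static
    edit 10
        set dst 192.168.1.15 255.255.255.255
        set gateway 192.168.140.2
        set device "wan1"
    next
end
# (plus the same two firewall policies as on FGT1)

# ---------- Verification on FGT1 ----------
# Server1's ARP request for 192.168.1.20 should be answered with FGT1's internal MAC,
# and the pings should then appear on wan1 addressed to the real host behind FGT2.
diagnose sniffer packet internal 'arp' 4
diagnose sniffer packet wan1 'host 192.168.1.20 and icmp' 4
```

The setup only holds while the proxied address does not exist on the local LAN: if a host with 192.168.1.20 is later plugged into FGT1's internal segment, both it and the firewall will answer ARP for that address and traffic to it will flap between them, which is the failure mode emnoc warns about. Use single /32 entries per migrated host rather than a range, and remove each entry and its host route as soon as that host has moved.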