jmlux
New Member
September 2, 2015
Question

Proxy ARP issues: cannot set interface, SSH different than console, documentation useless

  • September 2, 2015
  • 6 replies
  • 17946 views

Hi there,

 

Currently I'm struggling with understanding how you deal with Proxy ARP on the Fortigate. So far support has been of no help (reply=RTFM which is incomprehensible).

 

Usually (other vendors) you have the choice of enabling/disabling proxy ARP on an interface. Plus some minor options. That's it.

 

Now, the Fortigate requires me to set an IP and an interface. I believe I understand that I have to manually define each IP for proxy ARP? I can live with that, but it is also unclear what the interface it asks for is supposed to be:

  • Is it the interface where the IP is actually located (which should be implicit from the routing table)?
  • Is it the interface where the IP should be presented with the MAC of the router (which should be implicit from the interface address)?

 

Additionally I seem to be unable to activate proxy-arp on a VLAN interface. C'mon.....

 

FGXXXX# config system proxy-arp
FGXXXX(proxy-arp) # edit 1
new entry '1' added
FGXXXX(1) # set interface
<string>    please input string value
mgmt    interface
ssl.dmgmt-vdom(SSL VPN interface)       interface

 

FGXXXX # (1) set interface "VLANX_Y"
entry not found in datasource
value parse error before 'VLANX_Y'
Command fail. Return code -3

 

Best regards,

Marki

6 replies

vjoshi_FTNT
Staff
September 3, 2015

Hi Mark,

 

I believe, a VIP can help you in this case.

 

Fortigate responds to the ARP requests on behalf of the VIP IP. It is allowed to create VIP IP for the VLAN interface as well. 

 

May I know the actual requirement based, with respect to the traffic?

jmlux (Author)
New Member
September 3, 2015

vjoshi wrote:

I believe, a VIP can help you in this case.

Fortigate responds to the ARP requests on behalf of the VIP IP. It is allowed to create VIP IP for the VLAN interface as well. 

Now that's a new bit of info, thanks. However, we don't need any NAT or the like, just "plain" proxy ARP. Would you have an example config using a VIP?

 

May I know the actual requirement based, with respect to the traffic?

The requirement is that the current equipment can be replaced 1-to-1 and the cleanup done later as there is no time for that before. Either a FG can do it or we have to use something else.

jhouvenaghel_FTNT
Staff
September 3, 2015

Hello,

 

I didn't play with this setting but I guess the IP address to enter is the IP address which needs to be proxied.

 

I think the interface you need to indicate is simply the interface receiving the ARP request and which needs to answer the ARP request for the proxied IP address.

 

It seems that indeed you cannot specify a VLAN sub-interface. Does it mean that if you specify the physical interface where the VLAN sub-interfaces are configured, it will be enough to have proxy ARP working for all sub-interfaces defined on this physical interface? It would need to be tested in a lab.

 

 

jmlux (Author)
New Member
September 3, 2015

We can't specify any interfaces, except for mgmt and ssl.dmgmt-vdom (see one of the previous posts). Not even the physical interface on which the VLAN is configured.

jhouvenaghel_FTNT
Staff
September 3, 2015

Can you go into the VDOM the physical interface belongs to?

jmlux (Author)
New Member
September 3, 2015

jhouvenaghel wrote:

Can you go into the VDOM the physical interface belongs to?

No VDOMs here, only root (except of course dedicated management, which I exclude from user VDOMs). I haven't tried without, but if the equipment can't handle that, then it's a bug.

jmlux (Author)
New Member
September 3, 2015

OK I tried it now, it has something to do with dedicated management. Once switched off, I can configure proxy arp. And after switching it on again, I can still configure proxy arp. I diffed the configs from before switching on and off and after, no relevant functional changes shown.

emnoc
New Member
September 3, 2015

Can you describe what you're trying to accomplish with proxy-arp. You might be able to get by with another approach than the proxy-arp setting.

 

As far as sub-interfaces, I don't know why you're having problems; any layer 2 Ethernet interface that's not in transparent mode should work.

 

e.g.

 

FGT100DSPWORK (1) # show
config system proxy-arp
    edit 1
        set interface "vlan88"   <------- sub-interface from a 802.1q tagged member
        set ip 10.22.1.1
    next
end

 

 

jmlux (Author)
New Member
September 3, 2015

emnoc wrote:

Can you describe what you're trying to accomplish with proxy-arp. You might be able to get by with another approach than the proxy-arp setting.

It's just that Proxy ARP is currently in use on the equipment that should be replaced by the FG. We can't clean up now. We have to clean up later therefore, the FG must behave more or less the same as the existing equipment.

 

As far as sub-interfaces, I don't know why you're having problems; any layer 2 Ethernet interface that's not in transparent mode should work.

Then there must be something really special on my end.

 

FG100D # config system proxy-arp

FG100D (proxy-arp) # edit 1
new entry '1' added

FG100D (1) # set interface
<string> please input string value
mgmt interface
ssl.dmgmt-vdom(SSL VPN interface) interface

FG100D (1) # set interface vlan123
entry not found in datasource

value parse error before 'vlan123'
Command fail. Return code -3

(see also attached image)

 

See also relevant part of config below (there isn't much)

#config-version=FG100D-5.02-FW-build688-150722:opmode=0:vdom=0:user=admin
#buildno=0688
#global_vdom=1
#dedicated-management=dmgmt-vdom
config system global
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
    set admintimeout 60
    set fgd-alert-subscription advisory latest-threat
    set gui-ips enable
    set gui-wireless-controller disable
    set hostname "FG100D"
    set internal-switch-mode interface
    set optimize antivirus
    set switch-controller enable
    set timezone 26
end
config system interface
    ....
    edit "mgmt"
        set vdom "dmgmt-vdom"
        set ip x.x.x.x 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
        set type physical
        set dedicated-to management
        set snmp-index 8
    next
    edit "ha1"
        set vdom "root"
        set type physical
        set snmp-index 9
    next
    edit "ha2"
        set vdom "root"
        set type physical
        set snmp-index 10
    next
    edit "port5"
        set vdom "root"
        set type physical
        set snmp-index 4
    next
    ....
    edit "vlan123"
        set vdom "root"
        set snmp-index 28
        set interface "port5"
        set vlanid 123
    next
end
config system physical-switch
    edit "sw0"
        set age-val 0
    next
end
config system ha
    set override disable
end
config system dedicated-mgmt
    set status enable
    set interface "mgmt"
    set default-gateway x.x.x.x
end
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
config system ntp
    set syncinterval 60
end
config system settings
end
config system session-ttl
        config port
            edit 102
                set timeout 28800
            next
        end
end
config firewall local-in-policy
end
config router static
    edit 1
        set gateway 1.2.3.1
        set device "VLAN29_XXX"
    next
    edit 2
        set dst 2.2.2.0 255.255.252.0
        set gateway 1.1.1.1
        set device "VLAN30_XXX"
    next
    ...
end

jmlux (Author)
New Member
September 4, 2015

Oh and now I have found out that when you try to set or display proxy-arp settings (config system proxy-arp) this differs when logged in from console vs. logged in via SSH (dedicated management). Great. Now I wonder if support will get back to me like always (i.e. "that's just how it works, that's hard-coded and therefore cannot change"). [>:]

jmlux (Author)
New Member
September 22, 2015

Okay..... (holy ****) It seems that when dedicated-mgmt is configured, logging in via CLI puts you automatically in dmgmt-vdom vs. the GUI which shows you the normal vdom (root, whatever). Support is confused, they don't seem to understand that we need dedicated-mgmt only so that management is out-of-band and we don't actually want to do anything inside the dmgmt-vdom. (Even the doc says it is (supposed to be) hidden!!!) They even ask to add ports to dmgmt-vdom to configure proxy-arp (the original issue). Argh, so the answer for e.g. configuring proxy-arp is to "execute enter root" (in which case all interfaces are available again for selection) and then perform normal configuration. Still, one should find out why the CLI puts you in dmgmt-vdom by default when dedicated-mgmt is enabled, which is a stupid behavior. Let me guess what the response will be: "That's by design, hard-coded, and therefore can't be changed." Anyone else having similar discussions with support? [>:]