FortiGate
martinsd (Staff)
Article Id 247736
Description This article describes how the 'proxy-arp' feature works and how to use it.
Scope FortiGate.
Solution

Traditional Setup:

The customer has an AS and a public IP 1.1.1.1/32 and delegates the prefix announcement to the ISP. The ISP delivers the traffic to 1.1.1.1/32 through a private transit LAN.

[Figure: topology of the traditional setup]

CPE Config:


CPE#sh run | s interface
interface GigabitEthernet0/0
 ip address 23.10.20.15 255.255.255.0
interface GigabitEthernet0/1
 ip address 192.168.5.1 255.255.255.0
! 
CPE#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 23.10.20.1 to network 0.0.0.0
!
S*    0.0.0.0/0 [1/0] via 23.10.20.1
      1.0.0.0/32 is subnetted, 1 subnets
S        1.1.1.1 [1/0] via 192.168.5.6
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.10.20.0/24 is directly connected, GigabitEthernet0/0
L        23.10.20.15/32 is directly connected, GigabitEthernet0/0
      192.168.5.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.5.0/24 is directly connected, GigabitEthernet0/1
L        192.168.5.1/32 is directly connected, GigabitEthernet0/1
CPE#


Proxy ARP Setup:

The customer has an AS and a public IP 1.1.1.1/32 and delegates the prefix announcement to the ISP. The ISP delivers the traffic to 1.1.1.1/32 through a private transit LAN. The customer configures the public IP on the port1 interface with no secondary IP.

[Figure: topology of the proxy ARP setup]

After configuring the public IP on FortiGate's port1, the CPE starts to send the following ARP-REQUESTs: 

[Figure: ARP-REQUEST packets sent by the CPE for 192.168.5.6]

The CPE cannot deliver traffic to the public IP because it does not know the next hop's MAC address: its static route points at 192.168.5.6, but that address is not configured on any FortiGate interface (port1 only carries 1.1.1.1/32), so nobody answers the ARP request. To solve this problem, use the proxy-arp feature as follows:


# config system proxy-arp
    edit 1
        set interface "port1"
        set ip 192.168.5.6
    next
end


Now, the FortiGate is sending the ARP-REPLY packets back:

[Figure: ARP-REPLY packets sent by the FortiGate for 192.168.5.6]

And some ARP-REQUEST packets to find its next hop's MAC address:

[Figure: ARP-REQUEST packets sent by the FortiGate for its next hop 192.168.5.1]

FortiGate config:


# config system interface
    edit "port1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping
        set type physical
        set device-identification enable
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 10.3.3.21 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 2
    next
end


# config router static
    edit 1
        set gateway 192.168.5.1
        set device "port1"
    next
end


# config system proxy-arp
    edit 1
        set interface "port1"
        set ip 192.168.5.6
    next
end


# config firewall policy
    edit 1
        set name "toINET"
        set uuid 804c0770-b846-51ed-a435-1a650f5789f6
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
        set nat enable
    next
end
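The ARP exchange described above (the CPE asking for 192.168.5.6 on the transit LAN, and the FortiGate answering only once a proxy-arp entry exists on port1), as an added model in Python; this is not FortiOS code or part of the original article. The MAC addresses are constructed, the IP addresses are the ones used in the configuration above.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import Optional, Set

# Constructed model of the transit-LAN ARP exchange. MACs are made up; IPs match
# the article (port1 = 1.1.1.1/32, CPE = 192.168.5.1, static next hop = 192.168.5.6).
FORTIGATE_PORT1_MAC = "02:00:00:00:00:01"
CPE_MAC = "02:00:00:00:00:02"

@dataclass
class ArpRequest:
    sender_ip: IPv4Address
    sender_mac: str
    target_ip: IPv4Address        # "who has target_ip?"

@dataclass
class ArpReply:
    ip: IPv4Address
    mac: str

@dataclass
class Port:
    name: str
    mac: str
    addr: IPv4Interface                                   # e.g. 1.1.1.1/32
    proxy_arp: Set[IPv4Address] = field(default_factory=set)  # 'config system proxy-arp' entries

    def answer(self, req: ArpRequest) -> Optional[ArpReply]:
        """Reply with this port's MAC when the request targets the port's own
        address or an IP configured as proxy-arp on this interface; otherwise
        stay silent (the CPE keeps retransmitting and cannot forward traffic)."""
        if req.target_ip == self.addr.ip or req.target_ip in self.proxy_arp:
            return ArpReply(req.target_ip, self.mac)
        return None

def fortigate_port1(with_proxy_arp: bool) -> Port:
    """port1 as configured above, with or without the proxy-arp entry."""
    port = Port("port1", FORTIGATE_PORT1_MAC, IPv4Interface("1.1.1.1/32"))
    if with_proxy_arp:
        port.proxy_arp.add(IPv4Address("192.168.5.6"))     # set ip 192.168.5.6
    return port

def cpe_resolve_next_hop(port: Port, next_hop: str = "192.168.5.6") -> Optional[ArpReply]:
    """The CPE resolving the next hop of 'S 1.1.1.1 [1/0] via 192.168.5.6'."""
    req = ArpRequest(IPv4Address("192.168.5.1"), CPE_MAC, IPv4Address(next_hop))
    return port.answer(req)
```

Without the proxy-arp entry the request for 192.168.5.6 goes unanswered; with it, the CPE learns port1's MAC and can forward traffic for 1.1.1.1/32.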


Use Cases:

- Use SNAT with the 'Outgoing Interface Address' option.

- SD-WAN does not support Loopback interfaces.

- ACME does not support Loopback interfaces.
