Proxy ARP feature
Hi,
I am trying to get the proxy ARP feature to work. So far I have two
FortiGates directly connected via wan1, and both firewalls have a server connected
to the internal interface.
FGT1
Internal: 192.168.1.99/24
Server1: 192.168.1.15
WAN 192.168.140.2
FGT2
Internal: 192.168.1.99
Server2: 192.168.1.20
WAN: 192.168.140.1
I have added a proxy ARP entry on both firewalls (same entry on each, in the FortiOS CLI syntax):
config system proxy-arp
    edit 1
        set interface internal
        set ip 192.168.1.99
    next
end
and added a host route for each server:
FGT1
static route 192.168.1.20/32 gw 192.168.140.1
FGT2
static route 192.168.1.15/32 gw 192.168.140.2
I am not getting any reply from the host at the other end; I can only ping the
internal interfaces.
Firewall policies allow all traffic both in and out. What else could be missing?
What is your end goal?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Hi,
My goal is to use the same subnet on the internal interface of both firewalls and
have connectivity between the hosts that have IP addresses in the same subnet,
but the same IP address of course.
This is a temporary setup for a migration, to not have to change IP on migrated hosts.
FWIW:
Proxy ARP will probably not work in this case.
The reason you're not getting a response is the overlapping /24 subnets for the two servers.
The FortiGates are probably answering ARP requests for networks foreign to their interfaces (do a capture with an ARP filter to validate this for a local address and a foreign address).
Proxy ARP is a good and a dangerous thing, more so the latter, and especially when it is used for the wrong purpose.
IMHO:
I would re-engineer the network with two unique LAN subnets.
I would also move far away from the 192.168.1.0/24 subnets.
PCNSE
NSE
StrongSwan
The 192.168.1.0/24 is only used to test the concept. I do not see any ARP requests on the external interface, just ARP requests from each host on the firewall it is connected to.
So a request from 192.168.1.15 should be routed towards the external interface on the opposite side.
It should look in the routing table for that host and send the packet to the destination?
I understand that this is not the cleanest solution and not the safest either, but technically it should work, right?
No. If you have the same subnet on two sides of an interface, you'll never leave that area. You would have to either a) employ NAT and fake out your host or b) change one of the two LAN subnets to make it unique.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
There is an example in the KB that is for IPsec, but the concept is like what I am testing:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=12017&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=58971725&stateId=0%200%2058973156
In that example different IPs on the internal interfaces are used. I have tried that as well, but it did not work.
> In that example different IPs on the internal interfaces are used. I have tried that as well, but it did not work.
The example uses NAT traversal in the VPN setup (see the "ipsec phase1-interface" section) between the two interfaces. The closest you can get to doing something like that without creating a VPN is perhaps NATing one or both sides of the interface(s). I think I saw an example of a "NAT IP address pool" used in such a manner, somewhere in the KB or handbook. Edit: Maybe I am thinking of source NATing.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Here's a doc for this case:
http://docs.fortinet.com/d/fortigate-creating-a-vpn-with-overlapping-subnets
FCNSP/WCSP
Hi guys,
Thanks for the input on this post. I did a proof of concept of this setup
today, which is working.
In FGT1 the proxy-arp entry should be like this:
config system proxy-arp
    edit 1
        set ip 192.168.1.20
        set interface internal
    next
end
Then the static route which tells FGT1 where to find the host:
static route 192.168.1.20/32 gw 192.168.140.1
On the other side, the opposite values.
So now it is taking ARP requests for the host on the other side and routing the traffic
to the FGT on the opposite side.
Firewall policies were open for all traffic without NAT.
So it is working, but yes, I agree this is not best practice.
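To show why the opening post's configuration failed and the final one works, here is an added Python model of one FortiGate's ARP-reply and longest-prefix-match forwarding decision. It is not FortiOS code; the FGT1 dictionaries, the interface name "wan1" and the simplified proxy-arp semantics are assumptions built from the thread.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed FGT1 models: the opening post's entry (proxy-arp for the FortiGate's
# own interface address) versus the final post's entry (proxy-arp for the remote host).
FGT1_BROKEN = {
    "interfaces": {"internal": "192.168.1.99/24", "wan1": "192.168.140.2/24"},
    "proxy_arp": {("internal", "192.168.1.99")},
    "static": [("192.168.1.20/32", "192.168.140.1", "wan1")],
}
FGT1_WORKING = {
    "interfaces": {"internal": "192.168.1.99/24", "wan1": "192.168.140.2/24"},
    "proxy_arp": {("internal", "192.168.1.20")},
    "static": [("192.168.1.20/32", "192.168.140.1", "wan1")],
}

def build_routes(fgt):
    """Connected routes derived from interface addresses plus the static host routes."""
    connected = [(str(ip_interface(a).network), None, n) for n, a in fgt["interfaces"].items()]
    return connected + fgt["static"]

def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, next_hop, iface) or None."""
    best = None
    for prefix, nh, iface in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, nh, iface)
    return best

def answers_arp(fgt, iface, target):
    """The gateway replies to an ARP request on iface only for its own address
    or for a proxy-arp entry bound to that interface (assumed simplification)."""
    own = ip_interface(fgt["interfaces"][iface]).ip
    return str(own) == target or (iface, target) in fgt["proxy_arp"]

def ping_path(fgt, src_iface, dst):
    """Fate of a packet from a host on src_iface to dst once it reaches the gateway."""
    if not answers_arp(fgt, src_iface, dst):
        return "no-arp-reply"   # host ARPs for a same-subnet address and nobody answers
    match = lookup(build_routes(fgt), dst)
    if match is None:
        return "no-route"
    prefix, nh, iface = match
    if nh is None and iface == src_iface:
        return "local"          # only the connected /24 matched: stays on the LAN
    return f"forward via {nh} on {iface}"   # the /32 beats the connected /24

if __name__ == "__main__":
    for name, fgt in (("broken", FGT1_BROKEN), ("working", FGT1_WORKING)):
        print(name, ping_path(fgt, "internal", "192.168.1.20"))
```

The "local" outcome is the trap emnoc and Bob describe: without the more specific /32, the connected /24 wins and the packet never leaves the LAN.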
