topic Re: clusterxl vmac and proxy arp in General Topics

clusterxl vmac and proxy arp

Dmitry_Barantse — Wed, 11 Jul 2018 11:23:49 GMT

Hi team.

I have a question about clusterxl vmac option and nat with proxy arp.
What mac should be in proxy arp configuration for manual and automatic static nat?
I think that in both cases should be a virtual mac.
I'm I right?

Re: clusterxl vmac and proxy arp

PhoneBoy — Wed, 11 Jul 2018 13:00:08 GMT

Automatic Static NAT should be handled automatically (i.e. you don't need to add any proxy arp) unless you've disabled Automatic ARP configuration:

For Manual NAT rules you would use the cluster VMAC.

Re: clusterxl vmac and proxy arp

Dmitry_Barantse — Wed, 11 Jul 2018 13:22:48 GMT

Automatic ARP would be created with cluster virtual mac, isn't it?

Re: clusterxl vmac and proxy arp

PhoneBoy — Wed, 11 Jul 2018 13:31:35 GMT

Yes

Re: clusterxl vmac and proxy arp

Timothy_Hall — Wed, 11 Jul 2018 14:44:47 GMT

Also keep in mind that on an R80.10+ gateway you can enable automatic handling of Proxy ARP for manual NAT rules and not have to worry about what MAC address it is:

sk114395: Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.10

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: clusterxl vmac and proxy arp

Martin_Raska — Thu, 12 Jul 2018 06:54:26 GMT

Yes, but it's only for source NAT, so it's not usable for scenario, the connection from the Internet to public IP, which is not configured on any CP interfaces and I need to do DNAT from the public to private towards inside of my web server with 10.1.1.1.

Re: clusterxl vmac and proxy arp

GG27 — Fri, 13 Jul 2018 15:46:46 GMT

I assume your clusterXL configuration is with Virtual Mac

In this case in the proxy arp configuration you have to create entries where the MAC is the virtual as well.

By CLI on the gateway, you can run "cphaprob -a if" and next to each virtual IP you see the virtual MAC set.

In case you won't use virtual MAC, the CLI command output won't show any MAC because you will use the physical MAC for the VIP.

in this last scenario in the proxy arp you have to configure the physical mac related of interface where Manual NAT is applied and the MAC on the other cluster member will be different than the other one.

Re: clusterxl vmac and proxy arp

Maarten_Sjouw — Fri, 13 Jul 2018 21:22:23 GMT

Do keep in mind that in cluster configs using the real-ip part of the statement needs to contain the real IP of the member for that interface.

Also you can see all advertised proxy arp's by using the 'fw ctl arp' command.

Re: clusterxl vmac and proxy arp

Robert_M_Nubile — Fri, 18 Oct 2019 03:12:44 GMT

Hi Sir,

I believe that it should be configured using Virtual Mac Address but I opened a ticket with TAC and they told me that it must be configured using Physical Mac Address.

Are you that the Proxy ARP must be set using Virtual MAC Address?

Kind regards,