topic Re: Gratuitous ARP static NAT, 1450-Appliance in Spark Firewall (SMB)

Gratuitous ARP static NAT, 1450-Appliance

Martin_Peinsipp — Tue, 17 Jul 2018 16:23:15 GMT

Hello!

Today I migrated a firewall-configuration from a SG80-Appliance to a 1450er-Appliance (configured everything manually, installed the latest firmware 07/2017). We have a lot of auto-static-nats configured there (are terminateing in the WAN-Interface). Just for clarification, the WAN-Inteface is configured with internal-ips (MPLS-Connection).

After activating the new appliance (same ips and static-nat-ips taken from the old SG80-Appliance) the static-nats did not work, because the old MAC-Addresses of the old SG80-Appliance were stored on the router's arp-table.

But the new MAC of the WAN-Interface was updated immediately. So it seems, that the Firewall does not send out gratuitous arp for static-nat-ips but only for its own IP on the WAN-Interface.

As I said, it was not a problem, but I only want to know, if this is a standard behaviour because today it was the very first time, I did not delete the arp-table for the nat-ips, do not know why.

Best regards

Martin

Re: Gratuitous ARP static NAT, 1450-Appliance

Pedro_Espindola — Thu, 19 Jul 2018 20:38:07 GMT

Hello Martin.

From the tests I made with a 1470 it seems it does not send gratuitous ARP. It will only respond to ARP requests.

This seems to be the standard behavior.

Re: Gratuitous ARP static NAT, 1450-Appliance

Martin_Peinsipp — Fri, 20 Jul 2018 06:38:44 GMT

Hello!

Thank you for the test! I found a great command. With this command you can force the appliance to send out g-arps:

echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind --> enable this "feature in the kernel"

arping -c 4 -A -I WAN 10.90.186.200 --> here the g-arp will be done for the WAN-Interface and for the IP 10.90.186.200

echo 0 > /proc/sys/net/ipv4/ip_nonlocal_bind --> disable this "feature in the kernel"

This works great

Martin