topic Re: Proxy ARP and VLAN tagging in Spark Firewall (SMB)

Proxy ARP and VLAN tagging

arnieh — Thu, 11 May 2023 07:57:38 GMT

I am working on two new 1800 Quantum Spark nodes in HA mode.

On the DMZ interface I have created 3 VLANs which in turn are all added to the HA config with their own ip addresses.

DMZ.100 192.168.1.1/27

DMZ.200 192.168.1.32/29

DMZ.300 192.168.1.40/29

LAN18 10.0.0.1/24

I added a NAT on DMZ.100 for the following:

192.168.1.2:443 -> 10.0.0.50:443

The checkbox set to on : 'Serve as an ARP Proxy for the original destination's IP address'

According to the documentation a Proxy Arp should be created automatically for ip 192.168.1.2, so the 1800 can respond to ARP requests for that ip address.

When I type 'show nat-rule position 1' I get the following:

index: 1
name: 3966
original-source: any
original-destination: NATTEST
original-service: HTTPS
translated-source:
translated-destination: TEST-HOST
translated-service: HTTPS
comment:
disabled: false
hide-sources: false
answerArpRequests: true
is-generated: false
owner-type:

As stated in the response, answerArpRequests: true, but the 1800 just won't reply to ARP requests.

Also 'fw ctl arp -n' does not show anything.

When I create a $FWDIR/conf/local.arp file on both nodes and add the correct ip/mac address combination, then the 1800 does respond to ARP requests on the NAT ip-address.

Now 'fw ctl arp -n' returns the mac address to which it should respond.

My question is: is this a known issue that I need to configure local.arp to get Proxy Arp working with VLAN tagged interfaces with our Quantum Spark 1800 R81.10.05 devices? Has anyone run into this problem? I would like to use the WebGUI to add NAT configuration and not want edit local files which might not survive firmware upgrades.

I found a lead to an old article at proxy-arp-vlan-tagging but that is for another type of Checkpoint, but might be related

Re: Proxy ARP and VLAN tagging

G_W_Albrecht — Fri, 12 May 2023 08:19:31 GMT

This is the offical supported method to configure proxy arp on SMBs - see details in sk30197: Configuring Proxy ARP for Manual NAT

If you feel that this should be configurable using WebGUI you can raise a RFE in the CP RFE form here: https://usercenter.checkpoint.com/ucapps/rfe/

Re: Proxy ARP and VLAN tagging

the_rock — Fri, 12 May 2023 21:11:56 GMT

To add to what @G_W_Albrecht said, below is what you need to follow:

https://support.checkpoint.com/results/sk/sk114531

Andy

Re: Proxy ARP and VLAN tagging

G_W_Albrecht — Sat, 13 May 2023 19:57:17 GMT

Thank you - that is the right SK !

Re: Proxy ARP and VLAN tagging

arnieh — Tue, 16 May 2023 10:28:20 GMT

Thank you both for your answers.

An update from my side:

I just found out that when I use IP addresses on the physical interface on which HA is enabled are set to the same subnet as the VIP address, the proxy arp works as it should for auto-NAT rules.

Both manual and auto-generated NAT need local.arp fileOnly manual NAT needs local.arp file

Above are of course fictional addresses. The cluster IP address is actually one of a 87.x.x.x./29-subnet we got from our internet provider, so I need to use 192.x.x.x. private addresses on the physical interfaces to have more internet route-able addresses usable for NAT to internal hosts.