configure Proxy Arp on VSX cluster firewall


Hi Team,

Can someone explain to me how to configure Proxy ARP for a Static NAT public IP on an R80.10 VSX Cluster firewall? My cluster is in active/passive mode. I have gone through SK30197 but do not understand it.

Accepted Solutions

Re: configure Proxy Arp on VSX cluster firewall


Nilesh,

There's another way to add a proxy ARP entry to a gateway without configuring via the Gaia portal or clish.

Add a host object with your external IP to your rulebase and configure automatic NAT (static). As NAT-IP use the same external IP, add the relevant gateway and do a policy install. With this host object the gateway adds a proxy ARP entry to the gateway.

Wolfgang


4 Replies

Re: configure Proxy Arp on VSX cluster firewall

The first thing you need to know is the MAC address that is connected to the correct interface. You can find that by entering expert mode (let's say you are working on VS5):
vsenv 5
cphaprob stat
ifconfig
From the last one, find the correct interface that belongs to the IP from the same network/subnet you want to add the proxy ARP for.
Now go back to clish and enter the following commands:
set virtual-system 5
add arp proxy ipv4-address 10.10.10.20 macaddress 00:xx:xx:xx:xx:xx real-ipv4-address 10.10.10.1
Where 10.10.10.20 is the NAT IP you added and 10.10.10.1 is the IP on the interface. Once added, push policy, but before you do, do not forget to check that in the global NAT properties 'merge manual proxy ARP configuration' is ticked.
Now check to see if it all works properly with:
fw ctl arp

Regards, Maarten

Re: configure Proxy Arp on VSX cluster firewall


I am virtualizing a HA Cluster to a VSX Cluster and have been reading some documentation regarding proxy ARP and VSX. One thing I would like to discuss is the relation between a proxy ARP entry in clish and the local.arp file. I have to understand this better so that I can configure this in the new VSX environment.

This is taken from a normal HA cluster not a VSX!

local.arp - 193.45.59.11 00:1c:7f:63:e8:76 193.45.95.20

--------------------------------------------------------------------------------------------------

clish - add arp proxy ipv4-address 193.45.59.11 interface bond1 real-ipv4-address 193.45.95.20

If I have understood this post correctly I only have to add proxy arp on the vs and nothing in the local.arp file?

Sincerely

Clive Overton-Fox


Re: configure Proxy Arp on VSX cluster firewall

Clish commands overwrite the files in the background; for example, add arp proxy will add an entry to local.arp.
The main advantage of using clish instead of editing local files is that show configuration will show you that information without you needing to get into those pesky files.
The same goes for cron jobs: add cron in clish will add a line to crontab, and you will see with crontab -l that the command you added in clish is properly added to the crontab.
Also, in some companies you're not allowed to go into expert mode, thus making access to local.arp very difficult.
Regards, Maarten
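
Added example, not part of any post above and not Check Point code: a shell helper for the migration case discussed in the last two posts. It turns lines in the three-field local.arp layout quoted above (NAT IP, MAC, real IP) into the macaddress form of add arp proxy shown earlier in the thread, and rejects malformed or duplicate lines so they can be reviewed before anything is entered in clish. The function names, the VS ID argument and the sample addresses are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Check Point code. Reads local.arp-style lines
# ("<NAT-IP> <MAC> <real-IP>") on stdin and prints the clish commands quoted
# in this thread. local_arp_to_clish and its VS-ID argument are hypothetical.
local_arp_to_clish() {
    awk -v vsid="$1" '
    function valid_ip(ip,    n, o, i) {
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) return 0
        return 1
    }
    function valid_mac(mac,    n, h, i) {
        n = split(mac, h, ":")
        if (n != 6) return 0
        for (i = 1; i <= 6; i++)
            if (h[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) return 0
        return 1
    }
    function reject(why) {
        print "line " NR ": " why ": " $0 | "cat 1>&2"
        bad++
    }
    BEGIN { if (vsid != "") print "set virtual-system " vsid }
    /^[ \t]*$/ { next }                       # skip blank lines
    NF != 3 || !valid_ip($1) || !valid_mac($2) || !valid_ip($3) {
        reject("malformed entry"); next
    }
    ($1 in seen) { reject("duplicate NAT IP"); next }
    {
        seen[$1] = 1
        print "add arp proxy ipv4-address " $1 " macaddress " $2 " real-ipv4-address " $3
    }
    END { exit (bad > 0) }                    # non-zero if any line was rejected
    '
}

# Constructed sample input: documentation addresses, one valid entry, one
# blank line, and one entry whose MAC placeholder was never filled in.
sample_local_arp() {
    printf '%s\n' '203.0.113.20 02:00:5e:10:00:01 203.0.113.1' \
                  '' \
                  '203.0.113.21 00:xx:xx:xx:xx:xx 203.0.113.1'
}

sample_local_arp | local_arp_to_clish 5 || echo "rejected lines need fixing before use" >&2
```

The generated commands are only text for review; after entering them, fw ctl arp (as in the reply above) shows what the gateway actually answers for.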