arnieh
Explorer

Proxy ARP and VLAN tagging

I am working on two new 1800 Quantum Spark nodes in HA mode.

On the DMZ interface I have created 3 VLANs which in turn are all added to the HA config with their own ip addresses.

DMZ.100 192.168.1.1/27

DMZ.200 192.168.1.32/29

DMZ.300 192.168.1.40/29

LAN18 10.0.0.1/24

I added a NAT on DMZ.100 for the following:

192.168.1.2:443 -> 10.0.0.50:443 

The checkbox set to on : 'Serve as an ARP Proxy for the original destination's IP address'

According to the documentation a Proxy Arp should be created automatically for ip 192.168.1.2, so the 1800 can respond to ARP requests for that ip address.

When I type 'show nat-rule position 1' I get the following:

index: 1
name: 3966
original-source: any
original-destination: NATTEST
original-service: HTTPS
translated-source:
translated-destination: TEST-HOST
translated-service: HTTPS
comment:
disabled: false
hide-sources: false
answerArpRequests: true
is-generated: false
owner-type:

As stated in the response, answerArpRequests: true, but the 1800 just won't reply to ARP requests.

Also 'fw ctl arp -n' does not show anything.

When I create a $FWDIR/conf/local.arp file on both nodes and add the correct ip/mac address combination, then the 1800 does respond to ARP requests on the NAT ip-address.

Now 'fw ctl arp -n' returns the mac address to which it should respond.

 

My question is: is this a known issue, that I need to configure local.arp to get Proxy ARP working with VLAN-tagged interfaces on our Quantum Spark 1800 R81.10.05 devices? Has anyone run into this problem? I would like to use the WebGUI to add NAT configuration and do not want to edit local files which might not survive firmware upgrades.

I found a lead to an old article at proxy-arp-vlan-tagging, but that is for another type of Checkpoint device; it might be related, though.

0 Kudos
1 Solution
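The workaround described in the question is to hand-write `$FWDIR/conf/local.arp` with one `<IP> <MAC>` line per NAT address that the gateway must answer ARP for. The script below is an added example for this thread, not Check Point code: it parses the `show nat-rule` output quoted in the post, picks out every enabled rule with `answerArpRequests: true`, checks that the original-destination address actually lies on one of the VLAN subnets listed in the post (proxy ARP only helps for an address on a directly attached segment), renders the `local.arp` lines and validates an existing file. The `OBJECTS` table that maps the object names `NATTEST` and `TEST-HOST` to addresses, the documentation MAC `00:00:5e:00:53:01` and the `local.arp` line format (as given in sk30197) are assumptions.

```python
"""Build and validate a $FWDIR/conf/local.arp file from 'show nat-rule' output.

Added example, not Check Point code.  Assumptions: local.arp lines are
"<IP> <MAC>" (sk30197); 'show nat-rule' prints "key: value" lines as in the
post; OBJECTS is a hand-made name -> address table.
"""
import ipaddress
import re

# Constructed sample: the rule output quoted in the post.
NAT_RULE_OUTPUT = """\
index: 1
name: 3966
original-source: any
original-destination: NATTEST
original-service: HTTPS
translated-source:
translated-destination: TEST-HOST
translated-service: HTTPS
comment:
disabled: false
hide-sources: false
answerArpRequests: true
is-generated: false
owner-type:
"""

# Hypothetical object table (names from the post, addresses from the post).
OBJECTS = {"NATTEST": "192.168.1.2", "TEST-HOST": "10.0.0.50"}

# Interfaces from the post; proxy ARP only helps for an address on one of them.
INTERFACES = {"DMZ.100": "192.168.1.1/27", "DMZ.200": "192.168.1.32/29",
              "DMZ.300": "192.168.1.40/29", "LAN18": "10.0.0.1/24"}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_nat_rules(text):
    """Split 'show nat-rule' output into one dict per 'index:' block."""
    rules, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "index":
            current = {}
            rules.append(current)
        if current is not None:
            current[key] = value
    return rules


def proxy_arp_targets(rules, objects):
    """Original-destination IPs of enabled rules that ask for an ARP answer."""
    targets = []
    for r in rules:
        if r.get("disabled") == "true" or r.get("answerArpRequests") != "true":
            continue
        name = r.get("original-destination", "")
        ip = objects.get(name, name)  # a literal IP is accepted as well
        try:
            targets.append(str(ipaddress.ip_address(ip)))
        except ValueError:
            raise ValueError(f"cannot resolve original-destination {name!r}")
    return targets


def interface_for(ip, interfaces):
    """Name of the interface whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in interfaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def build_local_arp(targets, mac, interfaces):
    """Render local.arp lines; refuse an IP that is on no attached segment."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC {mac!r}")
    lines = []
    for ip in sorted(set(targets), key=ipaddress.ip_address):
        if interface_for(ip, interfaces) is None:
            raise ValueError(f"{ip} is on no attached interface")
        lines.append(f"{ip} {mac}")
    return "\n".join(lines) + "\n"


def validate_local_arp(text):
    """Check an existing local.arp: '<IP> <MAC>' per line, no duplicate IPs."""
    problems, seen = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            problems.append(f"line {n}: expected '<IP> <MAC>'")
            continue
        ip, mac = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"line {n}: bad IP {ip!r}")
        if not MAC_RE.match(mac.lower()):
            problems.append(f"line {n}: bad MAC {mac!r}")
        if ip in seen:
            problems.append(f"line {n}: duplicate entry for {ip}")
        seen.add(ip)
    return problems


if __name__ == "__main__":
    rules = parse_nat_rules(NAT_RULE_OUTPUT)
    # Placeholder MAC: on a real box use the DMZ interface MAC of each node.
    content = build_local_arp(proxy_arp_targets(rules, OBJECTS),
                              "00:00:5e:00:53:01", INTERFACES)
    print(content, end="")
    print("problems:", validate_local_arp(content))
```

Because each cluster member has its own interface MAC, the file is generated once per node with that node's MAC; the validator is what you would run after an upgrade to confirm the file survived intact before trusting `fw ctl arp -n`.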
4 Replies
G_W_Albrecht
Legend

This is the official supported method to configure proxy ARP on SMBs - see details in sk30197: Configuring Proxy ARP for Manual NAT

If you feel that this should be configurable using the WebGUI, you can raise an RFE in the CP RFE form here: https://usercenter.checkpoint.com/ucapps/rfe/

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
(1)
the_rock
Legend

To add to what @G_W_Albrecht said, below is what you need to follow:

https://support.checkpoint.com/results/sk/sk114531

Andy

(1)
G_W_Albrecht
Legend

Thank you - that is the right SK !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
arnieh
Explorer

Thank you both for your answers.

An update from my side:

I just found out that when the IP addresses on the physical interface on which HA is enabled are set to the same subnet as the VIP address, the proxy ARP works as it should for auto-NAT rules.

 

[Image: Both manual and auto-generated NAT need local.arp file]

[Image: Only manual NAT needs local.arp file]

Above are of course fictional addresses. The cluster IP address is actually one of an 87.x.x.x/29 subnet we got from our internet provider, so I need to use 192.x.x.x private addresses on the physical interfaces to have more internet-routable addresses usable for NAT to internal hosts.

0 Kudos