
Proxy-ARP not working on a VMWare-Machine (Ubuntu 16.4)

Hello Community,

we're about to implement a video conferencing server via a virtual machine (sitting on VMWare ESXi). The VM uses Ubuntu 16.4 as an OS and has two NICs. One of them needs to use a public IP address, as we can't use a STUN/TURN server, the other one is used for management only and has a private IP. To still be secure, we're about to use proxy-arp on our XG 310 firewall (18.0.4). The interface on the firewall used for this is a LAG, containing 2 Ports (3 and 7). It has a private IP, which just functions as 'dummy', as it gets its 'real' IP via the proxy-arp.

The XG uses 2 proxy-arp entries actually, one on the LAG, which gets the public IP of the ISP gateway and one on the WAN interface, which gets the public IP of the server.

On the VM, we have configured one NIC with mentioned public IP and the ISP's router as a gateway. The same gateway is also default. And there's a directly connected route in the /22 subnet which contains the public IP and the gateway. On the XG we have added routes to the VM via the LAG interface and to the ISP router via the WAN interface (although the latter is probably not necessary because it's the default gateway).

Now to the problem: We cannot reach the LAG interface at all from the server - and the server not from the XG. A ping from the VM comes up with a 'destination unreachable' message, which looks like there's no route to the gateway. But there is (actually it's directly connected). If we try arp -a, the internal interface gets the MAC address from its gateway without any issues, the proxy-arp interface always comes up with <incomplete>. Which, again, is an indicator for a non-functioning connection. A tracepath also stops at the interface IP with an H! for unreachable.

Problem is that it SHOULD work. At least in my opinion. I even tried to add the MAC address of the LAG interface manually to the ARP table, which unfortunately didn't do the trick either.

Oh, there's also a stacked switch between the XG and the ESXi-Host, but all ports are sitting untagged in the same VLAN, so this shouldn't be the issue.

Please, can anyone help me out on this one?

Many thanks in advance!



This thread was automatically locked due to age.
  • FormerMember

    Hi ,

    Thank you for reaching out to Sophos Community.

    Please ensure that you've followed the correct steps to configure proxy-arp on Sophos Firewall.

    Implement Transparent Subnet Gateways Using Proxy ARP

    Assuming ISP link is terminated on Sophos Firewall.

    ==> Configure LAG and WAN interfaces to accept and respond to Proxy ARP.

    console> set proxy-arp add interface <WAN_Interface> dst_ip <NIC_public_IP>

    console> set proxy-arp add interface <LAG_interface> dst_ip <WAN_ISP_Gateway>

    ==> Static routes would be as below.

    Destination IP: WAN_ISP_Gateway
    Netmask: Subnet mask
    Interface: WAN_Interface

    Destination IP: NIC_public_IP
    Netmask: Subnet mask
    Interface: LAG_interface

    ==> Ensure that firewall rules are configured to allow traffic going to and from the VM.

    ==> Check traffic on NIC_public_IP as well.

    Login to SSH > 4. Device Console

    console> tcpdump 'host NIC_public_IP'

    ==> Share session output here or in PM.

    Feel free to send me a PM with configuration snapshots.
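The symptom in the opening post (the proxy-arp gateway showing <incomplete> in arp -a while the route is directly connected) and the checklist above can be narrowed down on the VM side before any capture on the firewall: does the /22 route actually contain the gateway, and does the kernel neighbour table have a resolved entry for it? The following script is an added example, not code from the thread or from Sophos. It works on constructed `ip neigh show` output (the addresses, interface names and MACs are placeholders in the 203.0.113.0/24 documentation range) and goes slightly beyond the post by classifying every neighbour state, not only INCOMPLETE.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a gateway is (a) inside
# the directly connected prefix and (b) resolved in the neighbour table.
# On a real VM you would feed it:  diagnose <gw> <prefix> "$(ip neigh show)"

# Constructed sample of `ip neigh show` output; not captured from the poster's VM.
SAMPLE_NEIGH='203.0.113.1 dev ens160 lladdr 00:50:56:aa:bb:cc REACHABLE
203.0.113.2 dev ens160  FAILED
10.0.0.1 dev ens192 lladdr 00:50:56:dd:ee:ff STALE'

# neigh_state <ip> <neigh_output>
# Prints the NUD state of <ip> (last column of its line) or MISSING.
neigh_state() {
  gw=$1; shift
  printf '%s\n' "$1" | awk -v gw="$gw" \
    '$1 == gw { print $NF; found = 1 } END { if (!found) print "MISSING" }'
}

# ip_to_int <dotted-quad>  -> prints the address as an integer
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet <ip> <prefix/len>  -> exit status 0 when <ip> lies inside the prefix
in_subnet() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# diagnose <gateway> <connected_prefix> <neigh_output>
# Return 0 when the gateway is usable, 1 when ARP never resolved it,
# 2 when it is not even covered by the connected route.
diagnose() {
  gw=$1; cidr=$2; neigh=$3
  if ! in_subnet "$gw" "$cidr"; then
    echo "NO-ROUTE: $gw is outside $cidr, the connected route cannot reach it"
    return 2
  fi
  state=$(neigh_state "$gw" "$neigh")
  case $state in
    REACHABLE|STALE|DELAY|PROBE|PERMANENT)
      echo "OK: $gw resolved (state $state), look further up (firewall rule, proxy-arp entry)"
      return 0 ;;
    *)
      echo "ARP-FAILED: $gw state $state, the ARP reply never arrived (the <incomplete> symptom)"
      return 1 ;;
  esac
}

# Usage with the constructed sample: the first gateway resolves, the second does not.
diagnose 203.0.113.1 203.0.113.0/22 "$SAMPLE_NEIGH"
diagnose 203.0.113.2 203.0.113.0/22 "$SAMPLE_NEIGH" || true
```

When the result is ARP-FAILED on a VM whose route is correct, the request is leaving the host but no reply comes back, so the next thing to confirm is the capture on the firewall side (the tcpdump step above) rather than the VM's routing table; a NO-ROUTE result means the prefix length on the NIC is wrong.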

  • Hi Yash,

    thanks for your answer. I've configured the proxy-arp exactly like in the description. I've also used tcpdump on the XG to capture packets from the host. I did a simple ICMP request (ping) but nothing ever reached the firewall. I got 'destination not reachable' on the VM, which indicates that there is no route to the gateway, but there is.

    I'll send you a screenshot of the routing table on the VM via PM; maybe I'm missing an issue.

    Thanks in advance!
