
Bridge mode ARP replies not received

I'm trying to set up SFOS 17.03 MR3 as a bridge behind another device purely for the purpose of utilizing its web filtering, app control, etc. However, I'm unable to ping from the XG to the default gateway of the upstream device. It doesn't look like the XG instance is seeing the ARP replies back from the upstream box. I do see the ARP replies being sent from the upstream box. I don't believe they're being blocked at the source. I do have the two firewall rules to allow for traffic between the LAN and WAN zones. However, it's non-masqueraded and the bridge interface doesn't have routing enabled. Any ideas as to why the ARP replies aren't being seen? Would that be why ping wouldn't work?

  • I added a LAN to LAN rule and enabled routing on the bridge pair. However, the gateway interface still shows as red. The other two firewall rules in place allow all WAN to LAN traffic and all LAN to WAN traffic. It doesn't appear to matter whether or not the LAN to WAN rule is set to masquerade traffic, or whether or not the WAN to LAN rule has a gateway set either. Any other ideas as to what else might need to be changed?

  • Kevin, check XG log viewer and make sure to enable ping on Administration > Device Access.

    Regards

  • The log viewer doesn't really reflect anything that stands out in any of the logs. PING / PING6 is already enabled for the WAN zone. This is all being bench tested in VirtualBox. I'm going to try breaking the bridge to get the DHCP range for the NAT interface, rebuild the bridge and assign it a static IP in the VirtualBox NAT DHCP range to see if it's the other VM appliance that might be interfering with the ping. Although, I can sit another client OS directly behind the other appliance and it works like a champ.

  • Kevin,

    did you enable promiscuous mode on VirtualBox?

    Thanks

  • Not until now. However, that was what was needed. I set both interfaces associated with the XG VM to Allow All. It worked! :) Although, I don't understand why it's needed. Shouldn't it be able to interact using standard L2/L3 protocols without needing to go promiscuous?

  • No. Promiscuous mode is needed so the firewall VM/appliance can listen to the traffic and is able to capture/analyze it, and so block traffic.

    Regards
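The reply above gives the short answer; the model below spells out the mechanism behind it. It is an added example, not code from the thread, from Sophos or from VirtualBox. It assumes a hypervisor vNIC in "deny" mode only delivers frames addressed to that vNIC's own MAC, broadcast or multicast, and that the bridge interface inside the VM answers with one member port's MAC (a Linux bridge picks the lowest member MAC by default; whether SFOS does the same is assumed). The MAC addresses, VM name and the `VBoxManage showvminfo --machinereadable` excerpt are constructed. Under those assumptions, an ARP reply to the bridge's MAC or to a client behind the bridge arrives on the WAN vNIC with a destination MAC that is not the WAN vNIC's own, so the hypervisor drops it before the XG ever sees it, which is exactly the symptom in the original post. The second half parses a `showvminfo` dump and prints the `modifyvm --nicpromisc<N>` commands needed to fix it.

```python
"""Why a bridging VM needs a promiscuous vNIC, and how to check VirtualBox.

Added example (not from the thread, Sophos or VirtualBox). MACs, VM name and
the showvminfo excerpt are constructed; the ingress-filter model and the
bridge-MAC choice are assumptions stated in the comments.
"""
import re
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    dst: str   # destination MAC
    src: str   # source MAC
    what: str  # human-readable label for the frame


def is_multicast(mac: str) -> bool:
    """Group bit (LSB of the first octet) set => multicast (or broadcast)."""
    return bool(int(mac.split(":")[0], 16) & 1)


def vnic_accepts(frame: Frame, vnic_mac: str, promisc: str) -> bool:
    """Assumed model of the hypervisor's per-vNIC ingress filter.

    'deny'     : deliver only frames to this vNIC's own MAC, broadcast or
                 multicast -- all a normal end host ever needs.
    'allow-vms' / 'allow-all': deliver every frame on the segment, which a
                 bridge/transparent firewall needs to forward for others.
    """
    if promisc in ("allow-vms", "allow-all"):
        return True
    if promisc != "deny":
        raise ValueError(f"unknown promiscuous mode {promisc!r}")
    dst = frame.dst.lower()
    return dst == vnic_mac.lower() or dst == BROADCAST or is_multicast(dst)


# Constructed topology: XG VM with a LAN vNIC and a WAN vNIC bridged as br0.
LAN_VNIC = "08:00:27:11:11:11"
WAN_VNIC = "08:00:27:22:22:22"
# Assumption: br0 uses the lowest member MAC (Linux bridge default), so the
# XG's own ARP requests go out the WAN port with the LAN vNIC's MAC as source.
BR0_MAC = min(LAN_VNIC, WAN_VNIC)
CLIENT_MAC = "08:00:27:33:33:33"   # host sitting behind the bridge (LAN side)
GATEWAY_MAC = "52:54:00:aa:bb:cc"  # upstream appliance (WAN side)


def wan_side_delivery(promisc: str) -> dict:
    """Which frames arriving on the WAN vNIC the XG actually gets to see."""
    arriving = [
        Frame(BR0_MAC, GATEWAY_MAC, "ARP reply to br0 (XG's own ping)"),
        Frame(CLIENT_MAC, GATEWAY_MAC, "ARP reply to client behind bridge"),
        Frame(BROADCAST, GATEWAY_MAC, "ARP request (broadcast)"),
    ]
    return {f.what: vnic_accepts(f, WAN_VNIC, promisc) for f in arriving}


# Constructed excerpt of: VBoxManage showvminfo "XG" --machinereadable
SAMPLE_SHOWVMINFO = '''\
name="XG"
nic1="bridged"
bridgeadapter1="eth0"
nicpromisc1="deny"
nic2="intnet"
intnet2="inside"
nicpromisc2="deny"
nic3="none"
'''


def promisc_fixes(showvminfo: str) -> list:
    """VBoxManage commands to take every attached NIC out of 'deny' mode.

    Unattached NICs (nic<N>="none") are skipped. allow-all is what the thread
    ended up using; allow-vms would do if every peer is also a VM.
    """
    name = re.search(r'^name="(.*)"$', showvminfo, re.M).group(1)
    attached = {m.group(1)
                for m in re.finditer(r'^nic(\d+)="(?!none")', showvminfo, re.M)}
    modes = dict(re.findall(r'^nicpromisc(\d+)="(.*)"$', showvminfo, re.M))
    return [f'VBoxManage modifyvm "{name}" --nicpromisc{n} allow-all'
            for n in sorted(attached, key=int)
            if modes.get(n, "deny") == "deny"]


if __name__ == "__main__":
    for mode in ("deny", "allow-all"):
        print(f"--- WAN vNIC in {mode} ---")
        for what, seen in wan_side_delivery(mode).items():
            print(f"{'seen   ' if seen else 'DROPPED'}  {what}")
    print("\n".join(promisc_fixes(SAMPLE_SHOWVMINFO)))
```

The model also explains the detail from the original post that the XG sees its own ARP requests leave and the upstream box answer them: broadcast passes the filter in either mode, unicast replies to a foreign MAC do not. Even in a build where br0 happens to use the WAN vNIC's MAC (so the XG's own ping works), frames for clients behind the bridge would still be dropped, which is why both vNICs of a transparent bridge need promiscuous mode, not just the one that failed the ping test.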