
How To Implement Transparent Subnet Gateways using Proxy ARP

Applicable Version: 10.00 onwards


ARP (Address Resolution Protocol) is the protocol TCP/IP uses to translate an IP address into a MAC address (the physical network address). It is used between hosts that are directly connected on the same local network and relies on broadcast and unicast transmissions between them: a host finds the physical address of another host on its network by broadcasting an ARP query that carries the IP address of the intended receiver. When host A and host B are separated by a border device (a device connecting two networks) such as a router or firewall, they have to communicate through that device, because they are not local to each other at layer two even if their addresses lie in the same IP network. This situation arises in a network where two physical segments that belong to the same IP subnet are connected by a router. Since ARP relies on broadcasts for address resolution, and broadcasts are not propagated beyond a physical network, ARP cannot function between hosts on different physical networks. When such operation is required, a device such as a router or firewall can be configured as an ARP proxy and respond to ARP requests on behalf of a host on the other network. Proxy ARP is therefore the technique of having a router answer ARP requests with its own MAC address; by doing so the router accepts responsibility for routing the packets to the "real" destination. Proxy ARP lets hosts on a subnet reach hosts beyond the router without any routing or default-gateway configuration on the hosts themselves.

Transparent subnet gatewaying


The most straightforward way to address the above issue is to subnet a gateway transparently using proxy ARP. A network can be extended with this technique without any change on, or knowledge of, the upstream router. In other words, transparent subnet gatewaying is a setup in which two physical segments share the same IP subnet and are connected through a router (here, the Cyberoam appliance).

Deployment:
Consider a hypothetical example where Cyberoam has to be deployed in a network consisting of a Mail server and a Web server with public, Internet-facing addresses and a router, all sharing the same IP subnet. The network diagram below shows how Cyberoam is deployed. Because the router and the internal servers share one IP subnet, and to avoid the routing problem described above, Cyberoam is placed between the internal network and the router. As per the diagram, the Mail server and Web server keep their public IP addresses and are placed in the DMZ zone, while the router is placed in the WAN zone with an address from the same subnet. Throughout the article the network parameters shown in the diagram are used: the router is 1.1.1.1 on PortB (WAN), and the Web and Mail servers are 1.1.1.3 and 1.1.1.4 on PortC (DMZ).


Configuration
Follow the below mentioned steps to implement transparent subnet gateways using Proxy ARP:

Step 1: Create and Assign IP address to DMZ zone


Log in to the Web Admin Console with a user having the Administrator profile. Go to Network > Interface > Interface and click the Interface Name or the Edit icon in the Manage column against the interface to be modified (PortC).


Parameter            Value                     Description
Physical Interface   PortC                     Physical interface for the DMZ segment
Network Zone         DMZ                       Zone to which the interface belongs
IP Assignment        Static                    IP assignment type. Static IP addresses are available for all zones; PPPoE and DHCP are available only for the WAN zone (if PPPoE is configured, the WAN port is displayed as the PPPoE interface)
IP Address           10.10.1.1                 Interface IP address
Netmask              /29 (255.255.255.248)     Network subnet mask
Primary DNS          4.2.2.2                   Primary DNS server IP address
Secondary DNS        8.8.8.8                   Secondary DNS server IP address


Click OK and the Interface PortC will be updated successfully. Note that the DMZ interface address (10.10.1.1/29) is deliberately outside the shared 1.1.1.0/29 subnet: the servers keep their 1.1.1.x addresses and reach the router through the proxy ARP entries configured in Step 3, not through this address.

Step 2: Change physical network


Move the Web and Mail servers physically from the WAN segment to the DMZ segment (PortC). Only the physical location changes; the servers keep their existing IP addresses and default gateway.

Step 3: Enable proxy ARP and create Static Route Entries


Enable proxy ARP entries for the DMZ and WAN interfaces from the CLI Console. Both the WAN and the DMZ interface must be configured to accept and respond to proxy ARP.

1. Log in to the CLI Console.
2. Go to Option 4, Cyberoam Console, and execute the following commands:

console> set proxy-arp add interface PortB dst_ip 1.1.1.3
console> set proxy-arp add interface PortB dst_ip 1.1.1.4
console> set proxy-arp add interface PortC dst_ip 1.1.1.1

The first two entries make Cyberoam answer ARP requests for the Web and Mail servers on the WAN segment (PortB), so the router hands their traffic to Cyberoam; the third makes Cyberoam answer for the router on the DMZ segment (PortC).

3. To verify the configuration, use the following command:

console> show proxy-arp


Create static routes for the DMZ and WAN interfaces. A static route provides next-hop information to Cyberoam; here the routes are what make the proxy ARP entries useful, since Cyberoam answers ARP for an address on one segment and must know to forward the traffic out the other. Go to Network > Static Route > Unicast and click Add to add a new static route.

Parameter        Value                   Description
Destination IP   1.1.1.1                 Destination IP address
Netmask          /32 (255.255.255.255)   Subnet mask
Interface        Port B                  Interface, selected from the list of physical interfaces, virtual sub-interfaces and aliases
Distance                                 Distance for routing; the range of values is 0 to 255

Click OK and the Unicast Route will be added successfully.


Note: A gateway is not needed; the interface is sufficient, because the destination is directly reachable on that segment. Only the unicast route for the router (1.1.1.1/32 via Port B) is shown in this document; add two more in the same way for the Web and Mail servers (1.1.1.3/32 and 1.1.1.4/32 via Port C).

Step 4: Create Firewall Rules to Allow Web and Mail Server Traffic
By default, Cyberoam blocks all traffic between the WAN and DMZ zones, so firewall rules must be created to allow traffic to and from the Web server and Mail server. Go to Firewall > Rule and create the following rules:

- LAN to DMZ rule, to allow access from the internal network to the Mail and Web server.
- WAN to DMZ rule, to allow access to the Web and Mail server from the outside world.
- DMZ to WAN rule, to allow the Web and Mail server to access the Internet.

LAN to DMZ rule to allow access from the internal network to the Mail and Web server: go to Firewall > Rule and click Add to add the LAN_DMZ_ProxyARP firewall rule.

Parameter                          Value                            Description
Name                               LAN_DMZ_ProxyARP                 Name identifying the firewall rule
Zone                               Source: LAN, Destination: DMZ    Source and destination zones to which the rule applies
Network/Host                       ProxyARP                         Source and destination host or network address to which the rule applies (the host object ProxyARP is added during rule creation)
Services                           Any                              Services represent types of Internet data transmitted via particular protocols or applications; select the service or service group to which the rule applies
Schedule                           All the time                     Schedule for the rule
Action                             Accept                           Rule action. Accept: allow access. Drop: silently discard. Reject: deny access and send an ICMP port unreachable message to the source
Apply NAT (only if Action is Accept)   Disabled                     NAT policy to apply. Access is allowed, but the source IP address is substituted by the IP address specified in the NAT policy


Click OK and the Host ProxyARP will be added successfully.

Click OK again and the Firewall Rule will be created successfully.


Note: Only the firewall rule LAN_DMZ_ProxyARP is shown in this document. Add the two remaining rules, WAN_DMZ_ProxyARP and DMZ_WAN_ProxyARP, in the same way, with the source and destination zones swapped accordingly.

Advantages
With transparent subnet gatewaying, one can put security in front of mission-critical servers such as Mail, Web, SAP and ERP systems without any configuration or routing changes on the servers or the upstream router, and with minimal downtime.

Document Version: 1.2, 08/11/2012
