Barracuda NG Firewall

5.4 5.2

 


How to Create Proxy ARP Objects

Last update: Monday, 13. May 2013

With Proxy ARP objects, you can configure the Barracuda NG Firewall to answer ARP requests on behalf of a requested interface, accept packets, and correctly forward packets. Proxy ARPs are like additional IP addresses that the firewall responds to when it receives an ARP request. Use Proxy ARP addresses for redirecting and mapping in firewall rulesets, if they are in the same address space as the source of a connection request. You can also use Proxy ARP objects for bridging.

Do not create Proxy ARPs in address spaces where the firewall IP address is configured as the gateway IP address.

You can create a Proxy ARP object as a standalone object or with a connection object. However, the Proxy ARP object is then dependent on the connection object; if the connection object is deleted, the Proxy ARP object is also deleted.

Configure a Proxy ARP Object

You can define up to 256 Proxy ARP entries on the Barracuda NG Firewall. This limit applies to the number of entries, not to the number of IP addresses.

  1. Log into the Barracuda NG Firewall.
  2. Click the Status tab.
  3. In the Services table, click Configuration.
  4. On the Simple Config page, click Ruleset in the Operational Configuration table.
  5. From the Configuration menu in the left navigation pane, select Proxy ARPs.
  6. To create a Proxy ARP object, right-click the table and select New.
  7. To edit a Proxy ARP object, double-click it.
  8. In the Edit/Create a Proxy ARP Object window, specify the settings for the Proxy ARP object.  

    [Figure: Example - Edit/Create a Proxy ARP Object window]

    You can specify the following settings:

    • Network Address - You can enter a single IP address or a complete network.
    • Description - Description of the Proxy ARP object.
    • Standalone - To let the Proxy ARP object exist without a referring object (such as a connection object), select this check box. Otherwise, the Proxy ARP object is deleted if the referring object is deleted. The Standalone setting is enabled by default.
    • Primary Network Interface - Interface that is used when responding to an ARP request. You can either enter a specific network interface (for example, eth1), or select one of the following options:
        • match (default) - ARP requests are answered via the interface that hosts the network.
        • any - ARP requests are answered via any interface.
    • Additional Interfaces - Additional interfaces that are used when responding to ARP requests. Make sure that you only enter interfaces that do not conflict with the primary network interface. You can enter a space-delimited list of interfaces.
    • Exclude Networks - Network addresses that should be excluded from a complete network that is entered in the Network Address field. You can enter a space-delimited list of addresses.
    • Source Address Restriction - Network addresses that must be used as the source IP address when responding to ARP requests. You can enter a space-delimited list of addresses.
    • Introduce Route on Interface - For bridging setups only. Read-only field that displays the bridging interface route (see: Bridging Deployment).
    • Send Unsolicited ARP - To configure the firewall to also propagate specified IP addresses through ARPs, select this check box. The Send Unsolicited ARP setting is enabled by default.

    Unsolicited ARPs can only be sent if the corresponding network interface has an active IP address. The status of the IP address is only verified when the forwarding firewall starts up, such as during an HA takeover or when the firewall ruleset changes. The status of the IP address is not verified if the network interface changes into state "up" or if a pending route becomes active, such as when a server IP address is introduced. In this case, only the Proxy ARP is introduced to answer incoming ARP requests.

  9. Click OK.
  10. Click Send Changes and then click Activate. 
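
The constraints stated on this page (no Proxy ARPs in address spaces where the firewall is the gateway, at most 256 entries, Exclude Networks carved out of the Network Address) can be checked against a planned list of objects before it is entered. The following Python is an added example, not Barracuda code; the entry format, the function names and the sample addresses are assumptions made for illustration, and the list of address spaces where the firewall is the gateway has to be supplied by the administrator.

```python
import ipaddress

MAX_ENTRIES = 256  # the page's limit counts entries, not IP addresses

def effective_networks(network, excludes=()):
    """Networks an entry still answers ARP for once Exclude Networks are removed."""
    remaining = [ipaddress.IPv4Network(network, strict=False)]
    for raw in excludes:
        ex = ipaddress.IPv4Network(raw, strict=False)
        kept = []
        for net in remaining:
            if net.subnet_of(ex):        # fully excluded
                continue
            if ex.subnet_of(net):        # carve the excluded range out
                kept.extend(net.address_exclude(ex))
            else:                        # no overlap, keep unchanged
                kept.append(net)
        remaining = kept
    return sorted(remaining)

def audit(entries, gateway_networks):
    """entries: dicts with 'network' and optional space-delimited 'exclude' (hypothetical format)."""
    findings = []
    if len(entries) > MAX_ENTRIES:
        findings.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    gateways = [ipaddress.IPv4Network(g, strict=False) for g in gateway_networks]
    for entry in entries:
        name = entry["network"]
        net = ipaddress.IPv4Network(name, strict=False)
        excludes = entry.get("exclude", "").split()
        for raw in excludes:
            if not ipaddress.IPv4Network(raw, strict=False).subnet_of(net):
                findings.append(f"{name}: exclude {raw} lies outside the network address")
        answered = effective_networks(name, excludes)
        for gw in gateways:
            if any(a.overlaps(gw) for a in answered):
                findings.append(f"{name}: answers ARP inside {gw}, where the firewall is the gateway")
    return findings

# Constructed sample plan (documentation address ranges, not from the page).
SAMPLE_ENTRIES = [
    {"network": "192.0.2.10"},
    {"network": "198.51.100.0/24", "exclude": "198.51.100.0/25"},
    {"network": "203.0.113.0/24", "exclude": "10.0.0.1"},
]
SAMPLE_GATEWAY_NETWORKS = ["198.51.100.0/25", "203.0.113.0/24"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRIES, SAMPLE_GATEWAY_NETWORKS):
        print(finding)
```

In the sample, the second entry passes because its exclude removes exactly the half of the /24 where the firewall is the gateway; the third entry is flagged twice, once for an exclude that has no effect and once for the resulting overlap.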

Create a Proxy ARP Object with a Connection Object

To create a Proxy ARP object within the configuration of a connection object, select the Create Proxy ARP check box. For more information on creating a connection object, see How to Create Connection Objects.

If the Proxy ARP object must exist independently of the connection object, select the Standalone check box in the Proxy ARP configuration window. With the Standalone setting enabled, the Proxy ARP object remains functional even when the referenced connection object is deleted. For more information, read the above section.

