03-14-2011 08:56 AM
I'm pretty new to SRX but I have configured a LOT of different firewalls from different vendors through the years. Compared to other vendors, Juniper's implementation of proxy-ARP is really confusing. To me, Junos's version of proxy-ARP is really static/published ARP and NOT proxy-ARP. I will try to explain what I want to do and hope my terminology is understandable.
To me, proxy-ARP is a function that dynamically "forwards" ARP requests between two interfaces (simplified explanation). I mainly use it to avoid masking subnets so I won't lose IP addresses, and the result is pretty much a transparent firewall on layer 2. I cannot find any way to use proxy-ARP like that in Junos. Is it possible?
Example (using public addresses but think of them as private):
We have a private subnet of addresses, 10.1.1.1/24, that I want to split over several different interfaces, but I don't want to mask the subnet into smaller ones and route them, since I would lose IPs that way, and I don't want to be forced to define the ARP table beforehand with static/published ARP.
Say we have the default route for that subnet on 10.1.1.254 on an interface called Internet, and I have two other interfaces called DMZ1 and DMZ2, and I want all of them to use the private subnet. In every other firewall I've used I would do something like this:
Internet interface: (bound IP address 10.1.1.253/24, default route 10.1.1.254)
DMZ1 interface: (no IP bound) has a client with IP address 10.1.1.1/24
DMZ2 interface: (no IP bound) has a client with IP address 10.1.1.2/24
Both clients on the DMZ interfaces are configured to use 10.1.1.254 as the default route.
I would then tell the firewall/router to proxy-ARP between DMZ1 and Internet, between DMZ2 and Internet, and between DMZ1 and DMZ2.
When a client on DMZ1 wants to reach the default route 10.1.1.254, the firewall/router would then do an ARP broadcast on the Internet interface for 10.1.1.254 and then respond with its own MAC address on the DMZ1 interface, claiming the IP is bound there. The usual port filters between the interfaces (or zones in SRX..) would then be in effect for traffic between the interfaces.
It would also be dynamic: if I attach another client on the same side as the Internet interface with IP 10.1.1.200, that would automatically be proxy-ARPed without needing to define it in the router/firewall with a static/published ARP.
I saw that Junos for EX switches seems to have "real" proxy-ARP functionality called unrestricted/restricted proxy-ARP, but it seems really clumsy and I can't find anything like it on the SRX.
Is there any way to do this or something similar on SRX?
03-14-2011 02:48 PM
My definition of proxy ARP is different from yours. Being a SCO UNIX admin in 1998, I first read about proxy ARP in the SCO paper manual - the online version is here
SRX and JUNOS in general operate in exactly the same way, by replying to ARP requests with their own MAC, not forwarding the ARP requests further, because the uplink may not be Ethernet.
EX also operates in this mode:
When unrestricted proxy ARP is enabled, the switch responds to all ARP requests, providing the switch’s MAC address—even when the destination IP address is the same as the source IP address. Thus, all communications must be sent through the switch and then routed through the switch to the appropriate destination.
The difference is that on SRX one has to specifically configure IP addresses which need to be proxy-ARP-ed whereas on EX there is no need to do that since every ARP request is answered by the EX switch if proxy ARP is configured on EX.
P.S. As a side note, I believe You cannot use your preferred method of "same subnet on multiple interfaces" on Solaris-based Checkpoint 4/Checkpoint NG but I digress...
03-15-2011 12:45 AM
Hi, thx for the feedback.
My terminology seems wrong then, but the problem remains. I don't know if you read my whole post, but I don't really mean I want to "forward" the ARP requests; that was a simplified explanation. A bit further down I write: "the firewall/router would then do an ARP broadcast on the Internet interface for 10.1.1.254 and then respond with its own MAC address on the DMZ1".
A quote from the link you provided: "SCO PPP provides an endpoint configuration parameter called proxy for automatically putting the proxy ARP entries in the ARP mapping table", which describes what I'm trying to accomplish.
This is not possible with Junos on SRX then, since I can't dynamically populate the ARP tables when proxy-ARPing? Is it at all possible to split up a subnet over several interfaces and transparently filter traffic between them on SRX?
I'm currently trying to replace a setup from a different vendor that uses proxy-ARP with dynamically populated ARP tables, where there are several customers sharing a private C-net and they have different addresses (not in order!) of that subnet allotted, and not all of them are under my control. If I have to mask the subnet down into smaller ones I would have to reissue addresses for everyone and possibly even run out of addresses..
03-15-2011 03:17 AM
Have you tried L2 transparent mode on your SRX cluster?
Transparent SRX does not do proxy-ARP though, ARP is passed unchanged/transparently between security zones/interfaces.
03-15-2011 05:07 AM
Ah, yeah I was just trying to find the documentation for transparent mode, thank you for those links, I did not think to check the bridging and switching guide.
There's one issue with transparent mode I can't get my head around:
"In transparent mode, all physical ports on the device are assigned to Layer 2 interfaces. Do not route Layer 3 traffic through the device." and "In this release, you cannot configure a device with both Layer 2 and Layer 3 security zones."
That means the whole SRX would work in layer 2 only and I cannot route traffic at all anymore? I still need to route and NAT traffic for other networks/interfaces in the same SRX...
It seems I can't really set up the SRX to "rip and replace" the old system, so I need to reconsider how to do this.
03-15-2011 05:20 AM - edited 03-15-2011 05:22 AM
You are correct that L2 transparent SRX cannot route traffic, at least in this JUNOS release.
the SRX Series device can function as a Layer 2 switch
You also cannot NAT on L2 transparent SRX
Note: Not all security features are supported in transparent mode: NAT is not supported. IPsec VPN is not supported. Only DNS, FTP, RSTP, and TFTP ALGs are supported. Other ALGs are not supported in this release.
03-15-2011 12:51 PM
Junos Security requires a proxy ARP configuration whenever translated traffic belongs to the same subnet as the ingress interface. This task is not automatic and you must configure it as needed.
When a network device needs to send a packet to a destination IP address using Ethernet, the device sends an ARP request to obtain the L2 MAC address associated with the destination IP address. Once that association is in place, the sending device typically stores this information in memory and subsequently addresses Ethernet frames to the appropriate L2 MAC address. Without proxy ARP, if an interface receives an ARP request for an address other than its own, it ignores the packet. It assumes the packet is meant for another device attached to the same broadcast domain. Using proxy ARP, the interface acts as a proxy for the destination by replying to ARP requests on behalf of the intended destination. Packets destined for the intended destination then travel to the proxying device, which can then forward packets to the actual destination.
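As an added illustration (not posted by anyone in this thread), this Junos fragment shows the explicit, per-address SRX proxy-ARP statement the replies describe, alongside the interface-level unrestricted form on EX, using the addresses from the original post. The interface names ge-0/0/0 and ge-0/0/1 and the zone name are assumptions; the fragment shows the ARP-answering syntax only, not a complete design for the split-subnet setup.

```junos
## Added illustration, not from the thread. SRX answers ARP only for the
## addresses enumerated here, which is the static/published behaviour the
## original poster noticed. Interface and zone names are assumptions.

# Internet-facing interface carrying the firewall's own address (from the post)
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.253/24
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254
set security zones security-zone internet interfaces ge-0/0/0.0

# SRX: reply with the SRX MAC to ARP requests on the Internet side for the
# two DMZ hosts 10.1.1.1 and 10.1.1.2; a new host (10.1.1.200) would need
# its own entry, it is not picked up dynamically
set security nat proxy-arp interface ge-0/0/0.0 address 10.1.1.1/32 to 10.1.1.2/32

# EX contrast: the switch answers every ARP request on this unit with its own MAC
set interfaces ge-0/0/1 unit 0 proxy-arp unrestricted
```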
03-16-2011 02:50 PM
I don't understand exactly what you're asking for. Can you attach a topology?