Screen OS

  • 1.  SSG with PPPoE connection with static IPs, routed to another SSG

    Posted 02-15-2013 03:11

    I've just set up a new PPPoE interface in the Untrust zone, assigned the first static IP from a public /29 range.  This works great and I can MIP/VIP incoming traffic on the additional IPs just fine to devices in the Trust zone.

     

    I now need to route traffic on one of the public IPs to another SSG, so I set up a bgroup instead for the PPPoE connection and bound a couple of interfaces to it: one for the ISP's bridged modem and one for the other SSG.  Outgoing and incoming MIP/VIP traffic still works great, but I cannot get traffic to flow between the two SSGs using their respective public IP addresses.  I've turned off intra-zone traffic blocking on the Untrust zone just in case.

     

    It's clear I'm doing something wrong.  Can anyone help me achieve what I'm after, or at least point me in the right direction?

     

    Both are SSG140s running 6.3.0r13.0 firmware.

     

    Many thanks indeed.



  • 2.  RE: SSG with PPPoE connection with static IPs, routed to another SSG

    Posted 02-15-2013 20:06

    Hi,

     

    How are you testing the reachability between the 2 FWs?

    Can the FWs learn an ARP entry for each other's IP address?

     

    Thanks.

    Hardeep



  • 3.  RE: SSG with PPPoE connection with static IPs, routed to another SSG

    Posted 02-19-2013 08:48

    Hi Hardeep,

     

    Initially just a crude ping.  It seems the first SSG (doing the PPPoE connection) can learn the MAC address of the second SSG but not the other way round.  The second SSG simply shows this in its ARP table:

     

    xxx.xxx.29.41  000000000000       trust-vr/eth0/5    PND     0      2       3

    I've tried a Windows PC in place of the second SSG and the same thing happens: it shows a physical address of 00-00-00-00-00-00 of type 'invalid' in the ARP list.

     

    I've attached the config file of the first SSG if it helps at all.  Very grateful for any assistance.

     

    Many thanks,

    Attachment(s): ssg_pppoe_config.txt (4 KB)


  • 4.  RE: SSG with PPPoE connection with static IPs, routed to another SSG

    Posted 02-20-2013 05:52

    Hi,

     

    This looks a bit strange.
    The second firewall should at least learn the ARP entry.
    As the behaviour is the same even if the second FW is replaced with a computer, it would help if we can run an ARP-related debug on the first FW to see if it gets an ARP request from the second FW or the Windows PC (if it is connected instead of the 2nd FW):

    1. undebug all
    2. clear db
    3. debug arp all
    4. initiate ping from 2nd FW
    5. undebug all
    6. get db st

    Check if you get any ARP request from the 2nd FW.
    If you are using a PC instead of the 2nd firewall, try running Wireshark and see if you can look for ARP activity.

    Hope this helps.

     

    Thanks.
    Hardeep



  • 5.  RE: SSG with PPPoE connection with static IPs, routed to another SSG
    Best Answer

    Posted 02-26-2013 06:48

    Hi Hardeep,

     

    Thanks for your help again, but I think I've found the way to do it.  You basically configure an additional interface with another of your public IP addresses (in the same range as the static IP on the PPPoE interface) but place it in a different zone (I used DMZ), remembering to disable subnet conflicts on the vrouter.  You then create appropriate policies to allow traffic between the Trust and DMZ zones.

     

    This works, but there seem to be some drawbacks (at least to me):

     

    1 - Devices in the DMZ zone can never contact the static IP address on the PPPoE interface

    2 - You end up using up two of your public IPs on the PPPoE device

    3 - Increased policy administration

    4 - It seems like an ugly fudge

     

    It would be much nicer if you could simply add interfaces to the same PPPoE bgroup, but alas it seems that doesn't work.  I was aiming to get rid of a separate ISP-supplied modem and handle it all on my SSGs, but I'm not sure I will now, especially as I won't be gaining an IP in the process.

     

    Thanks for your responses though, much appreciated.

     

    Thanks,

     

    Zinc

     

    EDIT - Another drawback: bandwidth throughput on the DMZ interfaces is much lower.  Using speedtest.net I get 75/15 Mbps (down/up) on my Untrust PPPoE interface but only 42/4.5 Mbps on the DMZ ones.  Back to the ISP modem I think.
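The workaround described in the best answer above, written out as ScreenOS CLI configuration for the first SSG.  This is an added example, not Zinc's attached config: the interface name ethernet0/5, the 203.0.113.0/29 public range, the 192.168.1.0/24 LAN and the address-object names are all assumptions, and the lines beginning with # are annotations rather than ScreenOS syntax.  It goes one step further than the post by permitting only the second SSG's address through the Trust/DMZ policies instead of Any-to-Any.

```text
# Assumed: PPPoE runs on the Untrust bgroup with the first usable address of
# the public /29 (203.0.113.41); the second SSG is cabled to ethernet0/5.
# Put that interface in the DMZ zone with another address from the same /29.
set interface ethernet0/5 zone DMZ
set interface ethernet0/5 ip 203.0.113.42/29

# ScreenOS rejects a second interface whose subnet overlaps the PPPoE
# address unless the virtual router is told to ignore the conflict.
set vrouter trust-vr
set ignore-subnet-conflict
exit

# Address objects: the remote SSG (assumed 203.0.113.43) and the inside LAN,
# so the policies name a single host rather than "Any" in the DMZ.
set address DMZ "ssg2-public" 203.0.113.43 255.255.255.255
set address Trust "inside-lan" 192.168.1.0 255.255.255.0

# Policies in both directions, logged.  Replace ANY with the specific
# services the second SSG really needs once they are known.
set policy from Trust to DMZ "inside-lan" "ssg2-public" ANY permit log
set policy from DMZ to Trust "ssg2-public" "inside-lan" ANY permit log
save
```

After applying it, get interface ethernet0/5 should show the DMZ address as up, get arp should list a resolved (not PND) entry for 203.0.113.43 once the second SSG has been pinged, and get policy confirms that only the two host-scoped rules exist between Trust and DMZ.  The drawbacks Zinc lists still apply: the DMZ hosts cannot reach the PPPoE interface's own address, and a second public IP is consumed on the first SSG.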