Proxy ARP for internal use double packet TTL.

PeterUK
PeterUK Posts: 3,326  Guru Member
100 Answers 2500 Comments Friend Collector Seventh Anniversary
edited April 2021 in Security

So Proxy ARP is for external use but I have a use for it for internal use with WAN 2 IP.

192.168.255.50

255.255.255.240

Proxy ARP

192.168.255.48/28

firewall from WAN to WAN allow rule

I have a PC1(port 18) and PC2 (port 17) connected to a VLAN that sends untagged packets on setup by GS2210-24.

VLAN 13

Port 15 fixed untagged

port 17 forbidden

port 18 fixed tagged

VLAN 14

Port 15 fixed untagged

port 17 fixed tagged

port 18 forbidden

VLAN 15

Port 15 fixed tagged

port 17 fixed untagged

port 18 fixed untagged

PVID 15 port 15

PVID 14 port 17

PVID 13 port 18

Port 15 to WAN 2 port ZyWALL 110.for proxy arp with PC1 and PC2 can not arp each other so that the WAN of the proxy arp replies to each PC that PC1 to go to PC2 is at WAN 2 MAC ZyWALL 110.and PC2 to go to PC1 is at WAN 2 MAC ZyWALL 110.

So this all works but there are issues with it seeing double packet which is odd to explain but have Wireshark it to show whats going on by ICMP.

Comments

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 2018

    Proxy ARP only seems to work with this setup but there are issues with the VLAN setup I posted and there are connection time outs and if you look at Wireshark PC1 and PC2 you see double packet which means port based VLAN has to be used and PC1 and PC2 does not show double packet when using a port based VLAN setup.

    Wireshark from ZyWALL 110

    PC1

    PC2

    PC1timeout


  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @PeterUK

    Per our discussion in forum, The double packets is coming from USG forwards packets to correct destination.

    So that’s why you will see double packets exist in your environment,

    Here is the packets from USG WAN interface:


    No.24 packet, ICMP request from 192.168.255.55 to 192.168.255.53.
    Source MAC is xx:xx:xx:xx:3d:36, Destination MAC is: ZyWALL.
    (Due to proxy ARP reason, so destination MAC is replaced as ZyWALL)

    No.25 packet, ICMP request from 192.168.255.55 to 192.168.255.53.
    Souce MAC is ZyWALL, Destination MAC is xx:xx:xx:xx:1b:e7
    (ZyWALL forwarding request to PC#2, so replaced source MAC address, TTL=63)

    No.28 packet, ICMP reply from 192.168.255.53 to 192.168.255.55.
    Souce MAC is xx:xx:xx:xx:1b:e7, Destination MAC is ZyWALL.
    (Due to proxy ARP reason, so destination MAC is replaced as ZyWALL)

    No.30 packet, ICMP reply from 192.168.255.53 to 192.168.255.55.
    Source MAC is ZyWALL, Destination MAC is xx:xx:xx:xx:3d:36.
    (ZyWALL forwarding reply to PC#1, so replaced source MAC address, TTL=63)

    The proxy ARP function will help to forwarding the packets again, so TTL will became 63. And that's why it has double ICMP request and reply in packet capture.


Security Highlight