Proxy ARP for internal use double packet TTL.
So Proxy ARP is for external use but I have a use for it for internal use with WAN 2 IP.
192.168.255.50
255.255.255.240
Proxy ARP
192.168.255.48/28
firewall from WAN to WAN allow rule
I have a PC1 (port 18) and PC2 (port 17) connected to a VLAN that sends untagged packets on setup by GS2210-24.
VLAN 13
Port 15 fixed untagged
port 17 forbidden
port 18 fixed tagged
VLAN 14
Port 15 fixed untagged
port 17 fixed tagged
port 18 forbidden
VLAN 15
Port 15 fixed tagged
port 17 fixed untagged
port 18 fixed untagged
PVID 15 port 15
PVID 14 port 17
PVID 13 port 18
Port 15 to WAN 2 port ZyWALL 110.
For proxy ARP with PC1 and PC2, they can not ARP each other so that the WAN of the proxy ARP replies to each PC that PC1 to go to PC2 is at WAN 2 MAC ZyWALL 110 and PC2 to go to PC1 is at WAN 2 MAC ZyWALL 110.
So this all works, but there are issues with it seeing double packets, which is odd to explain, but I have Wiresharked it to show what's going on by ICMP.
Comments
-
Proxy ARP only seems to work with this setup, but there are issues with the VLAN setup I posted and there are connection timeouts. If you look at Wireshark on PC1 and PC2 you see double packets, which means port-based VLAN has to be used, and PC1 and PC2 do not show double packets when using a port-based VLAN setup.
Wireshark from ZyWALL 110
PC1
PC2
PC1 timeout
0 -
Hi @PeterUK
Per our discussion in the forum, the double packets come from the USG forwarding packets to the correct destination.
So that's why you will see double packets in your environment.
Here are the packets from the USG WAN interface:
No.24 packet, ICMP request from 192.168.255.55 to 192.168.255.53.
Source MAC is xx:xx:xx:xx:3d:36, Destination MAC is: ZyWALL.
(Due to proxy ARP reason, so destination MAC is replaced as ZyWALL)
No.25 packet, ICMP request from 192.168.255.55 to 192.168.255.53.
Source MAC is ZyWALL, Destination MAC is xx:xx:xx:xx:1b:e7
(ZyWALL forwarding request to PC#2, so replaced source MAC address, TTL=63)
No.28 packet, ICMP reply from 192.168.255.53 to 192.168.255.55.
Source MAC is xx:xx:xx:xx:1b:e7, Destination MAC is ZyWALL.
(Due to proxy ARP reason, so destination MAC is replaced as ZyWALL)
No.30 packet, ICMP reply from 192.168.255.53 to 192.168.255.55.
Source MAC is ZyWALL, Destination MAC is xx:xx:xx:xx:3d:36.
(ZyWALL forwarding reply to PC#1, so replaced source MAC address, TTL=63)
The proxy ARP function will help to forward the packets again, so TTL will become 63. And that's why it has double ICMP request and reply in packet capture.
0
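The check below is an added example, not part of either post: it groups captured ICMP frames by IP pair, type, identifier and sequence number, then tells a copy forwarded by the proxy ARP device (MAC rewritten, TTL one lower, as in packets No.24/25 and No.28/30 above) apart from a frame that was simply seen twice. The MAC addresses, ICMP id/seq values and the starting TTL of 64 are constructed assumptions.

```python
from collections import defaultdict, namedtuple

# Constructed sample frames modelled on packets No.24/25/28/30 described above.
# MAC addresses are placeholders; the initial TTL of 64 is an assumption.
Frame = namedtuple("Frame", "no src_mac dst_mac src_ip dst_ip icmp_type ident seq ttl")
ZYWALL = "02:00:00:00:00:01"   # placeholder for the ZyWALL WAN 2 MAC
PC1 = "02:00:00:00:3d:36"      # placeholder MACs for the two PCs
PC2 = "02:00:00:00:1b:e7"
SAMPLE = [
    Frame(24, PC1, ZYWALL, "192.168.255.55", "192.168.255.53", 8, 1, 7, 64),
    Frame(25, ZYWALL, PC2, "192.168.255.55", "192.168.255.53", 8, 1, 7, 63),
    Frame(28, PC2, ZYWALL, "192.168.255.53", "192.168.255.55", 0, 1, 7, 64),
    Frame(30, ZYWALL, PC1, "192.168.255.53", "192.168.255.55", 0, 1, 7, 63),
    # Constructed counter-example: the same frame captured twice, nothing rewritten.
    Frame(40, PC1, ZYWALL, "192.168.255.55", "192.168.255.53", 8, 1, 8, 64),
    Frame(41, PC1, ZYWALL, "192.168.255.55", "192.168.255.53", 8, 1, 8, 64),
]

def classify(first, second, router_mac):
    """Label the second sighting of an ICMP message relative to the first."""
    if (first.dst_mac == router_mac and second.src_mac == router_mac
            and second.ttl == first.ttl - 1):
        return "routed-copy"        # one hop through the proxy ARP device
    if (first.src_mac, first.dst_mac, first.ttl) == (
            second.src_mac, second.dst_mac, second.ttl):
        return "true-duplicate"     # identical frame seen twice, no router hop
    return "unexplained"

def explain_duplicates(frames, router_mac):
    """Group frames by ICMP identity and classify each repeat sighting."""
    groups = defaultdict(list)
    for f in frames:
        key = (f.src_ip, f.dst_ip, f.icmp_type, f.ident, f.seq)
        groups[key].append(f)
    results = []
    for seen in groups.values():
        for first, second in zip(seen, seen[1:]):
            results.append((first.no, second.no,
                            classify(first, second, router_mac)))
    return sorted(results)

if __name__ == "__main__":
    for a, b, verdict in explain_duplicates(SAMPLE, ZYWALL):
        print(f"No.{a} / No.{b}: {verdict}")
```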