Proxy ARP option on USG to work like L3 switch

PeterUK
PeterUK Posts: 4,080 Guru Member

This was tested on my VPN300 but likely holds true for current models

The following setup works on my XS1930-10

XS1930-10 interface IP 192.168.255.233 / 255.255.255.192

Two clients
IP 192.168.255.193
subnet 255.255.255.255
gateway 192.168.255.233

IP 192.168.255.194
subnet 255.255.255.255
gateway 192.168.255.233

As the subnet mask of the clients is 255.255.255.255, they can only ARP to the gateway, never to each other, but due to the XS1930-10, when you ping 192.168.255.194 from 192.168.255.193 it works.

On the VPN300 with interface general 192.168.255.247 / 255.255.255.192 and proxy ARP 192.168.255.193-192.168.255.194:

Two clients
IP 192.168.255.193
subnet 255.255.255.255
gateway 192.168.255.247

IP 192.168.255.194
subnet 255.255.255.255
gateway 192.168.255.247

When the clients try to ping each other they go to the VPN300 gateway, but the proxy ARP does not work the same way as on the L3 switch.


Comments

  • Zyxel_Tina
    Zyxel_Tina Posts: 268 Master Member

    Hi @PeterUK,

    Thank you for sharing this idea and for providing such a detailed test scenario.
    We understand your point — on the XS1930 L3 switch the gateway interface can handle the ARP and forwarding in a way that allows two clients to communicate, while the VPN300 with proxy ARP does not behave in the same way.

    We really appreciate your input and the time you spent testing this behavior.

    However, since the VPN300 has already reached End of Life, we are unable to make changes or add new features on this model.

    Zyxel Tina

  • PeterUK
    PeterUK Posts: 4,080 Guru Member

    Yes, I know the VPN is EOL, but the idea is for current models.

    The idea would work if the DHCP server gave out subnet 255.255.255.255 to the clients; this would then force the clients to go to the gateway only, and to connect to each other, and you could then firewall/BWM between clients with a LAN to LAN setting.
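As an added illustration (not code from this thread, from Zyxel, or from either device's firmware), a small Python model of the /32-mask idea: the client's next-hop decision, a simplified proxy ARP reply rule, and the hairpin through the gateway where a LAN-to-LAN firewall/BWM policy would get to inspect the flow. The addresses mirror the VPN300 test above; the proxy ARP and forwarding rules are simplified assumptions, not the actual firmware logic.

```python
from ipaddress import IPv4Address, IPv4Interface

# Constructed sample values mirroring the thread's VPN300 scenario (assumptions)
GATEWAY_CIDR = "192.168.255.247/26"                       # LAN interface, /26
PROXY_ARP_RANGE = ("192.168.255.193", "192.168.255.194")  # proxy ARP start-end


def client_next_hop(client_cidr: str, gateway_ip: str, dst: str) -> str:
    """Host-side routing decision: an on-link destination is ARPed for directly;
    anything else goes to the default gateway, which the host ARPs for instead.
    With a /32 mask the on-link set is the host itself, so every peer goes via the gateway."""
    client, target = IPv4Interface(client_cidr), IPv4Address(dst)
    if target != client.ip and target in client.network:
        return dst
    return gateway_ip


def gateway_answers_arp(gateway_cidr: str, proxy_range, target: str) -> bool:
    """Simplified proxy ARP rule (assumption): the gateway replies with its own MAC
    for its interface address and for any target inside the configured range."""
    lo, hi = (IPv4Address(a) for a in proxy_range)
    t = IPv4Address(target)
    return t == IPv4Interface(gateway_cidr).ip or lo <= t <= hi


def forwarding_path(client_cidr: str, gateway_cidr: str, proxy_range, dst: str) -> dict:
    """Trace one client-to-client packet: the hops it takes and whether the gateway's
    LAN-to-LAN firewall/BWM policy ever gets to inspect it."""
    gateway = IPv4Interface(gateway_cidr)
    src = str(IPv4Interface(client_cidr).ip)
    hop = client_next_hop(client_cidr, str(gateway.ip), dst)
    if hop == dst:
        # Normal /26 mask: the frame goes straight to the peer's MAC, bypassing the firewall.
        return {"hops": [src, dst], "policy_applied": False}
    if not gateway_answers_arp(gateway_cidr, proxy_range, hop):
        return {"hops": [src], "policy_applied": False, "error": "next hop unresolvable"}
    # The gateway owns the frame. dst sits inside its own connected /26, so the
    # L3-switch-like behaviour wanted here is a hairpin back out the same interface.
    last = dst if IPv4Address(dst) in gateway.network else "upstream"
    return {"hops": [src, str(gateway.ip), last], "policy_applied": True}


if __name__ == "__main__":
    for mask in ("32", "26"):
        print(mask, forwarding_path(f"192.168.255.193/{mask}", GATEWAY_CIDR, PROXY_ARP_RANGE, "192.168.255.194"))
```

Running it shows the /32 client's ping to its neighbour hairpinning through 192.168.255.247 with the policy applied, while the same client with the normal /26 mask reaches the neighbour directly and the firewall never sees the flow.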