ENPAQ Unified Gateway Transparent Firewall

Introduction

This document explains the concept of a transparent firewall and provides the required configurations for setting up the ENPAQ as a transparent firewall.

Introducing a firewall into a network usually involves changing the network IP addresses, reconfiguring the client machines to point to the correct network gateway and so on.

Introducing a new firewall

A transparent firewall configuration is useful when such a network reconfiguration is not possible, or when only a gateway Anti-Virus/Anti-Spam or Web Proxy is required. In such a situation, the firewall should support features like Proxy ARP, disabling NAT functions, policy changes on packet forwarding and the ability to firewall connections between these interfaces.

Proxy ARP is the technique in which one host, usually a firewall, answers ARP requests intended for another machine. Faking its identity, the firewall accepts responsibility for routing packets to the "real" destination. Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway.

The ENPAQ Unified Gateway supports these functions and can serve as a transparent firewall, with minimal effort.

Scenario 1 – Transparent firewall for entire LAN

In this scenario, the ENPAQ is used as a transparent firewall for an entire subnet – this is equivalent to a global enable of Proxy ARP on the physical interface.

ENPAQ as a transparent firewall

This scenario is typically seen in a large MPLS network where there is a need for a firewall at each location to restrict usage of the MPLS network. For example, in a non-firewalled MPLS network, the chance of a virus outbreak spreading across the organization is very high. When such a firewall is introduced into the network, changing the IP addresses of the LAN would require a global change of routing rules across the network – a change that no network administrator is likely to agree to.

With the setup as in the figure above, there are just three steps involved in this configuration:

  • Enable Proxy ARP on the WAN interface
  • Disable NAT on the WAN interface
  • Enable firewall policy to accept connections from WAN to LAN

For example, assume that the Leased Line (LL) router's LAN side interface IP address is 192.168.1.1/24 and the LAN hosts are in the same subnet. The LAN hosts use the LL router as their gateway.

The LAN interface on the ENPAQ is configured with a free IP in the subnet, say 192.168.1.2/24. Since this is a transparent setup, the WAN interface on the ENPAQ will have the same IP address, but with a different mask – 192.168.1.2/32.

On the WAN interface of the ENPAQ, Proxy ARP is enabled. This enables the ENPAQ to respond to ARP requests from the WAN side and proxy them for the LAN clients. When the LAN hosts perform an ARP request for their gateway’s MAC address (the LL router), the ENPAQ acts as a proxy for this address.

Enabling Proxy ARP

Additionally, in the setup for the WAN interface, address translation (NAT) has to be turned off.

Disabling NAT

The firewall policy has to be set up to accept connections from the WAN to the LAN. This completes the setup for the transparent firewall.

Firewall policy accept

Turn on Proxy ARP on the LAN interface, as shown below.

LAN interface
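As an added illustration (not ENPAQ's own configuration, which is done through the screens above), the same three steps expressed on a generic Linux router with iproute2, sysctl and iptables; the interface names eth0 (LAN) and eth1 (WAN) are assumptions, and the addresses are the ones used in the text.

```shell
#!/bin/sh
# Added example: Scenario 1 on a generic Linux router (assumed eth0 = LAN, eth1 = WAN).
# Addresses follow the text: LL router 192.168.1.1/24, ENPAQ 192.168.1.2.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 applies them as root.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
FW_IP=192.168.1.2
LAN_NET=192.168.1.0/24
LL_ROUTER=192.168.1.1
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

configure_transparent_fw() {
    # Same IP on both sides: /24 on the LAN, /32 on the WAN (no second subnet).
    run ip addr add "$FW_IP/24" dev "$LAN_IF"
    run ip addr add "$FW_IP/32" dev "$WAN_IF"
    # The LL router sits inside the LAN prefix but must be reached through the
    # WAN port, hence the more specific host route before the default route.
    run ip route add "$LL_ROUTER/32" dev "$WAN_IF"
    run ip route add default via "$LL_ROUTER" dev "$WAN_IF"
    run sysctl -w net.ipv4.ip_forward=1
    # Step 1: Proxy ARP on the WAN (and, as in the last screen, on the LAN side).
    # Linux only answers when the target routes out a different interface, so the
    # WAN side answers for the LAN hosts and the LAN side answers for the LL router.
    run sysctl -w "net.ipv4.conf.$WAN_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$LAN_IF.proxy_arp=1"
    # Step 2: no NAT on the WAN, so no MASQUERADE/SNAT rule may remain.
    run iptables -t nat -F POSTROUTING
    # Step 3: stateful forwarding policy between WAN and LAN, default deny.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
}

configure_transparent_fw
```

The WAN-to-LAN accept rule is deliberately scoped to the LAN prefix; tighten it to the services that actually need reaching once the box is in place.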

The interesting part of the transparent firewall setup is that packet filtering can be turned on for connections between WAN and LAN hosts. For example, a web proxy or email proxy can be enabled on the ENPAQ.

In this scenario, with the gateway of the LAN hosts set to the LL router, the ENPAQ acts as a transparent firewall. This setup cannot perform load balancing and failover functions, but QoS can be enabled.

If the LAN hosts use the ENPAQ as their gateway (192.168.1.2) instead, these networking functions can be utilised.

Scenario 2 – Transparent firewall for specific LAN hosts

Very often, a firewall needs to be configured only for specific hosts in a network. An example is a set of servers in a LAN which are assigned public IPs but need a firewall to prevent unauthorised access and break-ins. In this scenario, it is not useful to have the entire subnet or interface participate in the proxy ARP.

The ISP has assigned a block of public IP addresses to the link. These IP addresses are configured, using the IP Alias function, on the WAN interface of the ENPAQ.

Proxy for specific hosts

A server in the LAN is configured with one of these public IP addresses and is required to be accessed directly from the Internet. Also, outgoing connections from this server should not be NAT-ed.

To enable this scenario, the firewall in the ENPAQ supports proxy ARP for specific hosts.


Enable proxy ARP for specific hosts

Finally, NAT for outgoing connections from this server has to be disabled.

Disable NAT for specific IPs
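Added for illustration, and again not the ENPAQ's own configuration: the per-host variant of Scenario 2 on a generic Linux router. Interface names and all public addresses (203.0.113.0/28 from the documentation range, firewall alias .2, server .10, ISP router .1) are constructed; the server is assumed to use the firewall's alias as its gateway, which Linux answers ARP for on the LAN side by default.

```shell
#!/bin/sh
# Added example: Scenario 2 on a generic Linux router (assumed eth0 = LAN, eth1 = WAN).
# Constructed addresses: ISP block 203.0.113.0/28, ISP router 203.0.113.1,
# firewall alias 203.0.113.2, LAN server 203.0.113.10. The private LAN
# 192.168.1.0/24 keeps using NAT. DRY_RUN=1 (default) only prints the commands.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
ISP_ROUTER=203.0.113.1
FW_ALIAS=203.0.113.2/28
SERVER_IP=203.0.113.10
PRIV_NET=192.168.1.0/24
SERVER_PORTS=${SERVER_PORTS:-"443"}   # constructed; the page names no ports
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

configure_host_proxy_arp() {
    run ip addr add 192.168.1.2/24 dev "$LAN_IF"
    run ip addr add "$FW_ALIAS" dev "$WAN_IF"          # IP alias from the ISP block
    run ip route add default via "$ISP_ROUTER" dev "$WAN_IF"
    run sysctl -w net.ipv4.ip_forward=1
    # The server keeps its public IP on the LAN side: the /32 host route beats
    # the connected /28 on the WAN, and a per-host proxy entry answers ARP for
    # it on the WAN only. Interface-wide proxy_arp stays off.
    run ip route add "$SERVER_IP/32" dev "$LAN_IF"
    run ip neigh add proxy "$SERVER_IP" dev "$WAN_IF"
    # NAT: exempt the server first (rule order matters), then masquerade the LAN.
    run iptables -t nat -A POSTROUTING -s "$SERVER_IP" -o "$WAN_IF" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$PRIV_NET" -o "$WAN_IF" -j MASQUERADE
    # Filter: only the published ports may open new connections to the server.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    for p in $SERVER_PORTS; do
        run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$SERVER_IP" \
            -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
}

configure_host_proxy_arp
```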

Conclusion

The ENPAQ supports advanced networking functions that are useful for different kinds of network setup. The Elina network engineering team is available to partners and customers for assistance with network design and setup.

© 2009 by ELINA Networks. All visual media © by ELINA Networks. All Rights Reserved.