Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure Layer 3 Bridging


Layer 3 bridging is best used for client and server groups that include just a few clients that usually communicate with machines in their group. The bridge consists of two proxy ARPs and a firewall rule to pass traffic back and forth. If you want to bridge multiple clients, use a routed transparent Layer 2 bridge instead.

  • All network traffic is delivered using Layer 3 (routing) lookups.
  • All bridged network nodes must be entered into the configuration.
  • Bridging is NOT Layer 2 transparent; the source MAC is not propagated in connection requests.
  • Traffic between routed and bridged destinations is forwarded.
  • Bridged network nodes may (if allowed) locally communicate with the interface. 

A typical use case for Layer 3 bridging is a single PC that must be separated from the other clients and protected by the firewall. The PC that is to be singled out is placed in its own small network (e.g., 10.0.8.160/29), and the firewall acts as a non-transparent translational bridge between the 10.0.8.0/24 and the 10.0.8.160/29 networks. The Barracuda CloudGen Firewall answers all ARP requests that are transmitted between the two networks.

(Figure: fw_layer3_bridge.png)

Before You Begin

Assign an IP address to each network interface of the CloudGen Firewall that you want to use for the bridge. (CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties).

Make sure that these IP addresses are introduced on the box as Additional IP or in the routing table.

Step 1. Create a Network Object for the Client PC

Create a network object for the clients that should be bridged:

  1. Go to CONFIGURATION  > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Create a network object for the clients that must be bridged.
  4. In the IP/Ref table, add the IP address of the client:
    (Figure: FW_Layer3Bridge_01.png)
  5. In the Bridging Parameters window, edit the following settings:
    • Interface Addresses Reside - Enter the network interface that points to the bridged clients. For example, enter eth1.
    • Parent Network - Enter the parent network address. E.g., 10.0.8.0/24
    • Select the Introduce Routes and Restrict PARP to Parent Network check boxes.
      (Figure: parp.png)
  6. Click OK.
  7. Click Send Changes and Activate.

You now have a network object for the client that you can use when creating the layer 3 bridge.

Step 2. Create Proxy ARP Objects

To make sure that ARP requests are answered on the interface for the new network, create a proxy ARP object for the bridging parent network and bridged clients.

  1. Go to CONFIGURATION  > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Create a proxy ARP object for the bridging parent network. E.g., 10.0.8.0/24

    (Figure: FW_Layer3Bridge_02.png)

  4. Create a proxy ARP object for the bridged client. E.g., 10.0.8.162. Optionally, restrict the source IP addresses of the proxy ARP object to the bridging parent network.

    (Figure: FW_Layer3Bridge_03.png)

  5. Click Send Changes and Activate.

Step 3. Create Access Rules for Layer 3 Bridging

To allow network traffic to pass between the bridged interfaces, create a Pass and a Broad-Multicast access rule for every bridged interface group.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Create a pass access rule with the following settings:
    • Action – Select Pass.
    • Bi-Directional – Select the check box.
    • Source – Select Any (0.0.0.0/0).
    • Service – Select Any.
    • Destination – Select a network object containing all networks or IP addresses for the bridged interfaces. E.g., 10.0.8.0/24
    • Connection Method – Select Original Source IP.
  4. Create a Broad–Multicast access rule with the following settings:
    • Action – Select Broad-Multicast.
    • Source – Select a network object containing all networks or IP addresses for the bridged interfaces. E.g., 10.0.8.0/24
    • Service – Select Any.
    • Connection Method – Select Original Source IP.
    • Destination – Enter the destination networks/IP addresses. E.g., 10.0.8.255

      To use a DHCP server over the bridge, also add 0.0.0.0 to the source and 255.255.255.255 to the destination IP addresses.

    • Broad Multicast - Propagation List – Enter the propagation interface or IP address(es). E.g., eth0,eth1:10.0.8.167

  5. Rearrange the order of the access rules so the new rules can match incoming traffic.
  6. Click Send Changes and Activate.
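As an added example, not part of the Barracuda documentation: a small Python model of the addressing checks and the proxy ARP answering decisions that Steps 1 to 3 configure. It uses the page's example addresses (10.0.8.0/24 parent network, 10.0.8.160/29 bridged subnet, client 10.0.8.162) and assumes that eth0 faces the parent network and eth1 faces the bridged client. The names ProxyArpObject, answers_arp and validate_bridge_addressing are the example's own, and the rule that the box never proxies for a host on the segment a request arrived on is a modelling assumption, not a documented CloudGen behaviour.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Addressing from the page's example. Assumed interface naming: eth0 faces the
# parent network, eth1 faces the bridged client subnet.
PARENT_NET = ip_network("10.0.8.0/24")
BRIDGED_NET = ip_network("10.0.8.160/29")
CLIENT_IP = ip_address("10.0.8.162")

# Constructed model of what is directly connected on each interface. Because the
# bridged /29 is routed via eth1 ("Introduce Routes"), it is carved out of the
# /24 that is local on eth0.
CONNECTED = {
    "eth0": tuple(PARENT_NET.address_exclude(BRIDGED_NET)),
    "eth1": (BRIDGED_NET,),
}


@dataclass(frozen=True)
class ProxyArpObject:
    name: str
    targets: IPv4Network                        # addresses the box answers ARP for
    interface: str                              # interface the requests arrive on
    source_restriction: Optional[IPv4Network] = None  # answer only requesters in this net


# Step 2 modelled: one object for the parent network, answered towards the
# bridged client, and one for the bridged client, answered towards the parent
# network and restricted to requesters inside the parent network.
PROXY_ARP_OBJECTS: Tuple[ProxyArpObject, ...] = (
    ProxyArpObject("parent-net", PARENT_NET, "eth1"),
    ProxyArpObject("bridged-client", ip_network(f"{CLIENT_IP}/32"), "eth0", PARENT_NET),
)


def validate_bridge_addressing(parent: IPv4Network, bridged: IPv4Network,
                               client: IPv4Address) -> IPv4Address:
    """Check the bridge layout and return the bridged subnet's broadcast address,
    which is the address used in the Broad-Multicast propagation list (eth1:...)."""
    if not bridged.subnet_of(parent):
        raise ValueError(f"{bridged} is not inside parent network {parent}")
    if client not in bridged:
        raise ValueError(f"client {client} is not inside {bridged}")
    if client in (bridged.network_address, bridged.broadcast_address):
        raise ValueError(f"client {client} is the network or broadcast address of {bridged}")
    return bridged.broadcast_address


def answers_arp(iface: str, sender: str, target: str,
                objects=PROXY_ARP_OBJECTS, connected=CONNECTED) -> Optional[str]:
    """Return the name of the proxy ARP object that makes the box answer an ARP
    request for `target`, received from `sender` on `iface`, or None if it stays
    silent."""
    sender_ip = ip_address(sender)
    target_ip = ip_address(target)
    # Modelling assumption: never proxy for a host on the segment the request
    # came in on; answering there would pull local traffic through the box.
    if any(target_ip in net for net in connected.get(iface, ())):
        return None
    for obj in objects:
        if obj.interface != iface or target_ip not in obj.targets:
            continue
        if obj.source_restriction is not None and sender_ip not in obj.source_restriction:
            continue
        return obj.name
    return None


if __name__ == "__main__":
    print("propagation address:", validate_bridge_addressing(PARENT_NET, BRIDGED_NET, CLIENT_IP))
    # Constructed ARP requests: (interface, sender, target)
    for req in [("eth0", "10.0.8.10", "10.0.8.162"),   # parent host looks for the client
                ("eth1", "10.0.8.162", "10.0.8.10"),   # client looks for a parent host
                ("eth1", "10.0.8.162", "10.0.8.161"),  # client looks for a local neighbour
                ("eth0", "192.168.1.5", "10.0.8.162"), # requester outside the parent net
                ("eth0", "10.0.8.10", "10.0.8.20")]:   # two parent hosts, not bridged
        print(req, "->", answers_arp(*req))
```

The two objects map directly onto the page's Step 2: the parent-network object is what lets the singled-out PC reach 10.0.8.0/24 hosts via eth1, and the source restriction on the client object is the optional "restrict to the bridging parent network" setting, which keeps the box from answering for the client to requesters that are not in 10.0.8.0/24.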

You can now use the separated PC as if it were on the same network with the exception that the MAC address of the PC will be replaced by the MAC of the CloudGen Firewall when traversing the bridge.