You can configure the Barracuda CloudGen Firewall to answer ARP requests on behalf of a remote interface. It can then accept packets and correctly forward packets to the remote host. Proxy ARPs can be treated like additional IP addresses that the firewall responds to when it receives an ARP request. If proxy ARP addresses are in the same address space as the source of a connection request, use them for redirecting and mapping in firewall rule sets. You can also use proxy ARP objects for bridging.
You can create a Proxy ARP object as a standalone object or in combination with a connection object. However, the proxy ARP object is then dependent on the connection object; if the connection object is deleted, the proxy ARP object is also deleted.
Create a Proxy ARP Object
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
- In the left menu, expand the Firewall Objects section and click Proxy ARPs.
- Click Lock.
- Right-click the main pane and select New.
In the Edit/Create a Proxy ARP Object window, configure the settings for your proxy ARP object:
Network Address – Enter a single IP address or a complete network.
- Standalone – To let the proxy ARP object exist without a referring object (such as a connection object), select this check box. Otherwise, the proxy ARP object is deleted if the referring object is deleted. The Standalone setting is enabled by default.
Primary Network Interface – Interface that is used when responding to an ARP request. You can either enter a specific network interface (e.g., eth1), or select one of the following options:
- match (default) – ARP requests are answered via the interface that hosts the network.
- any – ARP requests are answered via any interface.
- Additional Interfaces – Additional interfaces that are used when responding to ARP requests. Only enter interfaces that do not conflict with the primary network interface. You can enter a space-delimited list of interfaces.
- Exclude Networks – Network addresses that sare from the network entered in the Network Address field. Enter a space-delimited list of addresses to exclude multiple IP networks.
- Source Address Restriction – Network addresses that must be used as the source IP address when responding to ARP requests. Enter a space-delimited list of source addresses.
- Introduce Route on Interface – Read-only field that displays the bridging interface route when using the proxy ARP for bridging. For more information, see Bridging.
Send Unsolicited ARP – To configure the firewall to propagate specified IP addresses through ARPs, select this check box. The Send Unsolicited ARP setting is enabled by default.
- Click Send Changes and Activate.