How to add NATs and ARPs on Gaia with VRRP
Add NAT rules
Step 1 - Add automatic or manual static NATs in the ruleset as normal.
Configuring proxy ARP
Automatic ARP is not compatible with firewalls that use VRRP for HA. Automatic ARP is meant for CPHA (ClusterXL) or standalone firewalls: it publishes unicast MACs, whereas VRRP operates with multicast MACs.
Step 2 - Disable Automatic ARP in your policy (Global Properties > NAT) if it isn't already disabled.
Step 3 - Set up manual proxy ARPs for all your NAT IPs, using the VRRP MAC for each of them.
Configure manual proxy ARPs on Gaia by adding one entry per NAT IP to the file /etc/fw/conf/local.arp,
where the entry format is
nat_ip vrrp_mac firewall_unicast_interface_ip
Example entry:
192.168.100.100 00:00:5e:00:01:0A 192.168.100.1
The proxy ARP takes effect on the next policy installation.
Determining your firewall's VRRP MAC
[Expert@mygaiafw]# clish -c "show vrrp interfaces" | grep -m 1 VMAC
VMAC Mode: VRRP VMAC: 00:00:5e:00:01:0a
So 00:00:5e:00:01:0a is the VRRP MAC, or VMAC. It is determined by the formula:
VMAC = 00:00:5e:00:01:XX, where XX is your VRRP VRID as two hex digits
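The following is an added example, not part of the original page and not Check Point's own tooling: a small POSIX shell helper that derives the VMAC from a VRID with the formula above, emits a local.arp line in the nat_ip vrrp_mac firewall_unicast_interface_ip format, and checks an existing local.arp file so that a stray unicast interface MAC (the mistake Automatic ARP makes on a VRRP firewall) is caught before policy installation. The VRID range 1-255 and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page): derive the VRRP VMAC from a VRID
# and build/validate /etc/fw/conf/local.arp entries in the
# "nat_ip vrrp_mac firewall_unicast_interface_ip" format.
# Assumption: VRID is a decimal value 1-255 (VRRP VRID range).

# Print the VRRP virtual MAC for a VRID: 00:00:5e:00:01:XX, XX = VRID in hex.
vrrp_vmac() {
    vrid="$1"
    case "$vrid" in
        ''|*[!0-9]*) echo "vrid must be a decimal number" >&2; return 1 ;;
    esac
    if [ "$vrid" -lt 1 ] || [ "$vrid" -gt 255 ]; then
        echo "vrid must be 1-255" >&2; return 1
    fi
    printf '00:00:5e:00:01:%02x\n' "$vrid"
}

# Build one local.arp line: nat_ip vrrp_mac firewall_unicast_interface_ip
# Usage: local_arp_entry NAT_IP VRID INTERFACE_IP
local_arp_entry() {
    vmac=$(vrrp_vmac "$2") || return 1
    printf '%s %s %s\n' "$1" "$vmac" "$3"
}

# Validate a local.arp file: every non-blank, non-comment line must have
# exactly three fields and a MAC inside the VRRP VMAC range. A MAC outside
# that range is almost always an interface's unicast MAC, which is exactly
# what must not be published on a VRRP firewall. Returns 1 on any bad line.
validate_local_arp() {
    file="$1"
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|\#*) continue ;; esac
        set -- $line
        if [ "$#" -ne 3 ]; then
            echo "line $n: expected 3 fields, got $#" >&2; rc=1; continue
        fi
        if ! printf '%s\n' "$2" | grep -Eiq '^00:00:5e:00:01:[0-9a-f]{2}$'; then
            echo "line $n: $2 is not a VRRP VMAC (unicast interface MAC?)" >&2; rc=1
        fi
    done < "$file"
    return $rc
}

# Demonstration with the page's example values: NAT IP 192.168.100.100,
# VRID 10 (hex 0a, matching the VMAC shown above), interface IP 192.168.100.1.
local_arp_entry 192.168.100.100 10 192.168.100.1
```

Run validate_local_arp against /etc/fw/conf/local.arp before installing policy; it reports the offending line numbers on stderr and exits non-zero, so it can sit in a pre-install check. The script only prints entries and never writes the file itself.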
Verifying proxy ARPs
To confirm the firewall is publishing the newly added proxy ARP, run
# fw ctl arp
You should see the new entry in the output.