sagha
Staff
Article Id 192170
Description
This article describes why, when a VIP is configured on an EMAC-VLAN interface, FortiGate answers ARP requests with the parent interface's MAC address instead of the EMAC-VLAN interface's MAC address.

Explanation

Consider an example where traffic is generated as follows:

Source IP address: 192.168.1.20
Destination IP address: 192.168.1.30

FortiGate has the following EMAC-VLAN configured:
# config system interface
    edit "emac-FGT"
        set vdom "root"
        set ip 192.168.1.30 255.255.255.0
        set allowaccess ping https ssh http
        set type emac-vlan
        set snmp-index 13
        set interface "Uplink"
    next
end
A VIP is also configured whose external IP is the same as the IP of the EMAC-VLAN interface:
# config firewall vip
    edit "VIP-192.168.1.30_rdp"
        set extip 192.168.1.30
        set extintf "any"
        set portforward enable
        set mappedip "192.168.10.2"
        set extport 3389
        set mappedport 3389
    next
end
When traffic is initiated from source IP 192.168.1.20 to 192.168.1.30 for SSH access, FortiGate responds with the MAC address of the parent interface "Uplink":

Uplink in arp who-has 192.168.1.30 tell 198.51.100.3
Uplink out arp reply 192.168.1.30 is-at c:2:5:50:e4:0              <----- Different MAC address.
port1 out arp reply 192.168.1.30 is-at c:2:5:50:e4:0

emac-FGT in arp who-has 192.168.1.30 tell 198.51.100.3
emac-FGT out arp reply 192.168.1.30 is-at 12:2:5:50:e4:0      <----- Different MAC address.

Because the connecting host accepts the first ARP reply, which comes from the parent interface Uplink with a different MAC address, connectivity fails.
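To confirm this symptom from a sniffer capture, the following is an added Python check (not from the article or from Fortinet) that parses "arp reply ... is-at ..." lines in the format shown above and reports any IP address that was answered with more than one MAC address, grouped by interface. The sample capture is constructed from the lines above.

```python
import re
from collections import defaultdict

# Constructed sample: the ARP lines from the capture above, in the
# "<interface> <in|out> arp ..." format of a FortiGate sniffer capture.
SAMPLE_CAPTURE = """\
Uplink in arp who-has 192.168.1.30 tell 198.51.100.3
Uplink out arp reply 192.168.1.30 is-at c:2:5:50:e4:0
port1 out arp reply 192.168.1.30 is-at c:2:5:50:e4:0
emac-FGT in arp who-has 192.168.1.30 tell 198.51.100.3
emac-FGT out arp reply 192.168.1.30 is-at 12:2:5:50:e4:0
"""

# interface, direction, target IP and MAC. Octets may be unpadded ("c:2:5:50:e4:0"),
# and anything after the MAC (such as a trailing annotation) is ignored.
ARP_REPLY = re.compile(
    r"^(?P<intf>\S+)\s+(?P<dir>in|out)\s+arp reply\s+(?P<ip>\d+\.\d+\.\d+\.\d+)"
    r"\s+is-at\s+(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})"
)

def normalize_mac(mac):
    """Zero-pad each octet so 'c:2:5:50:e4:0' and '0c:02:05:50:e4:00' compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp_replies(text):
    """Return (interface, ip, mac) for every outbound ARP reply line in the capture."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m and m.group("dir") == "out":
            replies.append((m.group("intf"), m.group("ip"), normalize_mac(m.group("mac"))))
    return replies

def find_conflicting_replies(text):
    """Map each IP answered with more than one MAC to {mac: [interfaces that sent it]}."""
    by_ip = defaultdict(lambda: defaultdict(list))
    for intf, ip, mac in parse_arp_replies(text):
        by_ip[ip][mac].append(intf)
    return {ip: dict(macs) for ip, macs in by_ip.items() if len(macs) > 1}

if __name__ == "__main__":
    for ip, macs in find_conflicting_replies(SAMPLE_CAPTURE).items():
        print(f"{ip} was answered with {len(macs)} different MAC addresses:")
        for mac, intfs in macs.items():
            print(f"  {mac} via {', '.join(intfs)}")
```

An empty result means every ARP reply for a given IP carried the same MAC, which is what the capture should look like after either fix below is applied.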

Solution
There are two possible solutions to fix this issue and avoid connectivity problems in this scenario; both are changes to the VIP configuration.

1) Set the VIP's external interface to the exact interface on which the external IP is configured.
# config firewall vip
    edit "VIP-192.168.1.30_rdp"
        set extip 192.168.1.30
        set extintf "any"                  <----- Replace this with 'emac-FGT'.
        set portforward enable
        set mappedip "192.168.10.2"
        set extport 3389
        set mappedport 3389
    next
end
2) Disable arp-reply on the VIP.
# config firewall vip
    edit "VIP-192.168.1.30_rdp"
        set extip 192.168.1.30
        set extintf "any"
        set arp-reply disable              <----- Disable it.
        set portforward enable
        set mappedip "192.168.10.2"
        set extport 3389
        set mappedport 3389
    next
end
