Hi Kenny,

Thanks for your advice. Hope you won't get mad at me for posting your reply to the list, but I think it's a good idea and it's worth sharing.
I would like to take it further: my ISP is providing me with a small subclass, and I can't split it into two because I would lose too many addresses, not to mention migration/DNS issues. I think I could reconfigure my external firewall interfaces with a private network (say 10.1.1.0/24), configuring the routers accordingly and routing all my public addresses to the firewalls by means of a static route on the routers. This would work around the ARP issues, with only a side effect that maybe could prevent me from applying it: I couldn't attach a machine on the segment between firewalls and routers to get on the internet directly (I sometimes do it for troubleshooting purposes).

Thanks again

----- Original Message -----
From: "Kenny Jansson" <[EMAIL PROTECTED]>
To: "Not Available" <[EMAIL PROTECTED]>
Sent: Thursday, April 29, 2004 3:54 PM
Subject: Re: [FW-1] A deadly cocktail: ClusterXL and Proxy ARP

> You can avoid ARP altogether if you do it like so:
>
> I assume you have a set of public addresses assigned
> by your ISP, let's call that x.x.x.0/24
>
> And you have your firewall configured with IP x.x.x.1
> and ISP router with x.x.x.2
>
> And then you try to proxy arp and NAT for addresses
> like x.x.x.12, x.x.x.13 and so on.
>
> Consider splitting the x.x.x.0/24 into two /25's
>
> this involves changing the netmask on both the firewall
> and the router to 255.255.255.128 instead of 255.255.255.0
>
> Now you have a new network that we can call y.y.y.128/25
>
> In your router, add a route that says
>
> destination: y.y.y.128/25 use gw: x.x.x.1
>
> Now you can use your y.y.y.128/25 addresses without involving
> ARP at all...
>
> G'luck
>
> /Kenny
> --
> Kenny Jansson [EMAIL PROTECTED]
> Sentor AB, Orphei Drängars plats 1, 753 11 Uppsala, Sweden
> phn: +46 (0) 18 65 30 00 | gsm: +46 (0) 70 757 30 01
>
> On Thu, Apr 29, 2004 at 02:27:47PM +0200, Not Available wrote:
> > Hi all,
> >
> > two old enemies are allying with each other to pop up in my nightmares.
> >
> > Two firewalls, Windows 2000 SP4, CheckPoint R55 HFA03 - the latest.
> >
> > Inside and DMZs, vanilla hubs/switches.
> > Outside, a hub connects the cluster to a couple of Cisco routers configured
> > for HSRP redundancy.
> >
> > Tried out several configurations for the cluster, but the frustrating
> > results seem to indicate there are serious problems getting static NATs to
> > work when working with the cluster: cannot reach NATed services from the
> > outside.
> >
> > If I delete the cluster object and assign the Virtual IPs to the physical
> > interfaces of one node while the other is off, it works like a charm.
> > Automatic ARP does it, OR I can turn it off and use the local.arp file.
> >
> > Working with the cluster is a bit different: outgoing traffic (hidden behind
> > the cluster external interface) works, inbound traffic doesn't get to the
> > servers.
> >
> > A little troubleshooting seems to blame ARP for it all. When using automatic
> > ARP, no luck. Using the local.arp file makes no difference. Tried even
> > fwparp.exe, but it worked a few hours then stopped (maybe when the router's
> > arp cache flushed).
> >
> > I tried using unicast load sharing, multicast (even if my routers seem not
> > to like mcast very much), HA new mode. Didn't try legacy mode yet, just
> > because it is deprecated by CP's documentation.
> >
> > What turns out in every case is that the cluster seems able to ARP out for
> > the cluster virtual IP address, but can't do it for NATed addresses, no
> > matter how I try to set it up.
> >
> > Using automatic ARP it looks like it doesn't arp at all.
> >
> > Using local.arp would arp on both nodes, confusing the router (and it seems
> > the effect is like no ARP at all...)
> >
> > Are there any experiences you can share on how to configure the cluster in
> > such a configuration? Is it possible to make it work with static NAT? Should
> > I use automatic ARP or what?
> >
> > Thank you all in advance...
> >
> > NA
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================
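Kenny's two-/25 trick and the private-transit variant in the reply above both remove the need for proxy ARP for the same reason: once the NATed addresses are no longer inside a network the router considers directly connected, the router's longest-prefix match hits a static route and it ARPs for the next hop (the firewall's real or cluster address) instead of for the NATed address itself. The Python model below is an added example, not code from the thread; it assumes the documentation block 203.0.113.0/24 in place of x.x.x.0/24 (router .2, firewall/cluster VIP .1, as in Kenny's reply) and 10.1.1.0/24 for the private transit segment, and the FIB tables are constructed to mirror the three layouts discussed.

```python
import ipaddress

# Constructed forwarding tables for the three layouts in the thread.
# 203.0.113.0/24 (a documentation block) stands in for the ISP's x.x.x.0/24;
# the router is .2 and the firewall / ClusterXL VIP is .1.  A gateway of None
# marks a directly connected network: for destinations inside it the router
# must ARP for the destination itself, which is exactly where proxy ARP on the
# cluster is required (and where the original poster's setup fails).
FIB_FLAT = [
    ("203.0.113.0/24", None),               # one flat /24, NATed hosts live in it
]
FIB_SPLIT = [                               # Kenny's proposal
    ("203.0.113.0/25", None),               # lower /25 stays on the wire
    ("203.0.113.128/25", "203.0.113.1"),    # upper /25 static-routed to the firewall
]
FIB_PRIVATE_TRANSIT = [                     # the reply's proposal
    ("10.1.1.0/24", None),                  # private router <-> firewall segment
    ("203.0.113.0/24", "10.1.1.1"),         # whole public block routed to the FW VIP
]


def lookup(fib, dst):
    """Longest-prefix match over a list of (prefix, gateway) tuples.

    Returns (network, gateway) for the most specific matching prefix, or None
    when nothing covers dst.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def arp_target(fib, dst):
    """The IP address the router resolves with ARP before forwarding to dst.

    Connected route: the target is dst itself, so some host on the segment has
    to answer for it (proxy ARP).  Static route: the target is the next hop, a
    real interface address that answers normally; dst is never ARPed for.
    """
    match = lookup(fib, dst)
    if match is None:
        return None
    _net, gw = match
    return gw if gw is not None else str(ipaddress.ip_address(dst))


def needs_proxy_arp(fib, dst):
    """True when the router will send an ARP request for dst itself."""
    return arp_target(fib, dst) == str(ipaddress.ip_address(dst))


if __name__ == "__main__":
    cases = [
        ("flat /24", FIB_FLAT, "203.0.113.12"),
        ("two /25s", FIB_SPLIT, "203.0.113.140"),
        ("private transit", FIB_PRIVATE_TRANSIT, "203.0.113.12"),
    ]
    for name, fib, dst in cases:
        print(f"{name:16s} dst={dst:15s} router ARPs for {arp_target(fib, dst):15s}"
              f" proxy ARP needed: {needs_proxy_arp(fib, dst)}")
```

With either routed layout the cluster no longer needs local.arp entries or fwparp for the NATed range; it only has to answer ARP for its own VIP, which the poster reports already works. Two practical checks that follow from the model: with HSRP the static route has to be configured on both routers, not just the active one, and in the private-transit layout a troubleshooting host plugged into the 10.1.1.0/24 segment has no public address the router can forward for, which is the side effect the reply mentions.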
