Firebox 1000 Drop-in Mode problem

Status
Not open for further replies.
Feb 11, 2003
I'm new to this forum. I've encountered this problem recently while observing my firebox.

Here is my network config.

We get our network address from our provider, so we can't change it. So at the moment, we reside in the 172.17.7.0/24 subnet, shared not only by us but also by the rest of the users.

My Firebox 1000 operates in drop-in mode. I have 2 web servers behind my Firebox (connected through the Firebox's trusted port).
Web01 172.17.7.46
Web02 172.17.7.47

The problem is, because this Firebox operates in drop-in mode, its proxy ARP is on in order to intercept incoming ARP requests. The problem with this proxy ARP is that it sort of pings every single computer that is on the 172.17.7.0/24 subnet, inclusive of those that are not ours. This causes a kind of congestion. I'm trying to figure out a way to configure my Firebox through the Watchguard Control Center to solve this problem. Please help.

Thanks
Edward
 
If you are sharing the network with others from your ISP, you must have a subnet range and not the whole /24. Your ISP should be able to tell you what part of the subnet you have and you can configure that in the Control Center Network setup.
 
I know which subnet our servers are on. I don't know how to configure it on the Control Center Network.

Is such a thing configurable under automatic Proxy ARP?

Currently only one IP is specified, and it is our host/gateway, which resides at the IP 172.17.7.1/24.

How do you actually configure this? Is there anywhere on the Net that has any Watchguard resources like their manual or a tech/help site besides their official web page?

Thanks.
Ed
 
Before I forget... this IP (172.17.7.1/24) for the gateway host that is specified under the PROXY ARP menu resides on the Firebox's External port, while the 2 web servers reside on the Firebox's Trusted port.

Which IP should I add to the list? All the IPs allocated for both our WEB01 and WEB02 servers?

Currently, the proxy ARP mode is in AUTOMATIC mode. Should I turn it off and manually select which port (External, Trusted, Optional) it should run on? If yes, which port should it run on?

I'll try to give you a brief illustration of this:

(LOGICAL NETWORK LAYOUT)

Internet (Provider's NAT)
|
|
172.17.7.1/24
(Gateway)
|
|
(external port)
Watchguard Firewall (172.17.7.143/24 all ports) drop-in mode
(trusted port)
|
|
Switch
|
|
WEB01 (172.17.7.46/24 + other IPs) DMZ
WEB02 (172.17.7.47/24 + other IPs) DMZ

So as you can see, the problem is that the Firebox is trying to ping every computer or system located on the same subnet 172.17.7.0/24 as the Firebox's External port that does not belong to us, because this Firebox believes that every system on the subnet belongs to it, whereas this subnet is a public subnet over at our provider's place.

Please help. Thanks.

Regards,
Ed
 
To change the network range on the external interface, from the Policy Manager, select Configuration from the Network menu option. Click the Interfaces tab and enter the IP address of the external interface along with the subnet using the / notation.

Proxy ARP cannot be turned on or off. Proxy ARP will occur for the entire subnet defined in the above configuration. If your ISP has assigned the IPs to your devices and has spread them across the subnet as it appears, you will continue to have this problem. The best thing you can do is keep all of your IPs in a smaller range you can define that will limit Proxy ARP. For instance, request a /29 grouping and change your IPs appropriately. You will then only Proxy ARP that range and it will not affect the others.
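A worked illustration of the advice in that reply (an added example, not from the thread and not WatchGuard's own code): a small Python model of the drop-in proxy-ARP rule as the reply states it, namely that the Firebox answers external ARP requests for any address inside the subnet configured on its external interface. It shows how many addresses a /24 versus a /29 makes the Firebox speak for, and why existing hosts may need renumbering before the subnet is narrowed. The web server addresses and the Firebox's current 172.17.7.143/24 come from the thread; the sample ARP targets, the hypothetical ISP-delegated block 172.17.7.48/29, the new Firebox address 172.17.7.49 and the renumbered server addresses are constructed assumptions.

```python
import ipaddress
from typing import List


def proxy_arp_answers(external_network: str, target_ip: str) -> bool:
    """Simplified model of drop-in-mode proxy ARP: the Firebox answers an ARP
    request seen on its external interface when the requested address lies
    inside the subnet configured on that interface. Assumption: no per-host
    exceptions, which matches the reply's 'entire subnet' description."""
    network = ipaddress.ip_network(external_network, strict=False)
    return ipaddress.ip_address(target_ip) in network


def answered_targets(external_network: str, arp_targets: List[str]) -> List[str]:
    """Return the requested addresses the Firebox would claim via proxy ARP."""
    return [ip for ip in arp_targets if proxy_arp_answers(external_network, ip)]


def proxied_host_count(external_network: str) -> int:
    """Number of host addresses the Firebox will speak for (network and
    broadcast addresses excluded; assumes a prefix of /30 or shorter)."""
    network = ipaddress.ip_network(external_network, strict=False)
    return network.num_addresses - 2


def hosts_outside_range(external_network: str, protected_hosts: List[str]) -> List[str]:
    """Protected hosts that would fall outside a narrowed external subnet.
    Anything listed here must be renumbered before the change is made
    ('change your IPs appropriately' in the reply above)."""
    network = ipaddress.ip_network(external_network, strict=False)
    return [ip for ip in protected_hosts if ipaddress.ip_address(ip) not in network]


# Addresses taken from the thread: the two web servers behind the trusted port.
WEB_SERVERS = ["172.17.7.46", "172.17.7.47"]

# Constructed sample of ARP requests seen on the shared external segment:
# the ISP gateway, our two servers, and two machines belonging to other customers.
ARP_TARGETS = ["172.17.7.1", "172.17.7.46", "172.17.7.47", "172.17.7.88", "172.17.7.200"]

# Current configuration from the thread: Firebox external address with a /24.
CURRENT_CONFIG = "172.17.7.143/24"

# Hypothetical fix (constructed): the ISP delegates 172.17.7.48/29 (usable .49-.54),
# the Firebox moves to .49 and the servers are renumbered to .50 and .51.
NARROWED_CONFIG = "172.17.7.49/29"
RENUMBERED_SERVERS = ["172.17.7.50", "172.17.7.51"]


if __name__ == "__main__":
    print("/24 config speaks for", proxied_host_count(CURRENT_CONFIG), "hosts;",
          "answers ARP for", answered_targets(CURRENT_CONFIG, ARP_TARGETS))
    print("/29 config speaks for", proxied_host_count(NARROWED_CONFIG), "hosts;",
          "answers ARP for", answered_targets(NARROWED_CONFIG, ARP_TARGETS + RENUMBERED_SERVERS))
    print("servers that must be renumbered before narrowing:",
          hosts_outside_range(NARROWED_CONFIG, WEB_SERVERS))
```

With the /24 the model claims every one of the constructed targets, including the two machines that belong to other customers, which is the behaviour the original poster is seeing. With the /29 only the renumbered servers are claimed, and `hosts_outside_range` flags that the existing .46 and .47 addresses would be left outside the new range, which is why the renumbering has to happen together with the interface change.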
 
I'm sorry for troubling you. But just as I begin to get a clear understanding of what's happening, the Watchguard manual is pretty useless in defining it in detail.

Proxy ARP - this means that the external interface of the firewall will reply to ARP requests for the external address of your host object.

"My interpretation.. does this mean that, for any ARP request coming from the external interface of the firewall, the Firebox would proxy itself as the real thing, entertain the request and reroute it to the intended object behind the firewall?"

Please correct me if I'm wrong. I would like to fully understand this term.

The steps you have given me are indeed correct. But I'm hesitating to make any configuration changes just yet. At the moment, from my observation under the Proxy ARP tab, the Automatic selection is turned on, and I have come to understand that it will do automatic proxy ARP for any host specified in the Related Hosts box. Currently, the only host specified in this box is our gateway, which is 172.17.7.1/24.

What does this mean? Is this setting correct?
Two choices seem present right now:

1) Add another related host in the box (IP of our Trusted interface or web servers' IP)
2) Turn off automatic mode and select manually which network the proxy ARP should be on (Trusted or External)

I'm confused as to what to do.

Please help. I know you showed me the way of configuring it. But what should I configure? What settings should I make?

Thanks for your help once again.

Regards,
Ed
 