Enabling transparent mode, High availability with transparent mode, Transparent mode scenarios – D-Link DFL-2500 User Manual
Page 120
When beginning communication, a host will locate the target host's physical address by
broadcasting an ARP request. This request is intercepted by NetDefendOS and it sets up an internal
ARP Transaction State entry and broadcasts the ARP request to all the other switch-route interfaces
except the interface the ARP request was received on. If NetDefendOS receives an ARP reply from
the destination within a configurable timeout period, it will relay the reply back to the sender of the
request, using the information previously stored in the ARP Transaction State entry.
During the ARP transaction, NetDefendOS learns the source address information for both ends from
the request and reply. NetDefendOS maintains two tables to store this information: the Content
Addressable Memory (CAM) and Layer 3 Cache. The CAM table tracks the MAC addresses
available on a given interface and the Layer 3 cache maps an IP address to MAC address and
interface. As the Layer 3 Cache is only used for IP traffic, Layer 3 Cache entries are stored as single
host entries in the routing table.
For each IP packet that passes through the D-Link Firewall, a route lookup for the destination is
done. If the route of the packet matches a Switch Route or a Layer 3 Cache entry in the routing
table, NetDefendOS knows that it should handle this packet in a transparent manner. If a destination
interface and MAC address is available in the route, NetDefendOS has the necessary information to
forward the packet to the destination. If the route was a Switch Route, no specific information about
the destination is available and the firewall will have to discover where the destination is located in
the network. Discovery is done by NetDefendOS sending out ARP as well as ICMP (ping) requests,
acting as the initiating sender of the original IP packet for the destination on the interfaces specified
in the Switch Route. If an ARP reply is received, NetDefendOS will update the CAM table and
Layer 3 Cache and forward the packet to the destination.
If the CAM table or the Layer 3 Cache is full, the tables are partially flushed automatically. Using
the discovery mechanism of sending ARP and ICMP requests, NetDefendOS will rediscover
destinations that may have been flushed.
4.6.4. Enabling Transparent Mode
Two steps are normally required to have NetDefendOS operate in Transparent Mode:
1. If desired, create a group of the interfaces that are to be transparent. Interfaces in a group can
be marked as Security transport equivalent if hosts are to move freely between them.
2. Create Switch Routes and, if applicable, use the interface group created earlier. For the
Network parameter, specify the range of IP addresses that will be transparent between the
interfaces. When the entire firewall is working in Transparent Mode this range is normally
all-nets.
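The following Python model is an added illustration and is not NetDefendOS code or anything taken from this manual. It puts together the learning mechanism described in the paragraphs above (ARP Transaction State, the CAM table, the Layer 3 Cache, Switch Route lookup and discovery with partial flushing when a table is full) with the two configuration steps just listed. All names and values are assumptions: the interfaces lan and wan, the hosts, MAC addresses and table sizes are made up; discovery is simulated with ARP only (the ICMP probe the manual mentions is omitted); the absence of an answering host stands in for the reply timeout; and "partial flush" is implemented as dropping the oldest half of a full table, which is an assumed policy since the manual does not say how much is flushed.

```python
"""Toy model of transparent-mode learning: ARP transaction state, CAM table,
Layer 3 cache, Switch Routes and discovery.  Constructed illustration, not
NetDefendOS code; interface names, hosts, MACs and table sizes are made up."""
import ipaddress
from collections import OrderedDict


class Host:
    """A host on one segment; it answers ARP only for its own IP address."""
    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac


class TransparentFirewall:
    def __init__(self, cam_limit=8, l3_limit=8):
        self.switch_routes = []      # (network, [interface, ...])
        self.segments = {}           # interface -> hosts on that wire
        self.cam = OrderedDict()     # (interface, mac) -> None, oldest first
        self.l3 = OrderedDict()      # ip -> (mac, interface), oldest first
        self.arp_state = {}          # (sender_ip, target_ip) -> ingress interface
        self.cam_limit, self.l3_limit = cam_limit, l3_limit

    # --- configuration: step 2 of 4.6.4 (the interface list is the "group") ---
    def add_switch_route(self, network, interfaces):
        self.switch_routes.append((ipaddress.ip_network(network), list(interfaces)))

    def attach(self, interface, host):
        self.segments.setdefault(interface, []).append(host)

    # --- learning ---------------------------------------------------------------
    @staticmethod
    def _flush_if_full(table, limit):
        """Partial flush: drop the oldest half once the table is full (assumed policy)."""
        if len(table) >= limit:
            for _ in range(max(1, limit // 2)):
                table.popitem(last=False)

    def _learn(self, interface, ip, mac):
        self._flush_if_full(self.cam, self.cam_limit)
        self._flush_if_full(self.l3, self.l3_limit)
        self.cam[(interface, mac)] = None          # MAC seen on this interface
        self.l3[ip] = (mac, interface)             # single-host route for IP

    def _switch_route_for(self, ip):
        for network, interfaces in self.switch_routes:
            if ipaddress.ip_address(ip) in network:
                return interfaces
        return None

    # --- ARP relay ----------------------------------------------------------------
    def arp_request(self, ingress, sender, target_ip):
        """Relay an ARP request seen on `ingress`; return the target MAC, or None
        when no reply arrives (this stands in for the reply timeout)."""
        interfaces = self._switch_route_for(target_ip)
        if interfaces is None:                    # target not in any Switch Route
            return None
        self.arp_state[(sender.ip, target_ip)] = ingress
        if sender.mac:
            self._learn(ingress, sender.ip, sender.mac)    # learn the requester
        reply = None
        for iface in interfaces:                  # rebroadcast on every other interface
            if iface == ingress:
                continue
            for host in self.segments.get(iface, []):
                if host.ip == target_ip:
                    self._learn(iface, host.ip, host.mac)  # learn the replier
                    reply = host.mac
        self.arp_state.pop((sender.ip, target_ip))  # state tells us where to relay back
        return reply

    # --- IP forwarding --------------------------------------------------------------
    def forward(self, ingress, src_ip, dst_ip):
        """Route lookup for one IP packet: (egress, dst_mac), or None to drop."""
        if dst_ip in self.l3:                       # Layer 3 Cache hit
            mac, iface = self.l3[dst_ip]
            return iface, mac
        if self._switch_route_for(dst_ip) is None:  # no Switch Route: not transparent
            return None
        # Switch Route hit but no host entry: discover, impersonating the sender
        src_mac = self.l3.get(src_ip, (None, None))[0]
        mac = self.arp_request(ingress, Host(src_ip, src_mac), dst_ip)
        return (self.l3[dst_ip][1], mac) if mac else None


def demo():
    """Two segments bridged by a Switch Route; l3_limit=2 forces flushes."""
    fw = TransparentFirewall(l3_limit=2)
    fw.add_switch_route("10.0.0.0/24", ["lan", "wan"])
    client = Host("10.0.0.10", "00:11:22:00:00:10")
    router = Host("10.0.0.1", "00:11:22:00:00:01")
    fw.attach("lan", client)
    fw.attach("wan", router)
    out = {}
    out["arp"] = fw.arp_request("lan", client, "10.0.0.1")            # relayed reply
    out["fwd_cached"] = fw.forward("wan", "10.0.0.1", "10.0.0.10")    # L3 Cache hit
    out["fwd_unknown"] = fw.forward("lan", "10.0.0.10", "10.0.0.99")  # nobody answers
    out["no_route"] = fw.forward("lan", "10.0.0.10", "192.168.1.1")   # outside Switch Route
    fw.attach("wan", Host("10.0.0.2", "00:11:22:00:00:02"))
    out["fwd_server"] = fw.forward("lan", "10.0.0.10", "10.0.0.2")    # discovery fills cache
    out["router_flushed"] = "10.0.0.1" not in fw.l3                   # evicted by flush
    out["fwd_router_again"] = fw.forward("lan", "10.0.0.10", "10.0.0.1")  # rediscovered
    return out
```

The demo keeps the Layer 3 Cache deliberately tiny so that the router's entry is evicted by the partial flush and then recovered by a fresh discovery, which is the behaviour the last paragraph of the mechanism description relies on.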
4.6.5. High Availability with Transparent Mode
Switch Routes cannot be used with High Availability and therefore true transparent mode cannot be
implemented with a NetDefendOS High Availability Cluster.
Instead of Switch Routes, the solution in a High Availability setup is to use Proxy ARP to separate
the two networks. This is described further in Section 4.2.4, "Proxy ARP". The key disadvantage of
this approach is that clients will not be able to roam between NetDefendOS interfaces while
retaining the same IP address.
4.6.6. Transparent Mode Scenarios
Scenario 1
The firewall in Transparent Mode is placed between an Internet access router and the internal
network. The router is used to share the Internet connection with a single public IP address. The
internal NATed network behind the firewall is in the 10.0.0.0/24 address space. Clients on the
internal network are allowed to access the Internet via the HTTP protocol.