Problem with ip spoof
darkmen11
Newbie ✭
I added a second IP address to a WAN interface on the TZ 500 using the ARP table method. I created a rule to allow the flow, and I have NAT on a server, but I'm getting this error message:
DROPPED, Drop Code: 493(IP Spoof check failed recorded in module network), Module Id: 25(network), (Ref.Id: _1510_krUrqqhEjgem) 2:2)"
(Locally, if I try to ping the second address, it works.)
Can you please help me?
Category: Mid Range Firewalls
0
Answers
@darkmen11
Did you create a static ARP entry for the second IP address?
@darkmen11 is the secondary IP in the same subnet as your primary IP? If yes, you don't need a secondary IP; it can be managed with NAT only.
If it's in a different subnet you need an additional route from ANY to the Secondary Subnet to Interface X! (or whatever it is).
--Michael@BWC
It's the same subnet
I just followed this tutorial but I have this issue: Drop Code: 493
I added a static entry.
I added NAT:
Original Source: Any
Translated Source: Original
Original Destination: WAN2
Translated Destination: NEW SERVER
Original Service: Any
Translated Service: Original
Inbound Interface: X3
Outbound Interface: Any
Concretely, what should I modify?
Thank you
@darkmen11 if X3 is your WAN interface and WAN2 holds the secondary address, I would assume that you don't need to change anything. If the rule does not get any hits from WAN, then probably the CPE is not doing the ARP request?
How does your X3 get its address assigned: PPPoE, DHCP or static?
--Michael@BWC
Yes, X3 is my WAN interface with 1 static address and the second address in the ARP table.
It's a static address.
I have no hits
Thank you
What is the subnet mask of your X3 interface? I assume you checked that the secondary is neither the network nor the broadcast address of that subnet?
Did you do a packet monitor on X3 just for ARP to see if there are any ARP requests? If your CPE is not asking for your address it won't work.
--Michael@BWC
Hello,
No, this is not a broadcast address.
Locally, with a LAN connected to the firewall, I can ping the second address, but I cannot reach it via the internet; I get a 'dropped' message.
and in the packet monitor the ARP packet was consumed.
You get a drop message because of IP spoof (did you remove the static ARP entry?) or because of an Access Rule?
--Michael@BWC
Why do I have to delete the static ARP? It allows me to have a second IP address on my interface in the same subnet.
Statistics for access rules = 0
Because it's not needed, it can be accomplished with only NAT rules.
--Michael@BWC
So please, what's the problem?

| Source Original | Source Translated | Destination Original | Destination Translated | Service Original | Service Translated | Interface Inbound | Interface Outbound | Priority |
|---|---|---|---|---|---|---|---|---|
| Any | Original | Server Public | Server Private | Any | Original | Any | Any | |

For NAT traffic, Statistics = 0 too.
For the LAN this rule is working:

| Source Original | Source Translated | Destination Original | Destination Translated | Service Original | Service Translated | Interface Inbound | Interface Outbound | Priority |
|---|---|---|---|---|---|---|---|---|
| Firewalled Subnets | Server Public | Server Public | Server Private | Any | Original | Any | Any | |
Ok, due to the missing knowledge of any details, take this as an example.
As usual, if you wanna publish any service destined to the X3 IP, you would create a NAT Rule for the X3 IP translated to your internal address. The Access Rule has to be WAN to DMZ (or LAN, whatever) with Destination as the X3 IP.
Now you create a new Address Object in Zone WAN called X3-2ndIP of Type Host with 192.1.2.2 as IP.
If you wanna publish a Service for that IP, you create a NAT Rule with that Object as Destination Original and your internal address as Destination Translated. The Access Rule has to be WAN to DMZ (or whatever) with a Destination of X3-2ndIP.
This is working without any additional steps, like routing, static ARPs or secondary IPs, because ARP Requests coming in to the X3 interface will be answered automatically.
As long as your CPE is sending you an ARP request this works; that's why I asked you to do a Packet Monitor for ARP.
If your CPE does not play along, your only option would be a static route on the CPE to route 192.1.2.2 via 192.1.2.1
--Michael@BWC
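The following is an added example, not code from the thread or from SonicWall. It models two things the answer above turns on: whether the secondary address is a usable host in the X3 subnet (the network/broadcast question asked earlier), and how an inbound packet to that address is matched against NAT and access rules when, as Michael describes, the NAT rule keys on the original (public) destination and the access rule names the public address object, not the translated private one. The address objects, rule structure and the IP values (192.1.2.1/24, 192.1.2.2, 10.0.0.10) are constructed for the example; the evaluator is a simplified model, not SonicOS's actual engine, and it ignores the spoof check that the original drop message reports.

```python
import ipaddress
from dataclasses import dataclass


def check_secondary_ip(primary_cidr: str, secondary: str) -> list:
    """Problems with using `secondary` as a second public IP on the same
    interface whose primary address is `primary_cidr` (e.g. "192.1.2.1/24").
    An empty list means the address is a plain host address of that subnet."""
    iface = ipaddress.ip_interface(primary_cidr)
    net = iface.network
    sec = ipaddress.ip_address(secondary)
    problems = []
    if sec not in net:
        # Different subnet: this is the case that needs an extra route.
        problems.append(f"{sec} is not in {net}; a route would be required")
    elif sec == net.network_address:
        problems.append(f"{sec} is the network address of {net}")
    elif sec == net.broadcast_address:
        problems.append(f"{sec} is the broadcast address of {net}")
    if sec == iface.ip:
        problems.append(f"{sec} duplicates the primary address")
    return problems


@dataclass(frozen=True)
class NatRule:
    dst_original: str          # address object name holding the public IP
    dst_translated: str        # address object name holding the private IP
    inbound_iface: str = "Any"  # "Any" or an interface name such as "X3"


@dataclass(frozen=True)
class AccessRule:
    from_zone: str
    to_zone: str
    destination: str           # address object name or "Any"
    action: str = "allow"


def evaluate_inbound(objects, nat_rules, access_rules, iface, from_zone, to_zone, dst_ip):
    """Simplified model of the inbound path: destination NAT first (matched on
    the original destination), then the access rule, matched on the public
    (pre-NAT) destination as the answer describes.
    Returns (translated_ip or None, allowed, reason)."""
    translated = None
    for r in nat_rules:
        if r.inbound_iface not in ("Any", iface):
            continue
        if objects.get(r.dst_original) == dst_ip:
            translated = objects[r.dst_translated]
            break
    if translated is None:
        return None, False, "no NAT rule matches the original destination"
    for a in access_rules:
        if a.from_zone != from_zone or a.to_zone != to_zone:
            continue
        if a.destination == "Any" or objects.get(a.destination) == dst_ip:
            return translated, a.action == "allow", f"matched access rule to {a.destination}"
    # A rule written against the private address never matches here.
    return translated, False, "no access rule matches the public destination"


# Constructed address objects in the style of the thread.
OBJECTS = {
    "X3 IP": "192.1.2.1",
    "X3-2ndIP": "192.1.2.2",
    "Server Private": "10.0.0.10",
}
NAT_RULES = [NatRule("X3-2ndIP", "Server Private", "X3")]
GOOD_ACCESS = [AccessRule("WAN", "DMZ", "X3-2ndIP")]
BAD_ACCESS = [AccessRule("WAN", "DMZ", "Server Private")]   # common mistake


def demo():
    """Returns results for a packet from the internet to the secondary IP."""
    placement = check_secondary_ip("192.1.2.1/24", "192.1.2.2")
    good = evaluate_inbound(OBJECTS, NAT_RULES, GOOD_ACCESS, "X3", "WAN", "DMZ", "192.1.2.2")
    bad = evaluate_inbound(OBJECTS, NAT_RULES, BAD_ACCESS, "X3", "WAN", "DMZ", "192.1.2.2")
    return placement, good, bad


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running it shows the secondary address passing the subnet check, the packet being translated to 10.0.0.10 and allowed when the access rule names X3-2ndIP, and the same packet being translated but not allowed when the access rule was written against the private server object, which is one reason an access rule can show zero hits while the NAT rule looks right.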