SSG5 - PPPoE /29 range over a bgroup



    Hi,

    I am moving away from an old iptables linux box firewall setup I had going on and was trying to replicate the setup on a SSG 5. I currently have a /29 IP range from my DSL provider which I can get working easy enough using a PPPoE profile mapped to an interface. I can also setup all of the NAT/DMZ bits that I had before but the one part I can’t work out is how to give another device on my network an IP in my untrust range. On the linux box I created a bridge device, bound two NICs to it and enabled proxy arp. I have tried to replicate this on the SSG5 but to no success.

    For this example let’s say I was given 100.1.1.1/29, I use .1 as the SSG 5 untrust IP and .2 as my extra device IP.

    Currently I have configured a bgroup0 which uses e0/3 and e0/4. I have my DSL modem connected to e0/3 and the PPPoE profile mapped to the bgroup0 interface. This works fine. I then plug in my other network device to e0/4 and assign it an IP from the static range. If I run a get arp on the SSG5 I see the IP and MAC address of the device being listed in its arp table. I can’t however ping it from the SSG5 or from the other device going back to the SSG5.

    I added an Untrust Intra-Zone policy which just says any -> any allow and log. I can see log entries being generated here. I even added a proxy-arp entry on the bgroup0 interface for the IP of the device but then no packets showed up in my log and it still didn’t work.

    I guess the first question is can the SSG5 handle the setup I’m trying to achieve? If so am I going about it the correct way? I know I can subnet out the /29 range and route traffic to another interface but then I’d lose an extra IP of the 5 available as another gateway. Also I’d like to do this without any NAT at all if possible.

    I ran a debug of a ping from .1 going to .2 and it looks like the packet just goes round in circles!

    Thanks

    
    : in <bgroup0>, out <N/A>
      chose interface bgroup0 as incoming nat if.
      flow_first_routing: in <bgroup0>, out <N/A>
      search route to (bgroup0, 100.1.1.1->100.1.1.2) in vr trust-vr for vsd-0/flag-0/ifp-null
      cached route 0 for 100.1.1.2
      add route 26 for 100.1.1.2 to route cache table
      [ Dest] 26.route 100.1.1.2->100.1.1.2, to bgroup0
      routed (x_dst_ip 100.1.1.2) from bgroup0 (bgroup0 in 0) to bgroup0
      policy search from zone 1-> zone 1
     policy_flow_search  policy search nat_crt from zone 1-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 100.1.1.2, port 13014, proto 1)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 41/18/0x9
      Permitted by policy 41
      No src xlate   choose interface bgroup0 as outgoing phy if
      no loop on ifp bgroup0.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <bgroup0>, out <bgroup0>existing vector list 1-4519744.
      Session (id:8047) created for first pak 1
      flow_first_install_session======>
      route to 100.1.1.2
      bypass L2 prepare if, nsp ready.
      ifp2 bgroup0, out_ifp bgroup0, flag 00002800, tunnel ffffffff, rc 1
      outgoing wing prepared, ready
      handle cleartext reverse route
      search route to (bgroup0, 100.1.1.2->100.1.1.1) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
      cached route 27 for 100.1.1.1
      [ Dest] 27.route 100.1.1.1->100.1.1.1, to bgroup0
      route to 100.1.1.1
      bypass L2 prepare if, nsp ready.
      ifp2 bgroup0, out_ifp bgroup0, flag 00002801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 8047
      flow_main_body_vector in ifp bgroup0 out ifp bgroup0
      flow vector index 0x1, vector addr 0x20f2a18, orig vector 0x20f2a18
      post addr xlation: 100.1.1.1->100.1.1.2.
      send out through normal path.
      flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20, vlan 0
      send packet to traffic shaping queue.
      flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20020, vlan 0
     pak has mac
      Send to bgroup0 (150)
    ****** 04805.0: <untrust/bgroup0> packet received [128]******
      ipid = 21774(550e), @039e87b8
      packet passed sanity check.
      flow_decap_vector IPv4 process
      bgroup0:100.1.1.1/9464->100.1.1.2/1024,1(8/0)<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 8031
      flow_main_body_vector in ifp bgroup0 out ifp N/A
      flow vector index 0x1, vector addr 0x20f2a18, orig vector 0x20f2a18
      post addr xlation: 100.1.1.1->100.1.1.2.
      send out through normal path.
      flow_ip_send: 550e:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x0, vlan 0
      send packet to traffic shaping queue.
      flow_ip_send: 550e:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20000, vlan 0
     pak has mac
      Send to bgroup0 (150)
    ****** 04805.0: <untrust/bgroup0> packet received [128]******
      ipid = 21779(5513), @039edfb8
      packet passed sanity check.
      flow_decap_vector IPv4 process
      bgroup0:100.1.1.1/9564->100.1.1.2/1024,1(8/0)<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 8047
      flow_main_body_vector in ifp bgroup0 out ifp N/A
      flow vector index 0x1, vector addr 0x20f2a18, orig vector 0x20f2a18
      post addr xlation: 100.1.1.1->100.1.1.2.
      send out through normal path.
      flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x0, vlan 0
      send packet to traffic shaping queue.
      flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20000, vlan 0
     pak has mac
      Send to bgroup0 (150)
    ****** 04805.0: <untrust/bgroup0> packet received [128]******
      ipid = 21774(550e), @039ee7b8
      packet passed sanity check.
      flow_decap_vector IPv4 process
      bgroup0:100.1.1.1/9464->100.1.1.2/1024,1(8/0)<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 8031
      flow_main_body_vector in ifp bgroup0 out ifp N/A
      flow vector index 0x1, vector addr 0x20f2a18, orig vector 0x20f2a18
      post addr xlation: 100.1.1.1->100.1.1.2.
      send out through normal path.
      flow_ip_send: 550e:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x0, vlan 0
      send packet to traffic shaping queue.
      flow_ip_send: 550e:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20000, vlan 0
     pak has mac
      Send to bgroup0 (150)
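
An added troubleshooting helper, not part of the original post: a small Python parser for the ScreenOS `debug flow basic` lines quoted above that flags a hairpin, i.e. a packet with a given ipid that is sent out of an interface and then received back on that same interface (here bgroup0) over and over, which is the "round in circles" pattern in the capture. The sample log is constructed to mirror the post's output; the third packet, its addresses and the `untrust0`/`bgroup1` interface names are assumptions.

```python
import re

# Constructed excerpt modelled on the "debug flow basic" output quoted in the post
# (not the poster's actual capture): one ICMP packet hairpinning on bgroup0 and
# one unrelated packet (assumed addresses/interfaces) that transits normally.
SAMPLE_DEBUG = """\
flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20020, vlan 0
****** 04805.0: <untrust/bgroup0> packet received [128]******
ipid = 21779(5513), @039edfb8
flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20000, vlan 0
****** 04805.0: <untrust/bgroup0> packet received [128]******
ipid = 21779(5513), @039edfb8
flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20000, vlan 0
****** 04806.0: <trust/bgroup1> packet received [84]******
ipid = 100(0064), @039ee000
flow_ip_send: 0064:192.168.1.10->198.51.100.7,1 => untrust0(84) flag 0x0, vlan 0
"""

# flow_ip_send: <ipid hex>:<src>-><dst>,<proto> => <out ifp>(<len>) ...
SEND_RE = re.compile(r"flow_ip_send:\s*([0-9a-f]+):(\S+?)->(\S+?),(\d+)\s*=>\s*(\S+?)\(")
# ****** <ticks>: <zone/ifp> packet received [<len>]******
RECV_RE = re.compile(r"<([^/>]+)/([^>]+)>\s*packet received")
# ipid = <decimal>(<hex>), @<addr>
IPID_RE = re.compile(r"ipid\s*=\s*\d+\(([0-9a-f]+)\)")


def find_hairpins(debug_text, threshold=2):
    """Return {ipid: info} for packets sent out of an interface and then received
    back on that same interface at least `threshold` times."""
    last_sent = {}      # ipid -> (src, dst, proto, out_ifp) from the latest send
    hairpins = {}       # ipid -> info dict with a running hairpin count
    pending_ifp = None  # ingress ifp named by the most recent "packet received"
    for line in debug_text.splitlines():
        if m := SEND_RE.search(line):
            ipid, src, dst, proto, ifp = m.groups()
            last_sent[ipid] = (src, dst, int(proto), ifp)
        elif m := RECV_RE.search(line):
            pending_ifp = m.group(2)
        elif (m := IPID_RE.search(line)) and pending_ifp:
            ipid = m.group(1)
            sent = last_sent.get(ipid)
            if sent and sent[3] == pending_ifp:  # egress ifp == ingress ifp: hairpin
                info = hairpins.setdefault(ipid, {"src": sent[0], "dst": sent[1],
                                                  "proto": sent[2], "ifp": pending_ifp,
                                                  "count": 0})
                info["count"] += 1
            pending_ifp = None
    return {k: v for k, v in hairpins.items() if v["count"] >= threshold}
```

Run it over the real capture after saving the debug buffer to a file; any ipid reported with a high count is a packet the firewall keeps handing back to itself instead of forwarding toward the host on e0/4.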
    
