Solved

Internet Routing via TMG - Proxy ARP?

Posted on 2011-09-20
1,951 Views
Last Modified: 2012-08-13
I'm currently in the process of negotiating a firewall change at a large network I support such that we are provided with a routed block of IPs which terminate directly on the local Forefront TMG firewall. At present, the TMG is sat behind another firewall at the ISP (don't ask!).

Present config: External IP 1.2.3.4 terminates on the ISP's firewall. If traffic matches a firewall rule, the ISP passes that traffic to an internal 10.0.0.0/22 subnet. Different public IPs provided by the ISP are mapped to different addresses in 10.0.0.0/22. Those 10.0.0.0/22 addresses are on the TMG's WAN interface and are then routed to our internal LAN ranges by the TMG on 172.16.0.0.

Although my understanding of routing is usually very good, I will openly admit that the routing techniques used out in the cloud to route traffic are not one of my strong points.

The ISP is providing us with 2 options on how our service can be configured.

Option 1: Public IP range to the WAN interface of the TMG & configuring the firewall to use proxy-ARP.
The diagrams provided show an example with the router operating on 192.168.0.6 and the firewall masquerading as 192.168.0.1-192.168.0.5 using proxy-ARP.
Option 2: The ISP router will statically route a public IP range to the WAN interface of the TMG.
The diagrams provided in this case show a router on 10.0.0.2 and a firewall WAN interface on 10.0.0.1, with notation that the router sends the external IP block to the customer firewall on 10.0.0.1.

I really don't understand enough about this to make an informed decision. I understand proxy-ARP but some cursory reading tells me this doesn't seem to be supported in Forefront TMG.

Option 2 sounds very similar to the present configuration in terms of its IP routing. However, I don't understand how requests on different public IPs are handled if the TMG only has 10.0.0.1 on its public interface. How can TMG differentiate between one public IP and the other?

I would appreciate some starting direction in response to the above questions, and I'm sure I will have other questions. I can upload the diagrams provided by the ISP if required.

Thank you!
Question by:tigermatt
11 Comments
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 500 total points
ID: 36566972
Let's get the basics sorted - both of these are proxy arp approaches but with a different device doing the arp'ing.

Preferred approach generally is to have the whole block passed to the TMG and all of the available addresses are added to the external nic at the OS level. When you publish rules etc then you select which of the addresses will be used with each listener.
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 36566986
"Different public IPs provided by the ISP are mapped to different addresses in 10.0.0.0/22. Those 10.0.0.0/22 addresses are on the TMG's WAN interface and are then routed to our internal LAN ranges by the TMG on 172.16.0.0."

This sounds like a 1-to-1 NAT at the ISP (1 public = 1 private IP).
The corresponding private IPs are *all* addresses on the TMG?  Then the TMG isn't "routing" traffic to your internal LAN, instead the TMG is *also* doing a 1-to-1 NAT (1 private 10.0.0.0/22 = 1 private 172.16.0.0/16).  Does this jibe with your current configuration?

Proxy-ARP should only be considered when routing is not available.  I'd leave it alone (just one man's opinion).

The difference in the routed solution being offered is that there would be *no* 1-to-1 NATs in place - either at the ISP or on your TMG.  The implication is that you would have to re-IP your internal network to hold the various public IPs directly on your hosts (as secondaries, most likely).  You would then configure the TMG firewall rules as normal.  

"How can TMG differentiate between one public IP and the other?"

Answer: it can't - nor does it need to.  It is functioning as a routing firewall, not a NAT firewall, for inbound traffic.  What they aren't showing you (perhaps) is that one of your public IPs would go on the inside interface of the TMG.  This would be the address you'd use for outbound 1-to-many (shared) NAT (PAT, really - but I digress).

Actual diagrams would help.

Disclaimer: I'm not a TMG expert, so I'm not well versed in the limits of the TMG.  I'm just answering this question from a routing perspective.

Hope that helps!
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 36567542
That's not the way TMG works - the publishing rules on the TMG provide the 1-1 NAT using the IPs on the external TMG interface to internal hosts.
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 36567571
So you can't route through the TMG like a traditional firewall?  OK.  Sorry - never mind.
 
LVL 58

Author Comment

by:tigermatt
ID: 36569428
Hi Keith!

Many thanks for that.

I've read up on proxy ARP and now understand more about its uses. Essentially, a box publishes its own MAC address for an IP on another segment, so ARP traffic to that device gets routed via the device doing the arp'ing?

You said the best advice is to go ahead with having the whole block routed to the interface on the TMG. Placing the public IPs on the WAN interface of the TMG was how I always envisioned this being set up. Does this mean we're talking about option 2?

If option 2 is indeed the case, then from a routing perspective, is it something like this:

The LAN interface on the router and the WAN on the TMG have an IP in 10.0.0.0/24, say 10.0.0.1 for TMG and .2 for the router. Public IPs in a given /whatever hit the router and are passed by a static route (as an ARP packet within the network segment) to the IP of the TMG 10.0.0.1? At the TMG, the IPs are also on the WAN interface and then rules and listeners work exactly as they are now, but with the new IPs.

I definitely don't want the IPs to sit inside the network. I know that's not the TMG principle nor do I want to necessarily allocate a particular IP to just one device. The ability to reverse proxy a single IP to several different back-end servers is just invaluable.

Many thanks for your advice.

Matt
 
LVL 58

Author Comment

by:tigermatt
ID: 36569462
So... with option 2, my understanding is the router is doing the arp'ing?

The router ARPs on its WAN interface to the ISP's WAN network to indicate its MAC address should receive ARP traffic for the public IPs present on the TMG.

Once it then hits the router, the static routes take over to pass the traffic to the TMG.

That's my present (possibly incorrect) understanding.

Matt
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 500 total points
ID: 36569667
No, the way it would generally work is that the external router would take ONE of the public IP addresses and use it for both its internal and external NIC IP address - some routers can do it, some cannot. The USABLE public IP addresses would all go on the TMG external interface.

No, absolutely not - TMG is not bridging the internal network on both interfaces; in this case the external router is doing that. The external NIC will hold the usable public address block excepting the router address (which will be TMG's default gateway), and the internal network will be whatever the internal addresses are.

 
LVL 58

Author Comment

by:tigermatt
ID: 36570351

Okay, now I'm confused. I never thought this would be an easy ride. I'm also struggling to find decent resources on the Internet. Any recommendations? WAN routing has never, ever been my forté but there's always a first time at everything!

I've attached a copy of the diagrams the ISP has provided me with.

ISP diagrams
Let me ask a different question (and then try to solve it myself).

In each option, what changes do I need to make to the TMG to make it work? Forgetting the bigger routing picture for a moment, maybe, armed with that information, I will gain a better understanding of exactly how all this is working. Hopefully.

Option 1 - sounds like what you are speaking about in your previous comment (http:#a36569667), and the one I am familiar with from elsewhere. The router is configured with one of the IPs from the allocated public IP block. I put the remainder of the usable public IPs on the WAN interface of the TMG. The TMG WAN interface has its default gateway set to the IP assigned to the router. I create listeners and assign them to the new public IPs in the usual manner. Rules NAT the traffic arriving on each listener to the appropriate back-end servers, all servers remaining on their present IP range with no internal modifications.

Option 2 - Wait. I think I am beginning to understand. Does option 2 make the TMG a plain simple router, as netjgrnaut was explaining previously? I definitely don't want this. That's where they get the 10.0.0.2 and .1 from? The ISP router forwards packets destined for the public IP block by static route to the TMG WAN interface, which is listening on an arbitrary 10.0.0.1. The TMG is then expected to simply route rather than NAT those packets to back-end servers, in which case, the public IPs must physically be configured on those back-end servers?

As I was writing this, that started to make sense, and I hope I am going along the correct lines. With that said and done, I am now relatively sure option 1 is the preferred choice and definitely the one I am used to working with.

Further down the document, there are further details regarding IP blocks. With option 1, a block of 16 becomes 13 (owing to the public IP for the router, broadcast address and subnet IDs). Under option 2, a block of 16 remains a full block of 16 usable IPs - logic which now makes a world of sense to me.

I do hope I've figured this out?

Matt
 
LVL 51

Accepted Solution

by:Keith Alabaster
Keith Alabaster earned 500 total points
ID: 36571685
But it is an easy ride - and yes you are correct. Option 1 gives YOU the control and requires the allocation of network ID, broadcast address and -1 of the usable IP addresses for the router. ALL of the remaining IP addresses would go onto the TMG external NIC (or you could put one on any other edge device that was behind the external router). However, if TMG is the only device behind the external router and you DID put multiple IPs on the external NIC then TMG will be proxy arping the additional addresses.

TMG is NOT a router - it leverages the host operating system to provide that service. Whilst you can add entries via the TMG console, this just drops them into the OS so you can see the results via route print.
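Matt's address arithmetic (http:#a36570351) and Keith's description of option 1 above, modelled as an added example; this is not code from the thread, from the ISP or from TMG. It assumes the layout in the ISP diagrams: in option 1 the router takes the last usable host of the block (192.168.0.6 on a /29) and TMG's external NIC holds the rest; in option 2 a 10.0.0.0/30 transit link with TMG on .1 and the router on .2, with the public block reachable only via the router's static route.

```python
"""Constructed model of the two ISP hand-off options discussed in the thread.

Option 1: the public block sits on the WAN segment itself. The router takes
one usable address, network ID and broadcast are consumed, and every other
address is configured on TMG's external NIC, which therefore answers ARP for
each of them (Keith's "proxy arping the additional addresses").
Option 2: the router statically routes the block to TMG's transit address, so
all block addresses stay usable, but TMG answers ARP only for the transit IP;
the public IPs must then live on hosts further inside (routed, not NATed).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Plan:
    option: str
    router_ip: str                  # router address on the segment TMG's WAN faces
    tmg_external_ips: List[str]     # addresses configured on TMG's external NIC
    listener_ips: List[str]         # public IPs available for publishing listeners
    arp_answered_by_tmg: Set[str]   # "who-has" queries TMG will reply to


def option1_plan(block: str) -> Plan:
    net = ipaddress.ip_network(block, strict=True)
    hosts = list(net.hosts())            # excludes network ID and broadcast
    router = hosts[-1]                   # as in the ISP diagram (x.x.x.6 on a /29)
    tmg = [str(h) for h in hosts[:-1]]   # the remainder go on TMG's external NIC
    return Plan("option1", str(router), tmg, tmg, set(tmg))


def option2_plan(block: str, transit: str = "10.0.0.0/30") -> Plan:
    net = ipaddress.ip_network(block, strict=True)
    tmg_ip, router_ip = (str(h) for h in ipaddress.ip_network(transit).hosts())
    # Whole block stays usable: none of it is burned on the transit segment.
    return Plan("option2", router_ip, [tmg_ip], [str(a) for a in net], {tmg_ip})


def who_answers_arp(plan: Plan, target_ip: str) -> str:
    """Which device on the WAN segment replies to 'who-has target_ip'?"""
    if target_ip == plan.router_ip:
        return "router"
    if target_ip in plan.arp_answered_by_tmg:
        return "tmg"
    return "nobody"  # option 2: public IPs are reached via the static route, not ARP


if __name__ == "__main__":
    for plan in (option1_plan("192.168.0.0/29"), option2_plan("192.168.0.0/29")):
        first = plan.listener_ips[0]
        print(plan.option, "router", plan.router_ip, "listeners:", len(plan.listener_ips))
        print("  ARP for", first, "is answered by", who_answers_arp(plan, first))
```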
 
LVL 58

Author Closing Comment

by:tigermatt
ID: 36572528
Keith, I was in difficulty over this yesterday. With your assistance I now fully understand each of these options and how they apply to my environment, and I am happy to go ahead and send the documentation with option 1 selected. I don't tend to ask questions, but when I do it is generally because I am outside my comfort zone. This is one of the best solutions I have received here at EE. Words cannot explain how much I appreciate your help! Many thanks.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 36572609
Always welcome
