Transparency in IPv4 and IPv6 networks (10.x)

Peter
Posts: 611
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik


Post by Peter » 18 Oct 2011, 10:02

This How-to applies to:
  • Clavister Security Gateway version 9.30+, 10.x.
Description:

This How-To describes how you can configure a Security Gateway (SGW) to use transparent mode for both IPv4 and IPv6 networks at the same time. In this example we want to enable transparent mode between two interfaces, if1 and if2.

Transparent mode setup for IPv4:

1. First we create an interface group containing if1 and if2.
[Screenshot: 1_InterfaceGroup.png]
2. Then we create a switch route that uses the interface group as its interface for the networks in question.
[Screenshot: 2_SwitchRoute.png]
Now the switch route setup for IPv4 is complete.

Transparent mode setup for IPv6:

Now for IPv6. Since switch routes cannot be created for IPv6 (in versions 9.30 and 10.x), we have to solve it using ProxyND (Neighbor Discovery) instead.

Below is a screenshot showing an example of how this is configured. We still use if1 and if2 for this scenario, so this is the equivalent of the IPv4 switch route.
[Screenshot: 3_RoutingTable.png]
Please note that it is important to ProxyND all networks that are routed on if2 on if1, and vice versa (except the all-nets route). This is needed for the SGW to correctly reply to ARP queries from hosts on both if1 and if2 and to route the traffic correctly (red circle in the picture).

Note: This scenario is very basic. If you want to use a transparent mode setup in conjunction with WCF, AV or IDP, it will not work in its current state for IPv4, because connections initiated from the Core will not know where to send the traffic. Exceptions to the switch route must be made so that the Core knows where the update servers are located (e.g. single-host non-switch routes pointing to the correct interface and gateway for each required host). The same applies to DNS, time sync and similar functions.

For IPv6 (or IPv4) setups that use ProxyND (or ProxyARP) to achieve transparency this is not a problem, as the all-nets route with its corresponding gateway is defined.
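The two rules above (every network routed on if2 must be proxied on if1 and vice versa, all-nets excluded; and Core-initiated traffic needs a non-switch route of its own) are easy to get wrong when a routing table grows. The script below is an added example, not Clavister code or CLI syntax: it models a routing table as plain Python objects and checks both rules. Only the interface names if1 and if2 come from the How-to; the networks, gateways, the interface-group name and the host address are constructed for illustration.

```python
"""Consistency checks for a transparent-mode routing table (added example).

Models the rule that every network routed on one of the two transparent
interfaces must be proxied (ProxyND for IPv6, ProxyARP for IPv4) on the
other, with the all-nets route excluded, and the note that traffic the
Core originates itself needs an explicit route.  All values are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
import ipaddress


@dataclass(frozen=True)
class Route:
    """One routing-table entry, as modelled for this check."""
    interface: str
    network: str                              # CIDR; 0.0.0.0/0 or ::/0 stand for all-nets
    gateway: Optional[str] = None
    proxy_on: FrozenSet[str] = frozenset()    # interfaces on which this network is ProxyND/ProxyARP'd
    switch_route: bool = False                # IPv4 switch route over an interface group


def is_all_nets(network: str) -> bool:
    """True for the default route (the all-nets object), which must never be proxied."""
    return ipaddress.ip_network(network, strict=False).prefixlen == 0


def missing_proxy_entries(routes: List[Route], if_a: str, if_b: str):
    """Networks routed on if_a that are not proxied on if_b, and vice versa.

    Returns sorted (network, interface_missing_the_proxy_entry) tuples; an
    empty list means the table satisfies the rule from the How-to.
    """
    peer = {if_a: if_b, if_b: if_a}
    missing = []
    for r in routes:
        if r.interface not in peer or r.switch_route or is_all_nets(r.network):
            continue
        if peer[r.interface] not in r.proxy_on:
            missing.append((r.network, peer[r.interface]))
    return sorted(missing)


def core_route_for(routes: List[Route], host: str) -> Optional[Route]:
    """Most specific route the Core itself can use to reach `host`, or None.

    A switch route only forwards frames between the grouped interfaces; it
    does not tell the Core where to send connections it originates (DNS,
    time sync, WCF/AV/IDP updates), so switch routes are skipped here.
    """
    addr = ipaddress.ip_address(host)
    best: Optional[Route] = None
    best_len = -1
    for r in routes:
        if r.switch_route:
            continue
        net = ipaddress.ip_network(r.network, strict=False)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


# Constructed IPv6 table for if1/if2: one ProxyND entry is deliberately missing.
IPV6_ROUTES = [
    Route("if1", "2001:db8:1::/64", proxy_on=frozenset({"if2"})),
    Route("if2", "2001:db8:2::/64", proxy_on=frozenset({"if1"})),
    Route("if2", "2001:db8:3::/64"),                   # not proxied on if1 -> flagged
    Route("if1", "::/0", gateway="2001:db8:1::1"),     # all-nets with gateway, never proxied
]

# Constructed IPv4 table: a single switch route and nothing the Core can use.
IPV4_ROUTES = [
    Route("ifgrp_if1_if2", "10.1.0.0/16", switch_route=True),
]
# The exception the note calls for: a single-host route for an update/DNS server.
UPDATE_SERVER_ROUTE = Route("if1", "10.1.5.53/32", gateway="10.1.0.1")


if __name__ == "__main__":
    for net, iface in missing_proxy_entries(IPV6_ROUTES, "if1", "if2"):
        print(f"ProxyND missing: route {net} must also be proxied on {iface}")
    for table in (IPV4_ROUTES, IPV4_ROUTES + [UPDATE_SERVER_ROUTE]):
        r = core_route_for(table, "10.1.5.53")
        print("Core reaches 10.1.5.53 via",
              f"{r.interface} / gateway {r.gateway}" if r else "nothing: add a host route")
```

Run against the constructed tables, the first check reports that 2001:db8:3::/64 still needs a ProxyND entry on if1, and the second shows that the Core has no usable route to 10.1.5.53 until the single-host route is added, which is exactly the situation the note describes for WCF, AV and IDP updates.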
