
Transparent Firewall


This document explains the concept of a transparent firewall and provides the configuration required to set up the ENPAQ as a transparent firewall.

Introducing a firewall into a network usually involves changing the network IP addresses, reconfiguring the client machines to point to the correct network gateway, and so on.

A transparent firewall configuration is useful when such a network reconfiguration is not possible, or when only a gateway Anti-Virus/Anti-Spam or Web Proxy is required. In such a situation the firewall should support features like Proxy ARP, disabling of NAT functions, policy control over packet forwarding and the ability to firewall connections between its interfaces.

Proxy ARP is the technique in which one host, usually a firewall, answers ARP requests intended for another machine. By assuming that machine's identity at the link layer, the firewall accepts responsibility for forwarding packets to the "real" destination. Proxy ARP lets machines on a subnet reach remote subnets without the need to configure routing or a default gateway.



The ENPAQ Unified Gateway supports these functions and can serve as a transparent firewall, with minimal effort.

Scenario 1 Transparent firewall for entire LAN

In this scenario, the ENPAQ is used as a transparent firewall for an entire subnet; this is equivalent to globally enabling Proxy ARP on the physical interface.

This scenario is typically seen in a large MPLS network where a firewall is needed at each location to restrict usage of the MPLS network. For example, in a non-firewalled MPLS network the chance of a virus outbreak spreading across the organization is very high. When such a firewall is introduced, changing the IP addresses of the LAN would require a global change of routing rules across the network, which no network administrator could reasonably be convinced to accept.

With the setup shown in the figure above, there are just three steps involved in this configuration:



- Enable Proxy ARP on the WAN interface
- Disable NAT on the WAN interface
- Enable a firewall policy to accept connections from WAN to LAN

For example, assume that the Leased Line (LL) router's LAN-side interface IP address is and that the LAN hosts are in the subnet. The LAN hosts use the LL router as their gateway.

The LAN interface on the ENPAQ is configured with a free IP address in the subnet. Since this is a transparent setup, the WAN interface on the ENPAQ has the same IP address, but with a different mask.

On the WAN interface of the ENPAQ, Proxy ARP is enabled. This enables the ENPAQ to respond to ARP requests from the WAN side and proxy them for the LAN clients. When the LAN hosts perform an ARP request for their gateway's MAC address (the LL router), the ENPAQ acts as a proxy for this address.



Additionally, in the setup for the WAN interface, address translation (NAT) has to be turned off.



The firewall policy has to be set up to accept connections from the WAN to the LAN. This completes the setup for the transparent firewall.

Turn on Proxy ARP on the LAN interface, as shown below.
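As an added example (not ENPAQ code), a small Python model of the Scenario 1 addressing and of the decisions a transparent firewall makes: the same address on both interfaces with different masks, the proxy ARP reply rule, and forwarding with NAT disabled versus enabled. All addresses are constructed from the 192.0.2.0/24 documentation range and the proxy ARP reply rule is the Linux-style one, both assumptions since the page gives neither.

```python
# Added example, not ENPAQ code. Models the transparent-firewall decisions
# described above on a constructed topology (192.0.2.0/24 documentation range).
from ipaddress import ip_address, ip_interface

# Constructed topology: the LL router (LAN hosts' gateway) is 192.0.2.1.
# The firewall uses the SAME address on both interfaces with different masks:
# a /30 on WAN (covers only the router side) and the full /24 on LAN.
INTERFACES = {
    "wan": ip_interface("192.0.2.2/30"),
    "lan": ip_interface("192.0.2.2/24"),
}
PROXY_ARP = {"wan": True, "lan": True}
NAT = {"wan": False}                               # transparent mode: NAT off on WAN
POLICY_ALLOW = {("wan", "lan"), ("lan", "wan")}    # forwarding policy, both directions


def egress_interface(dst):
    """Longest-prefix match over the connected networks (no default route modelled)."""
    dst = ip_address(dst)
    matches = [(i.network.prefixlen, name) for name, i in INTERFACES.items()
               if dst in i.network]
    return max(matches)[1] if matches else None


def answers_arp(ingress, target):
    """Proxy ARP rule (assumed, Linux-style): reply on `ingress` for `target`
    only when proxy ARP is enabled there and the target is reached via ANOTHER
    interface. Hosts on the same segment still resolve each other directly."""
    if not PROXY_ARP.get(ingress):
        return False
    out = egress_interface(target)
    return out is not None and out != ingress


def forward(ingress, src, dst, nat=NAT):
    """Return the (src, dst) pair as it leaves the firewall, or None if dropped.
    With NAT off on WAN the addresses are untouched, which is what keeps the
    firewall transparent to both the LL router and the LAN hosts."""
    egress = egress_interface(dst)
    if egress is None or (ingress, egress) not in POLICY_ALLOW:
        return None
    if nat.get(egress):
        src = str(INTERFACES[egress].ip)   # masquerading would rewrite the source
    return src, dst
```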



Scenario 2 Transparent firewall for specific hosts

In this scenario, a bunch of hosts in the LAN (for example, servers that are part of a public IP subnet assigned by the ISP) are configured with public IP addresses, and the ENPAQ acts as a transparent firewall for these specific hosts, preventing unauthorised access and break-ins. Very often the LL router is the gateway for the entire network and only these hosts need to participate in the transparent firewall; the ENPAQ can firewall connections between the WAN link and these hosts using the transparent firewall function. In this setup the ENPAQ cannot perform load balancing or failover for these hosts, but QoS, web proxy, email proxy and packet filtering functions can be utilised. An interesting use of this setup is that the public IP addresses are configured as IP aliases on the WAN interface of the ENPAQ, and Proxy ARP needs to be turned on for these addresses.



For this scenario, a server in the LAN is configured with one of the public IP addresses and is required to be accessed directly from the Internet. Also, the outgoing connections from this server should not be NAT-ed. For enabling this, the ENPAQ has support for Proxy ARP for specific hosts in the firewall.

Finally, NAT for outgoing connections from this server has to be disabled.

Conclusion

The ENPAQ supports advanced networking functions that can be useful for different kinds of network design and setup. The Elina network engineering team is available to assist partners and customers with ENPAQ setup.