Level 9

eth0 and eth1 and DG question:-)

Hi all,

Am a little confused and any help greatly appreciated!

I have a virtual MWG in Proxy mode with two NICs, both on the same IP range and VLAN.

eth 0:

eth 1:

with a DG of

I want to have all inbound proxy traffic come into eth0 and, if allowed, exit (to another next hop proxy) via eth1.

So..I have set the proxy listener to be bound to eth0 only on port 8080.

When I connect via a browser (  to eth0 I get passed to the next hop proxy as expected, BUT the traffic leaves the MWG from eth 0 (, not eth 1 ( as the next hop proxy..

Is it possible to achieve what I want with this config or have I missed something?..i.e. force all traffic leaving to the next hop proxy to use eth1.

Does eth0 have to be the interface used for a next hop proxy (internet facing)?


5 Replies
Level 15

Re: eth0 and eth1 and DG question:-)

I don't know if this will work on Next-Hop traffic, but you can try. It definitely works on the routed traffic.

Try using the Enable outbound Source IP Override event:


You can also just switch the IP addresses on eth0 and eth1. It will go out the lowest numbered NIC (eth0) by default.

Level 9

Re: eth0 and eth1 and DG question:-)

Thanks Eric...thought that was going to be the case, so have swapped IPs over on the NICs as expected.

Thanks again:-)

0 Kudos
Level 14

Re: eth0 and eth1 and DG question:-)

MWG is just an awesome product! :-)

0 Kudos
Level 11

Re: eth0 and eth1 and DG question:-)

I don't think this will work 100% the way you expect it to. By default the Linux kernel (MWG is based on a customised Linux distribution) can respond to ARP requests on any network interface. So, if you have IP on eth0 and on eth1 and the router ARP's for eth0 can and likely will respond. This means that traffic for will flow through eth0 and not eth1 as you might expect.

You can change this behaviour, though I'm not sure if McAfee support this or not. (you can find a bit more info here: and search for arp_filter  on that page)

An alternative way of doing it is to connect each network interface to a different network. In MWG, you would have eth0 on, for example, and eth1 on you then configure static routing for to cover your internal networks and have them route out eth0 and then set a default route for eth1 which will route all traffic to the internet.

In your case, as you are chaining to an upstream proxy, you might want to have a static route for eth1 sending all traffic to the upstream proxy that way and a default on eth0.

Either way, if you need to ensure 1 interface is ingress and 1 is egress for traffic accountancy then you might want to look into this a bit more.


0 Kudos
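
The ARP behaviour described in the reply above can be read from the kernel's ARP sysctls on a generic Linux host. This is an added example, not part of the thread and not McAfee tooling: the function names are hypothetical, the conf root is a parameter (on a live host it is /proc/sys/net/ipv4/conf), and whether MWG supports changing these settings is not confirmed here.

```shell
#!/bin/sh
# Classify how each of two NICs on one subnet answers ARP requests.

# Read one sysctl file; a missing file is treated as 0 (the kernel default).
read_knob() {
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

# Effective value = max(all, interface). The kernel uses the maximum for
# arp_ignore; for the boolean arp_filter this equals "either one is set".
effective() {  # effective <conf_root> <iface> <knob>
    a=$(read_knob "$1/all/$3")
    i=$(read_knob "$1/$2/$3")
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# interface-bound: arp_ignore 1 or 2, reply only for addresses configured
#                  on the interface the request arrived on
# route-based:     arp_filter set, reply depends on the route back to the
#                  sender (kernel docs: needs source-based routing to help)
# any-interface:   default, any NIC may answer for any local address
arp_mode() {  # arp_mode <conf_root> <iface>
    ignore=$(effective "$1" "$2" arp_ignore)
    filter=$(effective "$1" "$2" arp_filter)
    case "$ignore" in
        1|2) echo interface-bound; return 0 ;;
    esac
    if [ "$filter" -ge 1 ]; then echo route-based; else echo any-interface; fi
}

# Print the mode of both NICs; status 1 if either can answer for the other.
check_pair() {  # check_pair <conf_root> <ifA> <ifB>
    rc=0
    for ifc in "$2" "$3"; do
        m=$(arp_mode "$1" "$ifc")
        echo "$ifc: $m"
        if [ "$m" = any-interface ]; then rc=1; fi
    done
    return $rc
}

# Live use: sh script.sh eth0 eth1
if [ "$#" -eq 2 ]; then check_pair /proc/sys/net/ipv4/conf "$1" "$2"; fi
```

A result of any-interface on either NIC means per-interface traffic accounting cannot be trusted, because the peer may have learned the other NIC's MAC address for that IP.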
Level 9

Re: eth0 and eth1 and DG question:-)

Thanks for the response, but as per Eric's suggestion and my response my configuration now works.

eth0 is now outbound for all traffic, and eth1 is inbound.

Thanks again.