I have a doubt about what the product guide states: "For traffic to pass through your firewall, it must arrive on an interface and leave on a different interface" (page 29, planning). My need is to route from one internal network to another remote WAN network through an internal router:
192.168.10.x(Internal LAN Subnet)>192.168.10.13 (Internal firewall IP)>192.168.10.5 (router to remote network)>192.168.12.x (remote network)
But all of that routing is on the same interface, with a static route declared and also an ACL to permit traffic between both subnets.
Are you having problems getting it to work or are you just pointing out an error in the documentation? I believe your scenario should work without any problems and will let our Technical Publications team know about the error. Please post here if you are having problems getting it to work and provide some more details.
What you're doing is called intraburb packet forwarding. I have attached a knowledgebase article on how to enable this for version 7.
If you're using version 8, the first step is no longer in the GUI. In version 8 you have to run this command to enable intrazone packet forwarding:
$> cf agent modify name='TCP/UDP Packet Filter' intrazone_forwarding=yes
Then all you need are ACL rules (which you already have).
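To make the decision described in this answer concrete, here is an added model (my own illustration, not the firewall's code) of how a packet that arrives and leaves on the same interface is handled: it is dropped unless intrazone forwarding is enabled, and even then it still needs a matching ACL rule. The routes, zone names and ACL below are constructed from the addresses in this thread.

```python
import ipaddress

# Constructed routing table: (prefix, next hop or None if directly connected, exit zone).
# 192.168.12.0/24 is reached via the internal router 192.168.10.5, so its exit
# zone is the same "internal" zone the packet arrived on.
ROUTES = [
    ("192.168.10.0/24", None, "internal"),
    ("192.168.12.0/24", "192.168.10.5", "internal"),
]

# Constructed ACL, equivalent to the "Internal to Internal, any application" rule.
ACL = [
    {"src_zone": "internal", "dst_zone": "internal", "action": "allow"},
]


def lookup(addr, routes=ROUTES):
    """Longest-prefix match; returns (network, gateway, zone) or None."""
    best = None
    ip = ipaddress.ip_address(addr)
    for prefix, gw, zone in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, zone)
    return best


def decide(src, dst, intrazone_forwarding, routes=ROUTES, acl=ACL):
    """Return the forwarding verdict for a packet from src to dst."""
    ingress = lookup(src, routes)
    egress = lookup(dst, routes)
    if ingress is None or egress is None:
        return "drop: no route"
    _, gw, egress_zone = egress
    ingress_zone = ingress[2]
    # The documented default: traffic must leave on a different interface/zone.
    if ingress_zone == egress_zone and not intrazone_forwarding:
        return "drop: intrazone forwarding disabled"
    # With forwarding allowed, the ACL still decides (default deny).
    for rule in acl:
        if rule["src_zone"] == ingress_zone and rule["dst_zone"] == egress_zone:
            return f"{rule['action']} via {gw or 'direct'}"
    return "drop: no ACL match"


if __name__ == "__main__":
    print(decide("192.168.10.20", "192.168.12.7", intrazone_forwarding=False))
    print(decide("192.168.10.20", "192.168.12.7", intrazone_forwarding=True))
```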
That's exactly what I'm searching for! The documentation for v8 is very weak. One question: why is that configuration disabled? Does some note exist about that configuration? Let me try that configuration and I'll post my results ASAP.
I made your suggested changes and the problem was solved; now I can forward packets through the same interface. The question is: why is it disabled by default?
It's probably disabled by default because there are very few situations where you would want to bounce traffic off a firewall's interface (as you're doing). You should have routers in-between disparate subnets, not a firewall's single interface. But, there are a few situations like this one where you want to bounce off an interface.
I've already filed an enhancement to have this added to the GUI (where it used to be prior to v8). It will not be on by default though.
Message was edited by: sliedl on 9/23/10 10:56:40 AM CDT
Does this intraburb packet forwarding work for the services which are proxies too (for example, the ping proxy), or just for the services which are packet filters?
The proxies do this by default. There is no setting you need to change to be able to bounce packets off a firewall's proxy.
I have the same situation here. I used the command you showed with an ACL saying Internal to Internal, ANY application, and now I can ping the hosts between the subnets, but I cannot access other services, like Windows sharing or a web server. Any suggestions?