ARP Request Being Ignored

(IPs obfuscated)

Hi all, I receive Internet traffic from a managed upstream router over which I have no control. It is a managed service office and the router sends traffic to a number of customers – me being one of them. This upstream router actually has 2 public ranges 217.1.2.80/28 and 109.3.4.64/27 allocated to it. These public ranges are attached to one interface on the upstream router, so I'm told. I find this a little odd, but there you go – I have no access to it to check the real config of the upstream, unfortunately.

I have been allocated a small chunk of this 109 range (.88 to .95) and of course I use 109.3.4.65 as the default gateway. This works – has done for years. Now, here's the problem…

I have a small Juniper SRX 100H cluster to protect me from the rest of the traffic in the serviced office. The one and only IP on the Juniper is 109.3.4.92. I have static NATs working perfectly behind this IP. I need to add some new static NATs to the SRX but I must use a different IP from my range for that: 109.3.4.88. I follow this document: https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf (essentially create the NAT entries and policies and then use Proxy ARP to ensure that the SRX responds to ARPs from the managed service upstream router). All very sensible. The problem is, the SRX does not respond to the ARP requests to this new .88 address – it works perfectly for the original .92 address.

So, I did a monitor traffic on it, and to my surprise, saw this:

18:17:22.841630  In arp who-has 109.3.4.88 tell 217.1.2.81

18:17:22.841885  In arp who-has 109.3.4.88 tell 217.1.2.81

18:17:26.343723  In arp who-has 109.3.4.88 tell 217.1.2.81

What I had expected was something like this:

18:17:22.841630  In arp who-has 109.3.4.88 tell 109.3.4.65

  1. Is it "legal" for a router to request "who has" from SubnetA with "tell" from SubnetB? (I read the RFC which didn't seem to prohibit it, but I did skim it :) )
  2. If so, should I expect the SRX to actually respond?
  3. Is there any way of forcing the SRX to respond to these ARP Requests (even if it's not "legal")?

I'm in one of those awkward situations where I can say that the upstream router isn't configured correctly (or maybe it is) but it'll fall on deaf ears, and moving buildings just isn't an option!

TIA
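
The mismatch in the capture above can be checked mechanically. This is an added example, not part of the original post: it parses `monitor traffic`-style ARP lines and flags inbound requests whose "tell" address lies outside the on-link prefix. The prefix 109.3.4.64/27 for the SRX interface is an assumption taken from the range quoted in the post, and the sample capture is constructed from the post's lines.

```python
import ipaddress
import re

# Constructed sample: the three capture lines from the post plus the line the
# poster expected to see (addresses are the post's obfuscated ones).
CAPTURE = """\
18:17:22.841630  In arp who-has 109.3.4.88 tell 217.1.2.81
18:17:22.841885  In arp who-has 109.3.4.88 tell 217.1.2.81
18:17:26.343723  In arp who-has 109.3.4.88 tell 217.1.2.81
18:17:22.841630  In arp who-has 109.3.4.88 tell 109.3.4.65
"""

ARP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<dir>In|Out)\s+arp who-has "
    r"(?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<sender>\d+\.\d+\.\d+\.\d+)\s*$"
)

def parse_arp_requests(text):
    """Yield (timestamp, direction, target_ip, sender_ip) per ARP request line."""
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            yield (m["ts"], m["dir"],
                   ipaddress.ip_address(m["target"]),
                   ipaddress.ip_address(m["sender"]))

def off_subnet_requests(text, on_link):
    """Return inbound requests whose sender IP is outside the on-link prefix."""
    net = ipaddress.ip_network(on_link)
    return [(ts, str(target), str(sender))
            for ts, direction, target, sender in parse_arp_requests(text)
            if direction == "In" and target in net and sender not in net]

def summarize(text, on_link):
    """Count off-subnet requests per (sender, target) pair."""
    counts = {}
    for _, target, sender in off_subnet_requests(text, on_link):
        counts[(sender, target)] = counts.get((sender, target), 0) + 1
    return counts

if __name__ == "__main__":
    # Assumption: the SRX interface sits in 109.3.4.64/27, the range in the post.
    for (sender, target), n in summarize(CAPTURE, "109.3.4.64/27").items():
        print(f"{n} request(s) for {target} from off-subnet sender {sender}")
```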
