D-Link NetDefend DFL-210 User Manual page 168

Network security firewall
4.7.1. Overview
the D-Link Firewall is placed into a network for the first time, or if network topology changes, the
routing configuration must therefore be checked and adjusted to ensure that the routing table is
consistent with the new layout. Reconfiguration of IP settings may be required for pre-existing
routers and protected servers. This works well when comprehensive control over routing is desired.
With switch routes, the D-Link Firewall operates in Transparent Mode and resembles an OSI Layer
2 Switch: it screens IP packets and forwards them transparently to the correct interface without
modifying any of the source or destination information at the IP or Ethernet levels. NetDefendOS
does this by keeping track of the MAC addresses of the connected hosts, which allows the
physical Ethernet networks on either side of the D-Link Firewall to act as though they were a single
logical IP network. (See Appendix D, The OSI Framework for an overview of the OSI layer model.)
Two benefits of Transparent Mode over conventional routing are:
- A user can move from one interface to another in a "plug-n-play" fashion, without changing
their IP address (assuming their IP address is fixed). The user can still obtain the same services
as before (for example HTTP, FTP) without any need to change routes.
- The same network address range can exist on several interfaces.
How Transparent Mode Works
In Transparent Mode, NetDefendOS allows ARP transactions to pass through the D-Link Firewall,
and determines from this ARP traffic the relationship between IP addresses, physical addresses and
interfaces. NetDefendOS remembers this address information in order to relay IP packets to the
correct receiver. During the ARP transactions, neither of the endpoints will be aware of the D-Link
Firewall.
When beginning communication, a host will locate the target host's physical address by
broadcasting an ARP request. This request is intercepted by NetDefendOS and it sets up an internal
ARP Transaction State entry and broadcasts the ARP request to all the other switch-route interfaces
except the interface the ARP request was received on. If NetDefendOS receives an ARP reply from
the destination within a configurable timeout period, it will relay the reply back to the sender of the
request, using the information previously stored in the ARP Transaction State entry.
During the ARP transaction, NetDefendOS learns the source address information for both ends from
the request and reply. NetDefendOS maintains two tables to store this information: the Content
Addressable Memory (CAM) and Layer 3 Cache. The CAM table tracks the MAC addresses
available on a given interface and the Layer 3 cache maps an IP address to MAC address and
interface. As the Layer 3 Cache is only used for IP traffic, Layer 3 Cache entries are stored as single
host entries in the routing table.
For each IP packet that passes through the D-Link Firewall, a route lookup for the destination is
done. If the route of the packet matches a Switch Route or a Layer 3 Cache entry in the routing
table, NetDefendOS knows that it should handle this packet in a transparent manner. If a destination
interface and MAC address are available in the route, NetDefendOS has the necessary information to
forward the packet to the destination. If the route was a Switch Route, no specific information about
the destination is available and the firewall will have to discover where the destination is located in
the network.
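The ARP transaction state, CAM table and Layer 3 cache behaviour described above, as an added Python simulation (this is not NetDefendOS code; the interface names, addresses, the 3-second reply timeout and the "route" result for non-switch destinations are constructed assumptions):

```python
"""Simulation of switch-route (Transparent Mode) ARP learning and forwarding.

Added example, not NetDefendOS code. Interface names, MACs, IPs and the
timeout value are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

ARP_TIMEOUT = 3.0  # seconds; assumed value for the configurable reply timeout


@dataclass
class TransparentFirewall:
    switch_net: ipaddress.IPv4Network             # network covered by the switch route
    switch_ifaces: list                           # interfaces the switch route spans
    cam: dict = field(default_factory=dict)       # iface -> set of MACs seen on it
    l3_cache: dict = field(default_factory=dict)  # ip -> (mac, iface): single-host entries
    pending: dict = field(default_factory=dict)   # target ip -> (requester mac, iface, sent_at)

    def _learn(self, iface, mac, ip):
        """Populate both tables from the source addresses of an ARP frame."""
        self.cam.setdefault(iface, set()).add(mac)
        self.l3_cache[ip] = (mac, iface)

    def arp_request(self, iface, src_mac, src_ip, target_ip, now):
        """Intercept a request, record transaction state, return interfaces flooded to."""
        self._learn(iface, src_mac, src_ip)
        self.pending[target_ip] = (src_mac, iface, now)
        return [i for i in self.switch_ifaces if i != iface]

    def arp_reply(self, iface, src_mac, src_ip, now):
        """Relay a reply: returns (iface, requester mac), or None if no live state exists."""
        state = self.pending.pop(src_ip, None)
        if state is None or now - state[2] > ARP_TIMEOUT:
            return None  # no (or expired) transaction state: reply is not relayed
        self._learn(iface, src_mac, src_ip)
        return state[1], state[0]

    def route_lookup(self, dst_ip):
        """Layer 3 cache hit -> forward; switch route hit -> discover; else normal routing."""
        if dst_ip in self.l3_cache:
            mac, iface = self.l3_cache[dst_ip]
            return ("forward", iface, mac)
        if ipaddress.ip_address(dst_ip) in self.switch_net:
            return ("discover", None, None)
        return ("route", None, None)
```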
Discovery is done by NetDefendOS sending out ARP as well as ICMP (ping) requests, acting as the
Note: Transparent and Routing Mode can be combined
Transparent Mode and Routing Mode can operate together on a single D-Link
Firewall. Switch Routes can be defined alongside standard non-switch routes although
the two types cannot be combined for the same interface. An interface operates in one
mode or the other.
It is also possible to create a hybrid case by applying address translation on otherwise
transparent traffic.
Chapter 4. Routing
