Overview
The CoIP Gateway Proxy, also known as an Edge Gateway, bridges a standard physical network to the CoIP overlay. When a Gateway Proxy receives a packet from the physical network that is destined for a remote host, it first checks with the zCenter Controller to determine if the packet conforms with existing policies. If the packet should be allowed, the zCenter Controller orchestrates tunnel setup between the Gateway Proxy, any inline ZNS Network Switches, and the destination Gateway or Endpoint Proxy, allowing traffic to flow.
The Gateway Proxy uses the Linux IP stack to receive packets on the physical interface, perform NAT, and send them out over the CoIP overlay virtual interface. This requires the Linux kernel IP Forwarding feature to be enabled. IP Forwarding in a Gateway Proxy is secured by:
IP source and destination checks
Layer 4 port, protocol and direction-based filters
No persistent tunnels (set up on demand only after passing zCenter policy check)
Verifying the IP Forwarding Setting in Linux
You can check whether IP Forwarding is enabled on a Gateway Proxy with the following command:
cat /proc/sys/net/ipv4/ip_forward
A 0 indicates that IP Forwarding is disabled in the Linux kernel; a 1 indicates that IP Forwarding is properly enabled.
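The check above can be scripted for routine audits. The following is an added example, not part of the CoIP product or its documentation. It goes one step beyond the single command by also reading the standard Linux per-interface flags under /proc/sys/net/ipv4/conf/, since an interface whose own forwarding flag is 0 does not forward packets it receives even when the global flag is 1. The function name, the optional proc-root argument and the RUN_CHECK variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit IPv4 forwarding state on a Gateway Proxy host.
# The optional first argument (hypothetical) points at an alternative
# proc root so the check can be exercised against a constructed tree.
# Return codes: 0 = enabled, 1 = disabled somewhere, 2 = cannot determine.

check_ip_forward() {
    proc_root="${1:-/proc}"
    global="$proc_root/sys/net/ipv4/ip_forward"

    if [ ! -r "$global" ]; then
        echo "ERROR: cannot read $global" >&2
        return 2
    fi

    value=$(tr -d '[:space:]' < "$global")
    case "$value" in
        1) ;;
        0) echo "FAIL: ip_forward is 0 (IP Forwarding disabled)"; return 1 ;;
        *) echo "ERROR: unexpected value '$value' in $global" >&2; return 2 ;;
    esac

    # Global flag is 1; look for interfaces whose own flag was cleared later.
    status=0
    for f in "$proc_root"/sys/net/ipv4/conf/*/forwarding; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are templates, not real interfaces.
        case "$iface" in all|default) continue ;; esac
        if [ "$(tr -d '[:space:]' < "$f")" != "1" ]; then
            echo "FAIL: forwarding disabled on interface $iface"
            status=1
        fi
    done

    [ "$status" -eq 0 ] && echo "OK: IPv4 forwarding enabled"
    return "$status"
}

# Run against the live /proc only when asked: RUN_CHECK=1 sh thisfile.sh
# (RUN_CHECK is a hypothetical switch for this example.)
if [ "${RUN_CHECK:-0}" = "1" ]; then
    check_ip_forward
fi
```

This script only inspects the guest VM; the cloud provider controls described in the next section are checked separately.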
Configuring IP Forwarding
Normally, the administrator does not need to manage IP Forwarding on a Gateway Proxy, as the Gateway Proxy automatically enables this setting.
Some cloud providers enable separate console-based controls over the IP Forwarding behavior, and in some cases those controls can override the functionality set in the guest VM. You should verify that the Gateway Proxy has been configured to enable IP Forwarding.
AWS
Ensure that Source/Destination Checks are disabled.
Microsoft Azure
Azure IP forwarding is configured at the network interface level. Follow Azure instructions to ensure that IP forwarding is enabled in the Azure console.
Google Cloud Platform
By default, GCP performs strict source/destination checks for all instances. This setting takes priority over the guest VM IP Forwarding setting; both must be enabled for proper functionality.
NOTE: The GCP source/destination check setting cannot be changed once the instance has been created.
Follow GCP instructions to configure and disable the source/destination IP check.