This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.
MAC spoofing is a key part of setting up an effective Failover pair, also called a High Availability (HA) pair, of Smoothwall On-Premise Appliances.
Understand the role of MAC addresses
Every device has a unique Media Access Control (MAC) address, which identifies the physical hardware. When a device joins a network, the network gives the device an IP address, which tells the network where to send traffic.
Network switches use the Address Resolution Protocol (ARP) to map IP addresses to MAC addresses. The ARP cache tells the switch where (which physical port) to send packets destined for each IP address.
Each interface on a Smoothwall On-Premise Appliance has both a MAC and an IP address. You can see these from Network > Configuration > Interfaces.
How MAC Spoofing prevents service disruptions
If the Main Appliance fails, the Failover Appliance comes up and issues a Gratuitous ARP broadcast to inform all connected services of the new MAC address associated with the IP address that the Main Appliance previously used. This means traffic is sent to and through the Failover Appliance, ensuring service continues.
If services don’t receive or recognise the broadcast, ARP poisoning can occur. Traffic continues to be sent to the Main Appliance instead of the Failover, causing service issues.
MAC spoofing prevents this problem.
Instead of broadcasting its own MAC address, the Failover Appliance broadcasts and assumes the Main Appliance’s MAC address. This allows services to continue using their ARP cache without needing to update it.
Set up MAC Spoofing for Failover setups
- Sign in to your Main Appliance.
- Go to Network > Configuration > Interfaces.
- Copy the MAC address for each interface, except for the Heartbeat interface.
- Sign in to your Failover Appliance on port 440 instead of port 441, for example: https://smoothwall.domain.local:440
Note
Ensure the Main Appliance has a Smoothwall access rule to accept traffic for the Heartbeat admin on HTTPS (440) service.
- Go to Network > Configuration > Interfaces.
- Edit each interface (except the Heartbeat interface) and enter the corresponding MAC address from the Main Appliance into the MAC Spoofing box.
Important
Set up MAC Spoofing on all Bonding, VLAN or Bridge LAN and WAN interfaces, to prevent future issues when using previously unused interfaces. Don’t use MAC Spoofing on the Heartbeat interface.
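To confirm the setup during a failover test, you can compare ARP snapshots taken on a Linux monitoring host before and after the Failover Appliance takes over. The following is an added example, not Smoothwall code: it assumes the snapshots are saved output of `ip neigh show`, and the function names, IP addresses and MAC addresses are constructed for illustration.

```python
import re

# Matches lines of `ip neigh show`, for example:
# "192.0.2.1 dev eth0 lladdr 02:00:00:aa:00:01 REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?"
)

def parse_neigh(text):
    """Return {ip: mac} for entries that have a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("mac"):
            table[m.group("ip")] = m.group("mac").lower()
    return table

def check_failover(before, after, appliance_ips):
    """Classify each appliance IP by comparing the two ARP snapshots."""
    old, new = parse_neigh(before), parse_neigh(after)
    result = {}
    for ip in appliance_ips:
        if ip not in old or ip not in new:
            result[ip] = "unresolved"     # no usable entry in one snapshot
        elif old[ip] == new[ip]:
            result[ip] = "mac-preserved"  # Failover answers with the Main's MAC
        else:
            result[ip] = "mac-changed"    # Failover is announcing its own MAC
    return result

# Constructed sample snapshots (documentation IP ranges, made-up MACs).
BEFORE = """\
192.0.2.1 dev eth0 lladdr 02:00:00:aa:00:01 REACHABLE
198.51.100.1 dev eth1 lladdr 02:00:00:aa:00:02 STALE
203.0.113.1 dev eth2 lladdr 02:00:00:aa:00:03 REACHABLE
"""
AFTER = """\
192.0.2.1 dev eth0 lladdr 02:00:00:AA:00:01 REACHABLE
198.51.100.1 dev eth1 lladdr 02:00:00:bb:00:02 REACHABLE
203.0.113.1 dev eth2  FAILED
"""

if __name__ == "__main__":
    ips = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
    for ip, status in check_failover(BEFORE, AFTER, ips).items():
        print(f"{ip}: {status}")
```

An interface reported as `mac-changed` is one where the MAC Spoofing box on the Failover Appliance is empty or does not match the Main Appliance.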