Modifying iptables to handle this at the OS level ought to be relatively easy. We don't use proxy HA, but my guess is that MWG is utilizing keepalived. If my guess is correct, the following information should be accurate, but I highly recommend testing in a non-production environment.

There are two main things that you need to permit:

- multicast

- the VRRP protocol (IP proto 112)

MWG may overwrite the entries if you add them to /etc/sysconfig/iptables. Instead, add them to the /etc/init.d/iptables startup script. This modification will need to be re-applied after any upgrade activities.

The core network protection configuration doesn't modify the FORWARD or OUTPUT portions of the configuration so assuming that your Network Protection configuration via the GUI is set to Input policy Drop and the interface over which Proxy HA is communicating is eth0, you can add the necessary entries after the #Load additional modules (helpers) line and before the if [ -n "$IPTABLES_MODULES" ]; then line:

# Load additional modules (helpers)

# INSERT MODIFICATION LINES HERE

# permit multicast inbound on eth0

/sbin/iptables -I INPUT -i eth0 -d 224.0.0.0/8 -j ACCEPT


# permit ip proto 112 (vrrp) inbound on eth0

/sbin/iptables -A INPUT -p 112 -i eth0 -j ACCEPT:

if [ -n "$IPTABLES_MODULES" ]; then

You might be able to further tighten the multicast rule down by specifying a multicast source address in the keepalived configuration, but my guess is that MWG will overwrite that file if you modify the HA configuration so that probably won't survive