> The traffic is being routed back out of enp5s3 as a result of this route
> in the main table:
> 
> 10.215.0.0/16 dev enp5s3 proto kernel scope link src 10.215.144.91


enp5s3 is the NIC to the "lan" zone. Hosts in this zone must be within these IP 
ranges:

10.215.144.0/22
10.215.246.0/23
10.215.248.0/24

All other networks (e.g. 10.215.245.0/24 or 10.215.149.0/24) are to be found via 
other interfaces (CAIB and IBS providers). 

To simplify maintenance all "lan" clients have the same shorewall server as 
default gateway (one IP addr.) and their netmask is an extensive /16.
So the Shorewall server's LAN IP address was set to 10.215.144.91/16. 

Simple example:
"lan" client with IP addr. 10.215.144.48 and netmask /16 has default gateway 
10.215.144.91 (shorewall). Same for "lan" client with IP addr. 10.215.246.26.
Routing to remote 10.215.x.x is decided on Shorewall system at 10.215.144.91.

This is why you're seeing that traffic is routed back out of enp5s3 (ie. the 
"lan" nic).

So what is the best approach in a situation like this?

Should I leave the "lan" clients as they are (/16 with default gw 
10.215.144.91) and set up the shorewall system with the following?
lan nic IP addr: 10.215.144.91/22
lan nic routes: 
10.215.246.0/23 dev enp5s3  proto kernel  scope link  src 10.215.144.91
10.215.248.0/24 dev enp5s3  proto kernel  scope link  src 10.215.144.91

Sorry for asking but I'd like to know what others usually do in these cases.

Thanks,

Vieri

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
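As an added illustration (not part of the original post or of Shorewall itself), the script below models the gateway's routing decision for the two configurations discussed above: the current 10.215.144.91/16 address, whose kernel-added connected route covers the whole of 10.215.0.0/16, against the proposed /22 address plus explicit routes for 10.215.246.0/23 and 10.215.248.0/24. It resolves a destination by longest-prefix match, the same rule the kernel applies inside one routing table when metrics are equal, and flags when a packet that arrived on enp5s3 would leave on enp5s3 again. Only enp5s3 and the three LAN ranges come from the thread; the provider NIC names (enp2s0 for CAIB, enp3s0 for IBS), the per-provider routes and the default route are constructed assumptions. It also prints the iproute2 commands that would realise the proposed LAN-side setup.

```python
import ipaddress

# Route tables as (prefix, outgoing device) pairs. Only enp5s3 and the three
# LAN ranges come from the thread; the provider NIC names (enp2s0 for CAIB,
# enp3s0 for IBS), the provider routes and the default route are constructed
# assumptions for this example.
CURRENT_TABLE = [
    ("10.215.0.0/16", "enp5s3"),   # kernel connected route for 10.215.144.91/16
    ("0.0.0.0/0", "enp2s0"),       # assumed default route via a provider NIC
]

PROPOSED_TABLE = [
    ("10.215.144.0/22", "enp5s3"),  # kernel connected route for 10.215.144.91/22
    ("10.215.246.0/23", "enp5s3"),  # static route added on the LAN NIC
    ("10.215.248.0/24", "enp5s3"),  # static route added on the LAN NIC
    ("10.215.245.0/24", "enp2s0"),  # assumed: remote range reached via CAIB
    ("10.215.149.0/24", "enp3s0"),  # assumed: remote range reached via IBS
    ("0.0.0.0/0", "enp2s0"),        # assumed default route
]


def lookup(table, dst):
    """Return the device a destination leaves on, by longest-prefix match.

    Mirrors the kernel's choice within a single routing table when all routes
    have equal metric; policy routing (Shorewall providers, rt_tables) is not
    modelled here.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_dev = None, None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def hairpins(table, dst, ingress="enp5s3"):
    """True if a packet that arrived on `ingress` would be sent back out of it."""
    return lookup(table, dst) == ingress


def ip_commands(lan_dev="enp5s3", lan_addr="10.215.144.91/22",
                extra_prefixes=("10.215.246.0/23", "10.215.248.0/24")):
    """iproute2 commands for the proposed LAN-side configuration.

    `replace` makes them idempotent. The connected /22 route is created by the
    kernel when the address is assigned, so only the two additional on-link
    ranges need explicit routes.
    """
    src = lan_addr.split("/")[0]
    cmds = [f"ip addr replace {lan_addr} dev {lan_dev}"]
    for prefix in extra_prefixes:
        cmds.append(f"ip route replace {prefix} dev {lan_dev} src {src}")
    return cmds


if __name__ == "__main__":
    for dst in ("10.215.144.48", "10.215.246.26", "10.215.245.7", "10.215.149.10"):
        print(f"{dst:15} current -> {lookup(CURRENT_TABLE, dst):7} "
              f"proposed -> {lookup(PROPOSED_TABLE, dst)}")
    print("\n".join(ip_commands()))
```

On the real box the equivalent check is `ip route get 10.215.245.7`, which prints the device and source address the kernel would use. One caveat the model does not cover: because the clients keep a /16 mask, a client treats every 10.215.x.x host as on-link and ARPs for it directly instead of sending to the gateway, so the gateway only sees that traffic if it answers those ARP requests (proxy ARP) on enp5s3.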