On Wed, May 25, 2016 at 11:56:25AM +0000, Valleri Paolo wrote:
> Hi all,
> I've set up a firewall with two 'external' interfaces, both have the same
> subnet (192.168.29.0/24) and gateway.
> The issue I'm facing regards the traffic between machines in the same subnet
> of the two interfaces of the firewall.
> All communications "routed" to one or the other interface work perfectly. The
> problem can be summarized as follows:
> Firewall:
> Eth_az0: 192.168.29.13, gw 192.168.29.1
> Eth_az1: 192.168.29.14, gw 192.168.29.1
> Client (192.168.29.10) pings 192.168.29.13 but it doesn't ping 192.168.29.14
> I'm not sure if it is relevant, but when the client pings 29.14, the firewall logs
> several martian sources such as
> May 25 13:43:37 kernel: [ 9001.032822] IPv4: martian source 192.168.29.14
> from 192.168.29.10, on dev eth_az1
If route_filter is enabled, the kernel will NOT like traffic coming in an interface it would not have sent a reply through, so apparently it only thinks the first interface is relevant. So at minimum you must turn off route_filter with this setup.

I am not convinced this setup makes any sense though. Why two interfaces to the same subnet?

-- 
Len Sorensen

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
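An added illustration of the reverse-path check Len describes, not code from the thread or from Shorewall: a small Python model of the kernel's rp_filter decision run against the poster's two-interface routing table. The route table, the tie-break rule (among equal-prefix routes the first one wins, which is what "only thinks the first interface is relevant" looks like in practice), and the rule that the effective mode is the larger of `all` and the per-interface value are assumptions of this model, written from the kernel's documented behaviour.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table for the firewall in the thread: two connected
# routes to the same subnet, eth_az0 installed first, plus a default route.
ROUTES: List[Tuple[str, str]] = [
    ("192.168.29.0/24", "eth_az0"),
    ("192.168.29.0/24", "eth_az1"),
    ("0.0.0.0/0", "eth_az0"),  # default via 192.168.29.1
]


def lookup(dst: str, routes: List[Tuple[str, str]] = ROUTES) -> Optional[str]:
    """Longest-prefix match; among equal prefixes the first route listed wins
    (assumption: models the kernel preferring the first of two equal routes)."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None


def effective_mode(all_value: int, iface_value: int) -> int:
    """net.ipv4.conf.all.rp_filter and net.ipv4.conf.<if>.rp_filter combine
    as the maximum, so zeroing only the per-interface knob is not enough."""
    return max(all_value, iface_value)


def reverse_path_check(src: str, ingress: str, rp_filter: int,
                       routes: List[Tuple[str, str]] = ROUTES) -> str:
    """Decide whether a packet from src arriving on ingress is accepted.
    0 = filter off; 1 = strict (reply must leave via ingress);
    2 = loose (any route to src is enough, so a default route makes every
    source acceptable, which is why loose mode is a weak check)."""
    if rp_filter == 0:
        return "accept"
    out = lookup(src, routes)
    if out is None:
        return "martian"
    if rp_filter == 1 and out != ingress:
        return "martian"  # what the poster's "martian source" log line reports
    return "accept"


if __name__ == "__main__":
    for dev in ("eth_az0", "eth_az1"):
        print(dev, "strict:", reverse_path_check("192.168.29.10", dev, 1),
              "loose:", reverse_path_check("192.168.29.10", dev, 2))
```

With the table above, a ping from 192.168.29.10 is accepted on eth_az0 and dropped as martian on eth_az1 in strict mode, and accepted on both in loose mode.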
