I tried to disable router_filter in shorewall.conf and I added routefilter=0 for all interfaces in /etc/shorewall/interfaces.conf but nothing changed.

In addition I found:
- from eth_az0 ping works to 192.168.29.10
- from eth_az1 I lost the first 5 messages, after that I received a few replies (8) and stopped definitely.
Paolo

-----Original Message-----
From: Lennart Sorensen [mailto:[email protected]]
Sent: Wednesday, 25 May 2016 16:33
To: Shorewall Users
Subject: Re: [Shorewall-users] multiple isp same subnet and gateway

On Wed, May 25, 2016 at 11:56:25AM +0000, Valleri Paolo wrote:
> Hi all,
> I've set up a firewall with two 'external' interfaces, both have the same subnet (192.168.29.0/24) and gateway.
> The issue I'm facing regards the traffic between machines in the same subnet of the two interfaces of the firewall.
> All communications "routed" to one or the other interface work perfectly. The problem can be summarized as follows:
> Firewall:
> Eth_az0: 192.168.29.13, gw 192.168.29.1
> Eth_az1: 192.168.29.14, gw 192.168.29.1
> Client (192.168.29.10) pings 192.168.29.13 but it doesn't ping 192.168.29.14
> I'm not sure if it is relevant, when the client pings 29.14, the firewall logs several martian source as
> May 25 13:43:37 kernel: [ 9001.032822] IPv4: martian source 192.168.29.14 from 192.168.29.10, on dev eth_az1

If route_filter is enabled, the kernel will NOT like traffic coming in an interface it would not have sent a reply through, so apparently it only thinks the first interface is relevant. So at minimum you must turn off route_filter with this setup.

I am not convinced this setup makes any sense though. Why two interfaces to the same subnet?

--
Len Sorensen
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
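Added example, not part of the original thread or of Shorewall: a shell check of the reverse-path filter mode the kernel actually applies to each interface, since source validation uses the higher of `conf/all/rp_filter` and `conf/<iface>/rp_filter`. The function names and the `SYSCTL_ROOT` override are assumptions made for this example; the sample log line is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: effective rp_filter per interface, plus a martian-log helper.
# SYSCTL_ROOT is a hypothetical override for testing against a constructed tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Source validation on an interface uses the MAX of conf/all/rp_filter and
# conf/<iface>/rp_filter, so a per-interface 0 does not override all=1.
effective_rp_filter() {
    conf="$SYSCTL_ROOT/net/ipv4/conf"
    all=$(cat "$conf/all/rp_filter" 2>/dev/null || echo 0)
    dev=$(cat "$conf/$1/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

rp_mode_name() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Pull the receiving interface out of a kernel "martian source" log line.
martian_dev() {
    printf '%s\n' "$1" | sed -n 's/.*martian source .* on dev \([^ ]*\).*/\1/p'
}

# Print every interface whose effective mode is not "off".
report() {
    for d in "$SYSCTL_ROOT"/net/ipv4/conf/*/; do
        [ -d "$d" ] || continue
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        m=$(effective_rp_filter "$i")
        [ "$m" -eq 0 ] || echo "$i: rp_filter=$m ($(rp_mode_name "$m"))"
    done
}

# Log line quoted in the thread above; shows which device to inspect.
SAMPLE='May 25 13:43:37 kernel: [ 9001.032822] IPv4: martian source 192.168.29.14 from 192.168.29.10, on dev eth_az1'
echo "martian packets logged on: $(martian_dev "$SAMPLE")"
report
```

An interface listed by `report` still has reverse-path filtering active, whatever its own per-interface value says.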
