I've seen this on a couple of networks I administer. I think it's Winwoes 10 related. I began seeing this behavior about the time Microsoft started rolling out Winwoes 10.
My theory is that Winwoes 10 is looking up the printer name via DNS and then assuming that the printer will always have that address. I'm thinking it re-configures itself to access the printer strictly by IP address. Then when the printer gets a different IP address (DHCP), it can't look up the MAC address via ARP. So it decides to let the gateway do the work of forwarding the request (which it can't do because the printer isn't at that address anymore). Currently I just DROP this nonsense. Look at the printer configuration on the Windows machine and see if it has a hard-coded IP address.

Bill

On 12/20/2016 9:41 PM, Tom Eastep wrote:
> On 12/20/2016 04:59 PM, Alex wrote:
>> Hi,
>>
>> I have a two-interface shorewall setup with one side on a 192.168.0.0 network while the other is connected to the Internet via a cable modem.
>>
>> There's a Win10 machine on the internal network that appears to be sending out snmp requests to the network printer, and I can't understand why shorewall is rejecting them.
>>
>> Dec 20 19:50:43 orion kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 MAC=0c:c4:7a:a9:18:df:52:54:00:52:6b:61:08:00 SRC=192.168.1.18 DST=192.168.1.104 LEN=106 TOS=0x00 PREC=0x00 TTL=127 ID=17640 PROTO=UDP SPT=50731 DPT=161 LEN=86
>>
>> In my policy file I have allowed internal to internal communications:
>>
>> int int ACCEPT
>>
>> I've also checked to make sure there aren't any explicit rules to block port 161 or snmp.
>>
>> Does anyone have any idea what could be causing this, or how I can troubleshoot it further? How do I identify which rule is causing this to be rejected?
>>
> The first question is "Why does 192.168.1.18 think it needs to route packets to 192.168.1.104 through your Shorewall router?". It can obviously send them directly on the local LAN. I assume that is because 192.168.1.18 has the wrong netmask configured - a netmask that makes it look like 192.168.1.104 is not on its local network.
>
> The reason that the Shorewall-generated ruleset is blocking the traffic is that you haven't specified 'routeback' in the eth1 entry in /etc/shorewall/interfaces. This is made clear in Shorewall FAQ 17.
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
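Added example, not from the thread and not Shorewall's own code: a small Python diagnostic that parses a Shorewall FORWARD log line like the one Alex posted, flags the IN == OUT hairpin, checks from the router's side that both addresses sit on the same LAN, and lists the sender netmasks that would make the destination look off-link (Tom's wrong-netmask hypothesis). The sample log line is constructed from the one quoted above; the LAN prefix passed to `diagnose()` and the field names of the report are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample, modelled on the log line quoted in the thread (not a live capture).
SAMPLE_LOG = (
    "Dec 20 19:50:43 orion kernel: Shorewall:FORWARD:REJECT:IN=eth1 "
    "OUT=eth1 MAC=0c:c4:7a:a9:18:df:52:54:00:52:6b:61:08:00 "
    "SRC=192.168.1.18 DST=192.168.1.104 LEN=106 TOS=0x00 PREC=0x00 "
    "TTL=127 ID=17640 PROTO=UDP SPT=50731 DPT=161 LEN=86"
)

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# usual netfilter KEY=VALUE pairs.
_PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_shorewall_log(line):
    """Return chain, disposition and the KEY=VALUE fields of a Shorewall log line, or None."""
    m = _PREFIX_RE.search(line)
    if m is None:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, value in _KV_RE.findall(line[m.end():]):
        # LEN appears twice (IP total length, then UDP length); keep the first one.
        fields.setdefault(key, value)
    return fields


def is_hairpin(fields):
    """True when the packet entered and would leave on the same interface (IN == OUT)."""
    return bool(fields.get("IN")) and fields.get("IN") == fields.get("OUT")


def on_link(host_ip, host_mask, peer_ip):
    """Would a host configured as host_ip/host_mask send to peer_ip directly (via ARP)
    rather than to its default gateway?  host_mask may be a prefix length or a dotted mask."""
    network = ipaddress.ip_interface(f"{host_ip}/{host_mask}").network
    return ipaddress.ip_address(peer_ip) in network


def diagnose(line, lan_network):
    """Classify a FORWARD reject where IN == OUT.  lan_network is the router's own view
    of the subnet on that interface (an assumption of this example, e.g. '192.168.1.0/24')."""
    fields = parse_shorewall_log(line)
    if fields is None or fields["chain"] != "FORWARD" or not is_hairpin(fields):
        return None
    lan = ipaddress.ip_network(lan_network)
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    # Sender netmasks (/16 .. /30) under which DST would look off-link to SRC, which is
    # the only reason a correctly configured host would hand this packet to its gateway.
    hiding_masks = [f"/{p}" for p in range(16, 31) if not on_link(str(src), p, str(dst))]
    report = {
        "iface": fields["IN"],
        "src": str(src),
        "dst": str(dst),
        "proto": fields.get("PROTO"),
        "dport": fields.get("DPT"),
        # If the router sees both ends on one LAN, the packet is a hairpin: Shorewall
        # rejects it unless the interface carries the 'routeback' option.
        "same_lan_from_router": src in lan and dst in lan,
        "masks_that_hide_dst": hiding_masks,
    }
    mask_note = f" ({hiding_masks[0]} or longer puts {dst} off-link)" if hiding_masks else ""
    report["checks"] = [
        f"On {src}: verify the configured netmask{mask_note}.",
        f"On the router: add 'routeback' to the {fields['IN']} entry in "
        "/etc/shorewall/interfaces if hairpin forwarding on that interface is wanted "
        "(Shorewall FAQ 17).",
    ]
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, "192.168.1.0/24").items():
        print(f"{key}: {value}")
```

Running it on the sample line reports the hairpin on eth1, confirms both hosts are on 192.168.1.0/24 from the router's side, and shows that any netmask of /26 or longer on 192.168.1.18 would explain why that host sent the packet to its gateway instead of ARPing for the printer.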
