On 08/04/2017 04:28 AM, Vieri Di Paola via Shorewall-users wrote:
>
> ________________________________
> From: Tom Eastep <teas...@shorewall.net>
>>
>> A current dump of fw1 might shed some light on that...
>
>
> Just to clear things up a little, here's the current network:
>
> providers --- gw1 (shorewall gateway) --- fw{1,2} (shorewall firewall router)
>
> where
> - fw1 was the "old" firewall
> - fw2 is the new firewall with proxyarp=1 as I explained in my previous e-mail
> - gw1 is the "other" shorewall system connected to the internet providers
>
> I'm sending shorewall dumps of both gw1 and fw2 in the following links.
>
> https://drive.google.com/file/d/0B-tpkY1LkI67QTFqVVFzSWZiNlE/view?usp=sharing
> https://drive.google.com/file/d/0B-tpkY1LkI67YmVOVHdBUGtHd2M/view?usp=sharing
>
Here is the main routing table on gw1:

Table main:
192.168.92.1 dev enp9s4 scope link src 192.168.92.2
192.168.102.1 dev enp9s7 scope link src 192.168.102.2
192.168.101.1 dev enp9s6 scope link src 192.168.101.2
192.168.100.1 dev enp9s5 scope link src 192.168.100.2
172.16.0.0/28 dev enp11s0 proto kernel scope link src 172.16.0.2
192.168.92.0/24 dev enp9s4 proto kernel scope link src 192.168.92.2
192.168.212.0/24 via 172.16.0.1 dev enp11s0 metric 8
192.168.147.0/24 dev enp11s0 scope link
192.168.102.0/24 dev enp9s7 proto kernel scope link src 192.168.102.2
192.168.101.0/24 dev enp9s6 proto kernel scope link src 192.168.101.2
192.168.100.0/24 dev enp9s5 proto kernel scope link src 192.168.100.2
192.168.210.0/23 via 172.16.0.1 dev enp11s0 metric 8
192.168.228.0/22 dev enp5s0 proto kernel scope link src 192.168.228.1
10.215.0.0/16 dev enp11s0 proto kernel scope link src 10.215.144.92

Note the last route. It assumes that the entire 10.215.0.0/16 network is directly attached to enp11s0.

Here is the main table on fw2:

Table main:
172.28.17.110 dev enp7s0f2 scope link src 172.28.17.105
172.20.11.49 dev enp7s0f3 scope link src 172.20.11.62
172.16.0.2 dev enp6s0 scope link src 172.16.0.1
10.215.248.68 dev enp5s0 scope link
10.215.248.34 dev enp5s0 scope link
10.215.248.241 dev enp5s0 scope link
10.215.248.229 dev enp5s0 scope link
10.215.248.204 dev enp5s0 scope link
10.215.248.126 dev enp5s0 scope link
10.215.247.231 dev enp5s0 scope link
10.215.247.225 dev enp5s0 scope link
10.215.247.195 dev enp5s0 scope link
10.215.246.76 dev enp6s0 scope link
10.215.246.75 dev enp6s0 scope link
10.215.246.72 dev enp6s0 scope link
10.215.246.70 dev enp6s0 scope link
10.215.246.206 dev enp5s0 scope link
10.215.246.205 dev enp5s0 scope link
10.215.246.173 dev enp5s0 scope link
10.215.246.172 dev enp5s0 scope link
10.215.246.169 dev enp5s0 scope link
10.215.246.168 dev enp5s0 scope link
10.215.246.166 dev enp5s0 scope link
10.215.246.165 dev enp5s0 scope link
10.215.246.164 dev enp5s0 scope link
10.215.246.163 dev enp5s0 scope link
10.215.246.161 dev enp5s0 scope link
10.215.246.160 dev enp5s0 scope link
10.215.246.159 dev enp5s0 scope link
10.215.246.158 dev enp5s0 scope link
10.215.246.157 dev enp5s0 scope link
10.215.147.62 via 192.168.210.1 dev enp5s0 metric 2
10.215.147.61 via 172.16.0.1 dev enp6s0 metric 3
10.215.145.58 dev enp5s0 scope link
10.215.145.163 dev enp5s0 scope link
10.215.145.160 dev enp5s0 scope link
10.215.144.92 via 172.16.0.2 dev enp6s0 metric 3
10.215.144.90 via 172.16.0.2 dev enp6s0 metric 3
10.215.144.86 dev enp5s0 scope link
10.215.144.64 dev enp5s0 scope link
10.215.144.254 dev enp5s0 scope link
10.215.144.201 dev enp5s0 scope link
172.28.17.104/29 dev enp7s0f2 proto kernel scope link src 172.28.17.105
172.20.11.48/28 dev enp7s0f3 proto kernel scope link src 172.20.11.62
172.16.0.0/28 dev enp6s0 proto kernel scope link src 172.16.0.1
192.168.147.0/27 dev tun147 proto kernel scope link src 192.168.147.1
192.168.251.0/24 via 10.215.147.115 dev enp10s0 metric 1
192.168.250.0/24 via 10.215.147.115 dev enp10s0 metric 1
192.168.212.0/24 dev enp5s0 proto kernel scope link src 192.168.212.1
192.168.146.0/24 dev tun146 proto kernel scope link src 192.168.146.1
192.168.144.0/24 dev enp10s0 proto kernel scope link src 192.168.144.91
10.215.248.0/24 dev enp10s0 proto kernel scope link src 10.215.144.91 metric 1
192.168.210.0/23 dev enp5s0 proto kernel scope link src 192.168.210.1
10.215.246.0/23 dev enp10s0 proto kernel scope link src 10.215.144.91 metric 1
192.168.148.0/22 dev tun148 proto kernel scope link src 192.168.148.1
10.215.144.0/22 dev enp10s0 proto kernel scope link src 10.215.144.91 metric 1

The WAN interface that is connected to gw1 is enp6s0, which only has routes to a handful of 10.215.0.0/16 hosts. The bulk of 10.215.0.0/16 is connected to the LAN interface (enp10s0). Consequently, enp6s0 must proxy ARP requests for 10.215.x.x.
-Tom

-- 
Tom Eastep           \ Q: What do you get when you cross a mobster with
Shoreline,            \    an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org    \    understand
                         \_______________________________________________
signature.asc
Description: OpenPGP digital signature
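The reasoning in the message above (gw1 believes all of 10.215.0.0/16 is on-link on enp11s0, while fw2 reaches most of it through enp10s0) can be checked mechanically from the two dumps. The script below is an added example for this thread, not Shorewall code and not Tom's: it parses `ip route` lines as they appear in a shorewall dump, does a longest-prefix lookup the way the kernel does, and then reports which prefixes fw2 has to answer ARP for on enp6s0, together with the more-specific routes inside those prefixes that point back out enp6s0 and therefore must not be claimed. The function names (`parse_route`, `lookup`, `proxy_arp_plan`) are this example's own; the route lines are an excerpt of the gw1 and fw2 tables quoted in the message.

```python
"""Longest-prefix lookup over `ip route` lines and a proxy-ARP sanity check.

Added example for this thread (not Shorewall code). Route lines are an
excerpt of the gw1 and fw2 dumps quoted in the message.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address]  # None for on-link (scope link) routes
    metric: int                            # kernel default is 0 when absent


def parse_route(line: str) -> Route:
    """Parse one `ip route show` line; a bare address is a /32 host route."""
    fields = line.split()
    prefix = ipaddress.ip_network(fields[0], strict=False)
    via, dev, metric = None, None, 0
    for key, val in zip(fields[1:], fields[2:]):
        if key == "via":
            via = ipaddress.ip_address(val)
        elif key == "dev":
            dev = val
        elif key == "metric":
            metric = int(val)
    if dev is None:
        raise ValueError(f"route without dev: {line!r}")
    return Route(prefix, dev, via, metric)


def parse_table(text: str) -> List[Route]:
    return [parse_route(l) for l in text.splitlines() if l.strip()]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; on equal length the lower metric wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r.prefix]
    if not hits:
        return None
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric))


def proxy_arp_plan(table: List[Route], wan_iface: str, neighbour_onlink: str
                   ) -> Tuple[List[ipaddress.IPv4Network], List[ipaddress.IPv4Network]]:
    """Given the neighbour's on-link aggregate, return
    (prefixes this router must answer ARP for on wan_iface,
     more-specific routes inside them that point back out wan_iface).
    The second list is what a blanket proxy-ARP entry would wrongly claim:
    those addresses live on the neighbour's side of the link."""
    agg = ipaddress.ip_network(neighbour_onlink)
    inside = [r for r in table if r.prefix.subnet_of(agg)]
    answer = list(ipaddress.collapse_addresses(
        r.prefix for r in inside if r.dev != wan_iface))
    carve_out = sorted({r.prefix for r in inside if r.dev == wan_iface
                        and any(r.prefix.subnet_of(a) for a in answer)})
    return answer, carve_out


# Excerpts of the two tables quoted in the message (gw1 first, then fw2).
GW1_ROUTES = """\
172.16.0.0/28 dev enp11s0 proto kernel scope link src 172.16.0.2
10.215.0.0/16 dev enp11s0 proto kernel scope link src 10.215.144.92
"""
FW2_ROUTES = """\
172.16.0.2 dev enp6s0 scope link src 172.16.0.1
10.215.248.68 dev enp5s0 scope link
10.215.246.76 dev enp6s0 scope link
10.215.246.157 dev enp5s0 scope link
10.215.147.62 via 192.168.210.1 dev enp5s0 metric 2
10.215.147.61 via 172.16.0.1 dev enp6s0 metric 3
10.215.144.92 via 172.16.0.2 dev enp6s0 metric 3
10.215.144.90 via 172.16.0.2 dev enp6s0 metric 3
172.16.0.0/28 dev enp6s0 proto kernel scope link src 172.16.0.1
192.168.210.0/23 dev enp5s0 proto kernel scope link src 192.168.210.1
10.215.248.0/24 dev enp10s0 proto kernel scope link src 10.215.144.91 metric 1
10.215.246.0/23 dev enp10s0 proto kernel scope link src 10.215.144.91 metric 1
10.215.144.0/22 dev enp10s0 proto kernel scope link src 10.215.144.91 metric 1
"""

if __name__ == "__main__":
    gw1, fw2 = parse_table(GW1_ROUTES), parse_table(FW2_ROUTES)
    r = lookup(gw1, "10.215.246.157")
    print(f"gw1 -> 10.215.246.157: dev {r.dev}, via {r.via}  (on-link, so gw1 ARPs for it)")
    answer, carve = proxy_arp_plan(fw2, "enp6s0", "10.215.0.0/16")
    print("fw2 must answer ARP on enp6s0 for:", ", ".join(map(str, answer)))
    print("but must NOT claim (routed back out enp6s0):", ", ".join(map(str, carve)))
```

The second list is the practical caveat: fw2's table contains host routes such as 10.215.144.92 and 10.215.147.61 that sit inside 10.215.144.0/22 but point out enp6s0, so a proxy-ARP configuration that covers the whole /22 on enp6s0 would also answer for addresses gw1 itself owns or reaches on its own side.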
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users