From: Vieri Di Paola via Shorewall-users <shorewall-users@lists.sourceforge.net>

> So if I wanted to avoid using proxy arp on the WAN interface, and since the
> bulk is really on the LAN interface, then I could change gw1's enp11s0 IP
> settings to with a route for via


I changed the network configuration in my gw1 shorewall gateway, and removed 
proxyarp=1 in fw2 as in the setup described earlier:

Internet providers --- gw1 ( --- fw2 --- lan

Traffic from lan to wan is OK now, so the issue is solved.

However, there's still just one last thing that I'd like to deal with.

I tried to ping from gw1 to fw2 but failed. A tcpdump on fw2 shows that the 
ping request source IP address is It's being blocked by fw2's 
shorewall rules. I could allow this traffic, but I'd rather keep the ACCEPT 
rule from wan: to $FW alone.
I thought I only needed to masquerade on gw1's lan interface.

Here's what I did in gw1's snat file:


The params file contains:


However, pings still fail for the same reason.

A tcpdump on fw2 shows requests such as:

10:50:08.948027 IP > ICMP echo request, id 26579, seq 8, length 64

I'm trying to masq them as " >".

I'm sending a link to gw1's dump while trying to ping (fw2) from 
gw1 (it actually succeeds because I added the allow rule for to fw2):


In short, I'd like any application running on gw1 (ping, curl, ssh, links, 
wget, etc.) to access fw2 with source address by default instead 

Any idea where my mistake is?
