> OK, I'm seeing a very odd behavior here, but at least I can now easily reproduce the issue.
>
> I have a test host with IP address 192.168.215.200 pinging continuously the Shorewall FW at 192.168.215.1.
> At first, I connect it to a Switch Port with VLAN ID 11 Untagged (enp8s5 on the FW is connected to a Switch Port VLAN 11 tagged + 12 tagged + 1 tagged). It gets the ICMP replies just fine, as expected according to my Shorewall rules.
>
> I've captured dumps and traces while this was happening (I can see traffic on VLAN 11, nothing on VLAN 12, which is OK):
>
> SW DUMP:
> https://drive.google.com/open?id=1_wLPvrowWGE4CPFYMQSzqxz0_FvZXm4q
> SW TRACE:
> https://drive.google.com/open?id=1AXzSDhBTN62veUPYjzVxgddPEBdY1Amy
>
> I then disconnected the test host's ethernet cable from the Switch and plugged it into another port on the same Switch but with VLAN ID 12 Untagged.
> The test host keeps pinging the FW at 192.168.215.1 successfully when it SHOULDN'T because of my Shorewall rules and policies.
> A tcpdump on the enp8s5_12 interface shows VLAN 12 traffic and ICMP requests/replies.
> A tcpdump on the enp8s5_11 interface shows that there's no more VLAN 11 traffic.
>
> I grabbed a SW dump, SW trace and a tcpdump:
>
> TCPDUMP on enp8s5_12:
> https://drive.google.com/open?id=1JVSOMNsXmPA1gKaVhYguZr0VmKzwSOER
> TCPDUMP on enp8s5:
> https://drive.google.com/open?id=1pxyuMP6lynquB_BEks56HzjPqeWg-J6U
> SW DUMP:
> https://drive.google.com/open?id=1donyBraZpwKSyNG4w75LGkfPvlwgf3B9
> SW TRACE:
> https://drive.google.com/open?id=1eFYjF9HPi144uzl2Y_oDZxtMCDq4fSog
>
> The test host is a Windows 10 laptop. Disconnecting its ethernet cable and putting it back in did not change anything. However, I noticed that if I put the laptop in sleep mode and woke it up again after AT LEAST 30 seconds, traffic behavior would finally be "as expected", i.e. the test host would fail pinging the FW.
I can't follow you here with all the details and dumps... It just sounds to me like it has something to do with ARP caches, on a switch, on a host, on a router? Or even more fun, host routes generated through ICMP redirect messages?

Regards,
Simon

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
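The two hypotheses in the reply above (a stale neighbor/ARP entry for the moved host on the firewall, or a host route created by an ICMP redirect) can both be checked from the firewall itself. The script below is an added example, not code from the thread or from Shorewall: it parses `ip neigh show` output and reports every VLAN subinterface of a given parent that still holds an entry for the test host, and checks `ip route get` output for the `<redirected>` cache flag that iproute2 prints for routes learned from an ICMP redirect. The IP addresses and interface names are the ones from the post; the MAC addresses and neighbor states in the embedded sample table are constructed for the example, and the `--live` mode is an assumption that the firewall runs Linux with iproute2.

```shell
#!/bin/sh
# Added example (not Shorewall's code). Checks whether a host that was moved
# between VLAN ports is still known to the kernel on more than one 802.1Q
# subinterface, and whether the route to it came from an ICMP redirect.

# Print "IFACE MAC STATE" for every neighbor entry of IP whose interface name
# starts with PARENT (enp8s5_11, enp8s5_12, ...). Reads `ip neigh show` text
# from stdin so it works on a live table or on one saved from a ticket.
neigh_for_host() {  # usage: neigh_for_host IP PARENT < neigh_table
  awk -v ip="$1" -v parent="$2" '
    $1 == ip && $2 == "dev" && index($3, parent) == 1 {
      # Row layout: IP dev IFACE [lladdr MAC] [router] STATE
      mac = "-"
      for (i = 4; i < NF; i++) if ($i == "lladdr") mac = $(i + 1)
      print $3, mac, $NF
    }'
}

# Number of distinct subinterfaces that hold an entry for IP. Anything above 1
# means the kernel still remembers the host on the VLAN it was unplugged from,
# which is the stale-ARP situation suspected in the reply.
count_ifaces_for_host() {  # usage: count_ifaces_for_host IP PARENT < neigh_table
  neigh_for_host "$1" "$2" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Reads `ip route get IP` output from stdin; exit 0 if the cached route was
# installed by an ICMP redirect (iproute2 tags it "cache <redirected>").
route_is_redirected() {
  grep -q 'cache.*<redirected>'
}

# Flush the host's neighbor entries so the kernel must re-ARP on whichever
# VLAN the host now lives on. Needs root; no-op where `ip` is absent.
flush_host() {  # usage: flush_host IP
  command -v ip >/dev/null 2>&1 && ip neigh flush to "$1"
}

# Constructed sample neighbor table: the host appears on both VLAN
# subinterfaces, old one STALE, new one REACHABLE (MACs/states are made up).
SAMPLE_NEIGH='192.168.215.200 dev enp8s5_11 lladdr 52:54:00:aa:bb:cc STALE
192.168.215.200 dev enp8s5_12 lladdr 52:54:00:aa:bb:cc REACHABLE
192.168.215.50 dev enp8s5_11 lladdr 52:54:00:11:22:33 REACHABLE
fe80::1 dev enp8s5_12 lladdr 52:54:00:dd:ee:ff router REACHABLE'

# Constructed sample `ip route get` output for a redirect-installed route.
SAMPLE_ROUTE='192.168.215.200 via 192.168.215.254 dev enp8s5_12 src 192.168.215.1 uid 0
    cache <redirected>'

HOST=192.168.215.200
PARENT=enp8s5

if [ "${1:-}" = "--live" ]; then
  # Run on the firewall: assumes Linux with iproute2 installed.
  ip neigh show | neigh_for_host "$HOST" "$PARENT"
  echo "interfaces holding $HOST: $(ip neigh show | count_ifaces_for_host "$HOST" "$PARENT")"
  if ip route get "$HOST" | route_is_redirected; then
    echo "route to $HOST was installed by an ICMP redirect"
  fi
else
  printf '%s\n' "$SAMPLE_NEIGH" | neigh_for_host "$HOST" "$PARENT"
  echo "interfaces holding $HOST: $(printf '%s\n' "$SAMPLE_NEIGH" | count_ifaces_for_host "$HOST" "$PARENT")"
  if printf '%s\n' "$SAMPLE_ROUTE" | route_is_redirected; then
    echo "sample route to $HOST was installed by an ICMP redirect"
  fi
fi
```

Run it with `--live` on the firewall while the laptop is on the VLAN 12 port; if the host shows up on both enp8s5_11 and enp8s5_12, compare the timing of `flush_host 192.168.215.200` against the 30-second sleep observation in the post, and note that `ip neigh flush` only clears the firewall's view, not the switch's MAC table.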