On 11/15/18 9:47 AM, Simon Matter wrote:
>> OK, I'm seeing a very odd behavior here, but at least I can now easily
>> reproduce the issue.
>>
>> I have a test host with IP address 192.168.215.200 pinging continuously
>> the Shorewall FW at 192.168.215.1.
>> At first, I connect it to Switch Port with VLAN ID 11 Untagged (enp8s5
>> on the FW is connected to Switch Port VLAN 11 tagged + 12 tagged + 1
>> tagged). It gets the ICMP replies just fine, as expected according to
>> my Shorewall rules.
>>
>> I've captured dumps and traces while this was happening (I can see
>> traffic on VLAN 11, nothing on VLAN 12 which is OK):
>>
>> SW DUMP:
>> https://drive.google.com/open?id=1_wLPvrowWGE4CPFYMQSzqxz0_FvZXm4q
>> SW TRACE:
>> https://drive.google.com/open?id=1AXzSDhBTN62veUPYjzVxgddPEBdY1Amy
>>
>> I then disconnected the test host's ethernet cable from the Switch and
>> plugged it into another port on the same Switch but with VLAN ID 12
>> Untagged.
>> The test host keeps pinging FW at 192.168.215.1 successfully when it
>> SHOULDN'T because of my Shorewall rules and policies.
>> A tcpdump on the enp8s5_12 interface shows VLAN 12 traffic and ICMP
>> requests/replies.
>> A tcpdump on the enp8s5_11 interface shows that there's no more VLAN 11
>> traffic.
>>
>> I grabbed a SW dump, SW trace and a tcpdump:
>>
>> TCPDUMP on enp8s5_12:
>> https://drive.google.com/open?id=1JVSOMNsXmPA1gKaVhYguZr0VmKzwSOER
>> TCPDUMP on enp8s5:
>> https://drive.google.com/open?id=1pxyuMP6lynquB_BEks56HzjPqeWg-J6U
>> SW DUMP:
>> https://drive.google.com/open?id=1donyBraZpwKSyNG4w75LGkfPvlwgf3B9
>> SW TRACE:
>> https://drive.google.com/open?id=1eFYjF9HPi144uzl2Y_oDZxtMCDq4fSog
>>
>> The test host is a Windows 10 laptop. Disconnecting its ethernet cable
>> and putting it back in did not change anything. However, I noticed
>> that if I put the laptop in sleep mode and woke it up again after AT
>> LEAST 30 seconds, traffic behavior would finally be "as expected", i.e.
>> the test host would fail pinging the FW.
>
> I can't follow you here with all the details and dumps...
>
> It just sounds to me like it has something to do with ARP caches, on a
> switch, on a host, on a router?
>
> Or even more fun, host routes generated through ICMP redirect messages?
>
That's what I believe also.

Vieri - Do I understand correctly that after you physically reconfigure,
things settle down after some period of time and work properly (and stay
working properly)?

If so, I don't believe that there is anything here to worry about.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
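Simon's ARP-cache suspicion is the kind of thing that is quick to check on the firewall itself: if the Linux neighbour table still carries an entry for the moved host on the old VLAN sub-interface (enp8s5_11) while a fresh one exists on the new (enp8s5_12), replies can keep flowing on the stale path until the entry ages out or the host re-ARPs, which matches the "works again after sleep/wake" observation. The script below is an added example for this thread, not Shorewall code and not something either poster ran. It assumes the line format of `ip -4 neigh show` on Linux (`<ip> dev <ifname> [lladdr <mac>] <STATE>`) and the `parent_vlanid` interface naming used in the thread; the sample neighbour lines are constructed.

```python
"""Spot a host that the Linux neighbour (ARP) table still knows on more
than one VLAN sub-interface of the same parent NIC.

Added example for the Shorewall-users thread above; not Shorewall's code.
Assumes the output format of `ip -4 neigh show`; sample lines are constructed.
"""

import re
from collections import defaultdict

# Constructed sample of `ip -4 neigh show` output, mirroring the thread's
# setup: 192.168.215.200 was learned on enp8s5_11 first and then again on
# enp8s5_12 after being re-patched to a VLAN 12 switch port.
SAMPLE_NEIGH = """\
192.168.215.200 dev enp8s5_11 lladdr 00:11:22:33:44:55 STALE
192.168.215.200 dev enp8s5_12 lladdr 00:11:22:33:44:55 REACHABLE
192.168.215.50 dev enp8s5_11 lladdr 00:11:22:33:44:66 REACHABLE
192.168.215.77 dev enp8s5_12 FAILED
"""

# One neighbour line: address, 'dev' ifname, optional 'lladdr' mac, state.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?"
    r"\s+(?P<state>[A-Z]+)\s*$"
)


def parse_neigh(text):
    """Return a list of dicts {ip, dev, mac, state}, one per parsable line."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # unparsable lines (noise, other address families) are skipped
            entries.append(m.groupdict())
    return entries


def parent_iface(dev):
    """'enp8s5_12' -> 'enp8s5' (the VLAN naming used in the thread);
    a name without an underscore is its own parent."""
    return dev.rsplit("_", 1)[0]


def find_multihomed(entries):
    """Map IP -> sorted (dev, state) pairs for IPs present on more than one
    sub-interface of the same parent NIC, i.e. a host that changed VLAN."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append((e["dev"], e["state"]))
    result = {}
    for ip, seen in by_ip.items():
        devs = {dev for dev, _ in seen}
        parents = {parent_iface(dev) for dev in devs}
        if len(devs) > 1 and len(parents) == 1:
            result[ip] = sorted(seen)
    return result


def stale_duplicates(entries):
    """For each multihomed IP, the interfaces whose entry is not REACHABLE:
    that is the side the host left and the entry worth flushing."""
    out = {}
    for ip, seen in find_multihomed(entries).items():
        left = sorted(dev for dev, state in seen if state != "REACHABLE")
        if left:
            out[ip] = left
    return out


if __name__ == "__main__":
    parsed = parse_neigh(SAMPLE_NEIGH)
    for ip, where in find_multihomed(parsed).items():
        print(ip, "known on", ", ".join(f"{d} ({s})" for d, s in where))
    for ip, devs in stale_duplicates(parsed).items():
        print(ip, "stale entry on", ", ".join(devs))
```

On a real firewall you would feed `parse_neigh` the output of `ip -4 neigh show` instead of the constructed sample and run it a few times across the port change; an IP that stays listed on both sub-interfaces for longer than the neighbour timeout is the stale entry to flush rather than a Shorewall rule problem.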
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users