This isn't a "Shorewall" issue. It's an "IP ROUTING" issue.
Look at my last response.

Bill

On Mon, Jan 24, 2022 at 6:37 PM Vieri Di Paola <vieridipa...@gmail.com> wrote:
> In the failing scenario where a host in vlan 1 with IP addr. 10.215.111.210 cannot ping a host in vlan 18 with IP addr. 10.215.144.251 this is what I see on the SW FW:
>
> # tcpdump -n -i lan -e vlan and host 10.215.144.251
> dropped privs to pcap
> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
> listening on lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
> 00:01:27.495068 9c:7b:ef:b7:7a:a1 > b8:59:9f:cc:bb:5c, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.251: ICMP echo request, id 1, seq 3845, length 40
> 00:01:27.495095 b8:59:9f:cc:bb:5c > 94:40:c9:26:dc:80, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.251: ICMP echo request, id 1, seq 3845, length 40
> 00:01:27.495105 9c:7b:ef:b7:7a:a1 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 78: vlan 50, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.251: ICMP echo request, id 1, seq 3845, length 40
> 00:01:27.495293 94:40:c9:26:dc:80 > ac:1f:6b:f5:b7:1b, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.144.251 > 10.215.111.210: ICMP echo reply, id 1, seq 3845, length 40
>
> # ip a s lan.18
> 65: lan.18@lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>     link/ether b8:59:9f:cc:bb:5c brd ff:ff:ff:ff:ff:ff
>     inet 192.168.240.1/24 brd 192.168.240.255 scope global lan.18
>        valid_lft forever preferred_lft forever
>
> # ip a s ext
> 139: ext: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>     link/ether ac:1f:6b:f5:b7:1b brd ff:ff:ff:ff:ff:ff
>     inet 192.168.170.1/24 brd 192.168.170.255 scope global ext
>        valid_lft forever preferred_lft forever
>
> # ip neigh list | grep 10.215.144.251
> 10.215.144.251 dev lan.18 lladdr 94:40:c9:26:dc:80 REACHABLE
>
> Ignore vlan 50 as it's just for port mirroring traffic to an IDS.
>
> So to sum it up:
> - host with IP addr. 10.215.111.210 and MAC addr. 9c:7b:ef:b7:7a:a1 sends a ping request which hits the FW's lan.18 interface with MAC addr. b8:59:9f:cc:bb:5c
> - the ICMP request is sent out to the MAC addr. 94:40:c9:26:dc:80 which is that of the DST host with IP addr. 10.215.144.251
> - the ICMP reply comes back on the FW's vlan 18 interface and is sent to 10.215.111.210 (SRC addr.) through MAC addr. ac:1f:6b:f5:b7:1b
> - However, interface "ext" has nothing to do with vlan 1 so why are the reply packets sent there?
>
> On the other hand, in the successful scenario where a host in vlan 1 with IP addr. 10.215.111.210 can ping a host in vlan 18 with IP addr. 10.215.144.129 this is what I see on the SW FW:
>
> # tcpdump -n -i lan -e vlan and host 10.215.144.129
> dropped privs to pcap
> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
> listening on lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
> 00:16:18.875974 9c:7b:ef:b7:7a:a1 > b8:59:9f:cc:bb:5c, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.129: ICMP echo request, id 1, seq 4050, length 40
> 00:16:18.875992 b8:59:9f:cc:bb:5c > 94:40:c9:26:e2:d2, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.129: ICMP echo request, id 1, seq 4050, length 40
> 00:16:18.876005 9c:7b:ef:b7:7a:a1 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 78: vlan 50, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.129: ICMP echo request, id 1, seq 4050, length 40
> 00:16:18.876104 94:40:c9:26:e2:d2 > b8:59:9f:cc:bb:5c, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.144.129 > 10.215.111.210: ICMP echo reply, id 1, seq 4050, length 40
> 00:16:18.876115 b8:59:9f:cc:bb:5c > 9c:7b:ef:b7:7a:a1, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4 (0x0800), 10.215.144.129 > 10.215.111.210: ICMP echo reply, id 1, seq 4050, length 40
> 00:16:18.876133 b8:59:9f:cc:bb:5c > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 78: vlan 50, p 0, ethertype IPv4 (0x0800), 10.215.144.129 > 10.215.111.210: ICMP echo reply, id 1, seq 4050, length 40
>
> # ip neigh list | grep 10.215.144.129
> 10.215.144.129 dev lan.18 lladdr 94:40:c9:26:e2:d2 REACHABLE
>
> Any ideas as to why I'm seeing this?
>
> Why is interface "ext" receiving the ICMP replies in the first case?
>
> This keeps happening even if I take the FW interface with MAC addr. ac:1f:6b:f5:b7:1b down.
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
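As an added diagnostic for the captures quoted above (this is not code from the thread or from Shorewall), the script below pairs each ICMP echo request with its reply in `tcpdump -n -e vlan` output and records, per probe, which firewall MAC forwarded the request and which MAC the reply was addressed to. Run over the poster's two captures (re-joined onto single lines and embedded as sample input), it shows the difference between the two cases in one table: for seq 3845 the request is forwarded by lan.18's MAC b8:59:9f:cc:bb:5c but the reply arrives addressed to ext's MAC ac:1f:6b:f5:b7:1b and never re-emerges on vlan 1, while for seq 4050 the reply comes back to b8:59:9f:cc:bb:5c and is forwarded to the requester on vlan 1. The firewall MAC set is taken from the posted `ip a s` output, and vlan 50 is skipped because the poster says it is only the port-mirror copy to the IDS; both are assumptions specific to this thread and must be adjusted for another network.

```python
"""Pair ICMP echo requests with replies in `tcpdump -n -e vlan` output and
report, per probe, the L2 path each direction took through the firewall.

Added example for the Shorewall-users thread; not part of Shorewall or of
the original post.
"""
import re
from collections import defaultdict

# One `tcpdump -n -e vlan` line carrying an 802.1Q-tagged ICMP echo frame.
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype 802\.1Q \(0x8100\), "
    r"length \d+: vlan (?P<vlan>\d+), p \d+, ethertype IPv4 \(0x0800\), "
    r"(?P<src_ip>[\d.]+) > (?P<dst_ip>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

# Assumption from the posted `ip a s lan.18` / `ip a s ext`: MACs the firewall owns.
FW_MACS = frozenset({"b8:59:9f:cc:bb:5c", "ac:1f:6b:f5:b7:1b"})
# Assumption from the post: vlan 50 is only a port-mirror copy to the IDS.
MIRROR_VLANS = frozenset({50})

# Sample input: the poster's two captures, each frame re-joined onto one line.
SAMPLE_CAPTURE = """\
00:01:27.495068 9c:7b:ef:b7:7a:a1 > b8:59:9f:cc:bb:5c, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.251: ICMP echo request, id 1, seq 3845, length 40
00:01:27.495095 b8:59:9f:cc:bb:5c > 94:40:c9:26:dc:80, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.251: ICMP echo request, id 1, seq 3845, length 40
00:01:27.495105 9c:7b:ef:b7:7a:a1 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 78: vlan 50, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.251: ICMP echo request, id 1, seq 3845, length 40
00:01:27.495293 94:40:c9:26:dc:80 > ac:1f:6b:f5:b7:1b, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.144.251 > 10.215.111.210: ICMP echo reply, id 1, seq 3845, length 40
00:16:18.875974 9c:7b:ef:b7:7a:a1 > b8:59:9f:cc:bb:5c, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.129: ICMP echo request, id 1, seq 4050, length 40
00:16:18.875992 b8:59:9f:cc:bb:5c > 94:40:c9:26:e2:d2, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.129: ICMP echo request, id 1, seq 4050, length 40
00:16:18.876005 9c:7b:ef:b7:7a:a1 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 78: vlan 50, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.129: ICMP echo request, id 1, seq 4050, length 40
00:16:18.876104 94:40:c9:26:e2:d2 > b8:59:9f:cc:bb:5c, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.144.129 > 10.215.111.210: ICMP echo reply, id 1, seq 4050, length 40
00:16:18.876115 b8:59:9f:cc:bb:5c > 9c:7b:ef:b7:7a:a1, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4 (0x0800), 10.215.144.129 > 10.215.111.210: ICMP echo reply, id 1, seq 4050, length 40
00:16:18.876133 b8:59:9f:cc:bb:5c > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 78: vlan 50, p 0, ethertype IPv4 (0x0800), 10.215.144.129 > 10.215.111.210: ICMP echo reply, id 1, seq 4050, length 40
"""


def parse_frames(lines):
    """Return the ICMP echo frames in the capture; non-matching lines are skipped."""
    frames = []
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # tcpdump banner, ARP, or anything that is not a tagged echo frame
        f = m.groupdict()
        for k in ("vlan", "id", "seq"):
            f[k] = int(f[k])
        frames.append(f)
    return frames


def trace_probes(lines, fw_macs=FW_MACS, mirror_vlans=MIRROR_VLANS):
    """Group frames by (icmp id, seq) and summarise the L2 path of each direction.

    A frame whose destination MAC is the firewall's is one the firewall received;
    a frame whose source MAC is the firewall's is one it forwarded.
    """
    probes = defaultdict(lambda: {"request": [], "reply": []})
    for f in parse_frames(lines):
        if f["vlan"] in mirror_vlans:
            continue  # mirror copies are not forwarding hops
        probes[(f["id"], f["seq"])][f["kind"]].append(f)

    out = {}
    for key, frames in sorted(probes.items()):
        req_in = next((f for f in frames["request"] if f["dst_mac"] in fw_macs), None)
        req_out = next((f for f in frames["request"] if f["src_mac"] in fw_macs), None)
        rep_in = next((f for f in frames["reply"] if f["dst_mac"] in fw_macs), None)
        rep_out = next((f for f in frames["reply"] if f["src_mac"] in fw_macs), None)
        s = {
            "request_vlan": req_in["vlan"] if req_in else None,
            "forwarded_by": req_out["src_mac"] if req_out else None,
            "reply_addressed_to": rep_in["dst_mac"] if rep_in else None,
            "reply_vlan": rep_out["vlan"] if rep_out else None,
        }
        # Symmetric at L2 when the reply targets the same FW MAC that forwarded the request.
        s["symmetric_l2"] = s["forwarded_by"] is not None and s["forwarded_by"] == s["reply_addressed_to"]
        # Delivered when the FW re-emits the reply on the requester's VLAN to the requester's MAC.
        s["reply_delivered"] = bool(
            req_in and rep_out
            and rep_out["vlan"] == req_in["vlan"]
            and rep_out["dst_mac"] == req_in["src_mac"]
        )
        out[key] = s
    return out


if __name__ == "__main__":
    for (icmp_id, seq), s in trace_probes(SAMPLE_CAPTURE.splitlines()).items():
        print(f"id {icmp_id} seq {seq}: in vlan {s['request_vlan']}, forwarded by {s['forwarded_by']}, "
              f"reply to {s['reply_addressed_to']}, out vlan {s['reply_vlan']}, "
              f"symmetric={s['symmetric_l2']} delivered={s['reply_delivered']}")
```

Feed it a live capture with `tcpdump -n -l -i lan -e vlan and icmp | python3 trace.py` after replacing `SAMPLE_CAPTURE` with `sys.stdin`. When a probe shows `symmetric=False`, the next question is purely a routing one, as Bill says: on the firewall, `ip route get 10.215.111.210 from 10.215.144.251 iif lan.18` shows which interface the kernel would use for the reply, and the equivalent route lookup on the target host shows why it chose the gateway MAC it did.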