Try using different netmasks, for example:
        201.10.10.10 with netmask 255.255.255.0
and
        201.10.10.11 with netmask 255.255.255.255

This solves what I could call the routing ambiguity problem:
if a packet is sent to 201.10.10.12, which interface should be used?
With the config above, there is no ambiguity and the packet is sent through
the interface associated with the first address.

Note that using two addresses with the same netmask in the same network,
i.e.
        formally this means configurations with (addr1, mask1) and (addr2, mask2)
where
        addr1 != addr2, mask1 = mask2 and (addr1 & mask1) = (addr2 & mask1)
are generally disallowed by the OS (as far as I know, this is the case in
BSD systems).


Normally, the OS should allow the config shown at the top (i.e. with
different masks).
If your FW disallows such a config, complain to your vendor.

If the config is allowed, check that the automatically generated
anti-spoofing rules do not reject
authorized packets (this depends on how the rules are generated).

cordially,

mouss
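The two configurations discussed in the mail, modelled as an added example (not code from the post or from any OS): `overlaps` is the formal "same mask, same network" condition written out, and `candidates` does a longest-prefix match over a list of (interface, addr, mask) tuples, so more than one returned name is exactly the routing ambiguity described. The interface names `if_first` and `if_second` are constructed labels.

```python
import ipaddress

# Constructed labels for the two interfaces in the post's example config
# (different masks: /24 and /32).
POST_CONFIG = [
    ("if_first", "201.10.10.10", "255.255.255.0"),
    ("if_second", "201.10.10.11", "255.255.255.255"),
]

# The configuration the post says the OS generally disallows:
# same mask, same network.
SAME_MASK_CONFIG = [
    ("if_first", "201.10.10.10", "255.255.255.0"),
    ("if_second", "201.10.10.11", "255.255.255.0"),
]


def _to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def overlaps(addr1, mask1, addr2, mask2):
    """The post's formal condition for a disallowed pair:
    addr1 != addr2, mask1 == mask2 and (addr1 & mask1) == (addr2 & mask1)."""
    a1, m1, a2, m2 = map(_to_int, (addr1, mask1, addr2, mask2))
    return a1 != a2 and m1 == m2 and (a1 & m1) == (a2 & m1)


def candidates(dest, interfaces):
    """Names of the interfaces whose connected network covers dest at the
    longest prefix length found (longest-prefix match).  An empty list means
    no interface is directly connected; more than one name is the routing
    ambiguity the post describes."""
    d = _to_int(dest)
    best_len, names = -1, []
    for name, addr, mask in interfaces:
        # strict=False accepts a host address with host bits set.
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        if d & int(net.netmask) != int(net.network_address):
            continue
        if net.prefixlen > best_len:
            best_len, names = net.prefixlen, [name]
        elif net.prefixlen == best_len:
            names.append(name)
    return names


if __name__ == "__main__":
    print(candidates("201.10.10.12", POST_CONFIG))        # ['if_first']
    print(candidates("201.10.10.11", POST_CONFIG))        # ['if_second']
    print(candidates("201.10.10.12", SAME_MASK_CONFIG))   # both names: ambiguous
```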

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]