Hi,
In my LAN I have two networks on the same physical infrastructure (no VLAN): 10.215.0.0/16 and 192.168.200.0/24.

The LAN interface on the Shorewall firewall/gateway has proxy_arp enabled for some cases, but it seems to be interfering with ARP requests.

This is what I see on the Shorewall box when two hosts in 192.168.200.0 try to ping each other:

    12:16:54.954199 ARP, Request who-has 192.168.200.21 (30:85:a9:8e:b9:a0) tell 192.168.200.249, length 46
    12:16:54.954219 ARP, Reply 192.168.200.21 is-at 30:85:a9:8e:b9:a0, length 28

The problem is that 30:85:a9:8e:b9:a0 is Shorewall's LAN interface MAC, not the MAC of the host at 192.168.200.21.

I tried to add static ARP entries for the LAN interface on the Shorewall system (arp -i ... -s ...), but the "is-at" replies were still the same.

Removing proxy_arp on Shorewall's LAN interface solves the issue but opens others.

What can I try? Can I avoid replying to ARP requests for 192.168.200.0/24 only?

    # ip addr show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 68:05:ca:11:64:30 brd ff:ff:ff:ff:ff:ff
        inet 192.168.210.1/23 brd 192.168.211.255 scope global enp5s0
           valid_lft forever preferred_lft forever
        inet 192.168.212.1/24 brd 192.168.212.255 scope global enp5s0
           valid_lft forever preferred_lft forever
        inet6 fe80::6a05:caff:fe11:6430/64 scope link
           valid_lft forever preferred_lft forever
    3: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 68:05:ca:10:c3:b7 brd ff:ff:ff:ff:ff:ff
        inet 172.16.0.1/28 brd 172.16.0.15 scope global enp6s0
           valid_lft forever preferred_lft forever
        inet6 fe80::6a05:caff:fe10:c3b7/64 scope link
           valid_lft forever preferred_lft forever
    4: enp7s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
        link/ether e8:ea:6a:0c:4c:1c brd ff:ff:ff:ff:ff:ff
    5: enp7s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
        link/ether e8:ea:6a:0c:4c:1d brd ff:ff:ff:ff:ff:ff
    6: enp7s0f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether e8:ea:6a:0c:4c:1e brd ff:ff:ff:ff:ff:ff
        inet 172.28.17.105/29 brd 172.28.17.111 scope global enp7s0f2
           valid_lft forever preferred_lft forever
        inet6 fe80::eaea:6aff:fe0c:4c1e/64 scope link
           valid_lft forever preferred_lft forever
    7: enp7s0f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether e8:ea:6a:0c:4c:1f brd ff:ff:ff:ff:ff:ff
        inet 172.20.11.62/28 brd 172.20.11.63 scope global enp7s0f3
           valid_lft forever preferred_lft forever
        inet6 fe80::eaea:6aff:fe0c:4c1f/64 scope link
           valid_lft forever preferred_lft forever
    8: enp8s5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
        link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
    9: enp10s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 30:85:a9:8e:b9:a0 brd ff:ff:ff:ff:ff:ff
        inet 10.215.144.91/32 scope global enp10s0
           valid_lft forever preferred_lft forever
        inet 10.215.144.6/32 scope global enp10s0
           valid_lft forever preferred_lft forever
        inet 10.215.246.91/32 scope global enp10s0
           valid_lft forever preferred_lft forever
        inet 192.168.144.91/24 brd 192.168.144.255 scope global enp10s0
           valid_lft forever preferred_lft forever
        inet 10.215.145.241/32 scope global enp10s0
           valid_lft forever preferred_lft forever
        inet 10.215.145.242/32 scope global enp10s0
           valid_lft forever preferred_lft forever
        inet 10.215.145.81/32 scope global enp10s0
           valid_lft forever preferred_lft forever
        inet6 fe80::3285:a9ff:fe8e:b9a0/64 scope link
           valid_lft forever preferred_lft forever
    26: tun148: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
        link/none
        inet 192.168.148.1/22 brd 192.168.151.255 scope global tun148
           valid_lft forever preferred_lft forever
        inet6 fe80::e00e:1aef:f904:bc06/64 scope link flags 800
           valid_lft forever preferred_lft forever
    27: tun146: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
        link/none
        inet 192.168.146.1/24 brd 192.168.146.255 scope global tun146
           valid_lft forever preferred_lft forever
        inet6 fe80::2cb6:e903:de8f:e12a/64 scope link flags 800
           valid_lft forever preferred_lft forever
    28: tun147: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
        link/none
        inet 192.168.147.1/27 brd 192.168.147.31 scope global tun147
           valid_lft forever preferred_lft forever
        inet6 fe80::ac5f:bf46:8407:a3d7/64 scope link flags 800
           valid_lft forever preferred_lft forever

Thanks,

Vieri
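Added example, not part of the original post: a small check that scans tcpdump ARP output for replies in which the gateway's own MAC answers for an address the gateway does not hold, which is the symptom described above. The MAC and the enp10s0 addresses are taken from the post; the function name and the last two capture lines are constructed for illustration.

```python
import ipaddress
import re

# Values taken from the post: MAC and addresses of the LAN interface enp10s0.
GATEWAY_MAC = "30:85:a9:8e:b9:a0"
GATEWAY_IPS = {
    "10.215.144.91", "10.215.144.6", "10.215.246.91", "192.168.144.91",
    "10.215.145.241", "10.215.145.242", "10.215.145.81",
}

# First two lines are the capture from the post; the last two are constructed.
CAPTURE = """\
12:16:54.954199 ARP, Request who-has 192.168.200.21 (30:85:a9:8e:b9:a0) tell 192.168.200.249, length 46
12:16:54.954219 ARP, Reply 192.168.200.21 is-at 30:85:a9:8e:b9:a0, length 28
12:16:55.100000 ARP, Reply 10.215.144.91 is-at 30:85:a9:8e:b9:a0, length 28
12:16:55.200000 ARP, Reply 192.168.200.30 is-at 00:11:22:33:44:55, length 46
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>[0-9a-fA-F:]{17})"
)


def find_proxied_replies(capture, gw_mac, gw_ips, watch_net=None):
    """Return (timestamp, ip) for replies where the gateway's MAC answers
    for an address the gateway does not own, i.e. a proxy ARP answer."""
    net = ipaddress.ip_network(watch_net) if watch_net else None
    own = {ipaddress.ip_address(a) for a in gw_ips}
    hits = []
    for line in capture.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            continue  # requests and non-ARP lines are ignored
        ip = ipaddress.ip_address(m["ip"])
        if m["mac"].lower() != gw_mac.lower():
            continue  # answered by some other station
        if ip in own:
            continue  # gateway legitimately answering for itself
        if net is not None and ip not in net:
            continue  # outside the subnet being audited
        hits.append((m["ts"], str(ip)))
    return hits


if __name__ == "__main__":
    for ts, ip in find_proxied_replies(CAPTURE, GATEWAY_MAC, GATEWAY_IPS,
                                       "192.168.200.0/24"):
        print(f"{ts} proxy ARP answer for {ip} from {GATEWAY_MAC}")
```

Running the same check before and after a configuration change shows whether the gateway has stopped answering for hosts in 192.168.200.0/24.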