On 05/04/2018 11:19 AM, Norman Henderson wrote: > Hello again Tom, After a busy week I got back to this and I have some > interesting data. After a bit more than 2 hours of monitoring, in > tcpdump I found the time that the first packets start to be directed > (inappropriately) via wlan1 to the address that was the original > destination, 10.1.0.252. > Around that time I found the following conntrack -E entries (readable > times added): > > 08:47:57 [1525420077.899523][DESTROY] udp 17 src=10.1.0.3 > dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40 > sport=5060 dport=5060 [ASSURED] delta-time=1423 > 08:48:14 [1525420094.949138] [NEW] udp 17 3607 src=10.1.0.3 > dst=10.1.0.252 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.35 > dst=192.168.1.40 sport=5060 dport=5060 helper=sip > 08:48:39 [1525420119.414182][UPDATE] udp 17 3600 src=10.1.0.3 > dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40 > sport=5060 dport=5060 helper=sip > 08:48:39 [1525420119.414356][UPDATE] udp 17 3600 src=10.1.0.3 > dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40 > sport=5060 dport=5060 [ASSURED] helper=sip > 09:04:39 [1525421079.191758][DESTROY] udp 17 src=10.1.0.3 > dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.35 dst=192.168.1.40 > sport=5060 dport=5060 [ASSURED] delta-time=985 > 09:04:39 [1525421079.791446] [NEW] udp 17 3613 src=10.1.0.3 > dst=10.1.0.252 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.35 > dst=10.1.0.3 sport=5060 dport=5060 helper=sip > Suddenly the DST address is different. > > The corresponding tcpdump data on vlan1 is: > 09:03:12.540129 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: REGISTER > sip:10.1.0.252 SIP/2.0 > 09:03:12.570423 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 200 OK > 09:03:14.969710 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP > 09:03:39.763456 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS > sip:10.1.0.252 SIP/2.0 > 09:03:39.790185 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 504 > Server Time-out > 09:03:39.790307 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 504 > Server Time-out > 09:03:39.790426 IP 10.1.0.252.5060 > 10.1.0.3.5060: SIP: SIP/2.0 504 > Server Time-out > 09:04:14.970098 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP > 09:04:39.791168 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS > sip:10.1.0.252 SIP/2.0 > 09:04:39.791424 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS > sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0 > 09:04:40.791264 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS > sip:10.1.0.252 SIP/2.0 > 09:04:40.791467 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS > sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0 > 09:04:41.790606 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS > sip:10.1.0.252 SIP/2.0 > 09:04:41.790809 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS > sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0 > 09:04:42.791197 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS > sip:10.1.0.252 SIP/2.0 > 09:04:42.791402 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS > sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0 > 09:04:43.790635 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS > sip:10.1.0.252 SIP/2.0 > 09:04:43.790846 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS > sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0 > 09:04:53.791447 IP 10.1.0.3.5060 > 10.1.0.252.5060: SIP: OPTIONS > sip:10.1.0.252 SIP/2.0 > Before and after that section, the addresses on vlan1 are always > 10.1.0.3 and 10.1.0.252 as they should be. > > I also was running tcpdump on wlan1: > (earlier entries are all between 192.168.1.40 and 192.168.1.35) > 09:04:14.970293 IP 192.168.1.40.5060 > 192.168.1.35.5060: SIP > 09:04:53.791704 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS > sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0 > 09:04:54.791616 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS > sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0 > 09:04:55.792774 IP 10.1.0.3.5060 > 192.168.1.35.5060: SIP: OPTIONS > sip:192.168.1.35:5060 <http://192.168.1.35:5060> SIP/2.0 > (subsequent entries are all from 10.1.0.3 to 192.168.1.35 without > responses) > > The most interesting part perhaps is syslog, including the output of > shorewall iptrace -p udp --destination-port 5060: > May 4 09:04:09 voyage3 dhclient[1664]: DHCPREQUEST of 192.168.1.40 on > wlan1 to 192.168.1.35 port 67 (xid=0x5104a2ea) > May 4 09:04:14 voyage3 kernel: [477354.231212] TRACE: > raw:PREROUTING:rule:13 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=31 TOS=0x00 PREC=0x60 > TTL=64 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11 > May 4 09:04:14 voyage3 kernel: [477354.231243] TRACE: > raw:PREROUTING:policy:14 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=31 TOS=0x00 PREC=0x > 60 TTL=64 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11 > May 4 09:04:14 voyage3 kernel: [477354.231267] TRACE: > mangle:PREROUTING:policy:1 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=31 TOS=0x00 PREC= > 0x60 TTL=64 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11 > May 4 09:04:14 voyage3 kernel: [477354.231297] TRACE: > mangle:FORWARD:rule:1 IN=vlan1 OUT=wlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=31 TOS=0x00 PRE > C=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11 > May 4 09:04:14 voyage3 kernel: [477354.231315] TRACE: > mangle:FORWARD:policy:2 IN=vlan1 OUT=wlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=31 TOS=0x00 P > REC=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11 > May 4 09:04:14 voyage3 kernel: [477354.231332] TRACE: > filter:FORWARD:rule:1 IN=vlan1 OUT=wlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=31 TOS=0x00 PRE > C=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11 > May 4 09:04:14 voyage3 kernel: [477354.231353] TRACE: > filter:clean_frwd:rule:2 IN=vlan1 OUT=wlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=31 TOS=0x00 > PREC=0x60 TTL=63 ID=37212 PROTO=UDP SPT=5060 DPT=5060 LEN=11 > May 4 09:04:14 voyage3 kernel: [477354.231368] TRACE: > mangle:POSTROUTING:policy:1 IN= OUT=wlan1 SRC=10.1.0.3 > DST=192.168.1.35 LEN=31 TOS=0x00 PREC=0x60 TTL=63 ID=37212 PROTO=UDP > SPT=5060 DPT > =5060 LEN=11 > May 4 09:04:24 voyage3 dhclient[1664]: message repeated 3 times: [ > DHCPREQUEST of 192.168.1.40 on wlan1 to 192.168.1.35 port 67 > (xid=0x5104a2ea)] > May 4 09:04:34 voyage3 dhclient[1664]: DHCPREQUEST of 192.168.1.40 on > wlan1 to 255.255.255.255 port 67 (xid=0x5104a2ea) > May 4 09:04:39 voyage3 avahi-daemon[980]: Withdrawing address record > for 192.168.1.40 on wlan1. > May 4 09:04:39 voyage3 avahi-daemon[980]: Leaving mDNS multicast > group on interface wlan1.IPv4 with address 192.168.1.40. > May 4 09:04:39 voyage3 avahi-daemon[980]: Interface wlan1.IPv4 no > longer relevant for mDNS. > May 4 09:04:39 voyage3 dhclient[1664]: DHCPDISCOVER on wlan1 to > 255.255.255.255 port 67 interval 3 (xid=0xd862dc03) > May 4 09:04:39 voyage3 kernel: [477379.054124] TRACE: > raw:PREROUTING:rule:13 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:39 voyage3 kernel: [477379.054148] TRACE: > raw:PREROUTING:policy:14 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:39 voyage3 kernel: [477379.054169] TRACE: > mangle:PREROUTING:policy:1 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:39 voyage3 kernel: [477379.054184] TRACE: > nat:PREROUTING:rule:1 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37213 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:39 voyage3 kernel: [477379.054224] TRACE: > mangle:FORWARD:rule:1 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:39 voyage3 kernel: [477379.054236] TRACE: > mangle:FORWARD:policy:2 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:39 voyage3 kernel: [477379.054248] TRACE: > filter:FORWARD:rule:1 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:39 voyage3 kernel: [477379.054262] TRACE: > filter:clean_frwd:rule:1 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:39 voyage3 kernel: [477379.054276] TRACE: > filter:dynamic:return:1 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:39 voyage3 kernel: [477379.054288] TRACE: > filter:clean_frwd:rule:4 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:39 voyage3 kernel: [477379.054297] TRACE: > mangle:POSTROUTING:policy:1 IN= OUT=vlan1 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:39 voyage3 kernel: [477379.054306] TRACE: > nat:POSTROUTING:policy:3 IN= OUT=vlan1 SRC=10.1.0.3 DST=192.168.1.35 > LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37213 PROTO=UDP SPT=5060 DPT=5060 > LEN=525 > May 4 09:04:40 voyage3 kernel: [477380.054284] TRACE: > raw:PREROUTING:rule:13 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37214 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:40 voyage3 kernel: [477380.054308] TRACE: > raw:PREROUTING:policy:14 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37214 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:40 voyage3 kernel: [477380.054326] TRACE: > mangle:PREROUTING:policy:1 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37214 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:40 voyage3 kernel: [477380.054360] TRACE: > mangle:FORWARD:rule:1 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:40 voyage3 kernel: [477380.054373] TRACE: > mangle:FORWARD:policy:2 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:40 voyage3 kernel: [477380.054386] TRACE: > filter:FORWARD:rule:1 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:40 voyage3 kernel: [477380.054400] TRACE: > filter:clean_frwd:rule:1 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:40 voyage3 kernel: [477380.054414] TRACE: > filter:dynamic:return:1 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:40 voyage3 kernel: [477380.054427] TRACE: > filter:clean_frwd:rule:4 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:40 voyage3 kernel: [477380.054437] TRACE: > mangle:POSTROUTING:policy:1 IN= OUT=vlan1 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37214 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:41 voyage3 ntpd[2704]: Deleting interface #80 wlan1, > 192.168.1.40#123, interface stats: received=0, sent=15, dropped=0, > active_time=992 secs > May 4 09:04:41 voyage3 kernel: [477381.053708] TRACE: > raw:PREROUTING:rule:13 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37215 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:41 voyage3 kernel: [477381.053731] TRACE: > raw:PREROUTING:policy:14 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37215 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:41 voyage3 kernel: [477381.053750] TRACE: > mangle:PREROUTING:policy:1 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37215 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:41 voyage3 kernel: [477381.053783] TRACE: > mangle:FORWARD:rule:1 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:41 voyage3 kernel: [477381.053795] TRACE: > mangle:FORWARD:policy:2 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:41 voyage3 kernel: [477381.053807] TRACE: > filter:FORWARD:rule:1 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:41 voyage3 kernel: [477381.053821] TRACE: > filter:clean_frwd:rule:1 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:41 voyage3 kernel: [477381.053835] TRACE: > filter:dynamic:return:1 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:41 voyage3 kernel: [477381.053847] TRACE: > filter:clean_frwd:rule:4 IN=vlan1 OUT=vlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:41 voyage3 kernel: [477381.053856] TRACE: > mangle:POSTROUTING:policy:1 IN= OUT=vlan1 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37215 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:42 voyage3 dhclient[1664]: DHCPDISCOVER on wlan1 to > 255.255.255.255 port 67 interval 8 (xid=0xd862dc03) > ... > similar > ... > May 4 09:04:50 voyage3 dhclient[1664]: DHCPDISCOVER on wlan1 to > 255.255.255.255 port 67 interval 9 (xid=0xd862dc03) > May 4 09:04:50 voyage3 dhclient[1664]: DHCPREQUEST of 192.168.1.40 on > wlan1 to 255.255.255.255 port 67 (xid=0x3dc62d8) > May 4 09:04:50 voyage3 dhclient[1664]: DHCPOFFER of 192.168.1.40 from > 192.168.1.35 > May 4 09:04:50 voyage3 dhclient[1664]: DHCPACK of 192.168.1.40 from > 192.168.1.35 > May 4 09:04:50 voyage3 systemd[1]: Reloading LSB: start Samba > SMB/CIFS daemon (smbd). > May 4 09:04:50 voyage3 smbd[4693]: * Reloading /etc/samba/smb.conf smbd > May 4 09:04:50 voyage3 smbd[4693]: ...done. > May 4 09:04:50 voyage3 systemd[1]: Reloaded LSB: start Samba SMB/CIFS > daemon (smbd). > May 4 09:04:50 voyage3 avahi-daemon[980]: Joining mDNS multicast > group on interface wlan1.IPv4 with address 192.168.1.40. > May 4 09:04:50 voyage3 avahi-daemon[980]: New relevant interface > wlan1.IPv4 for mDNS. > May 4 09:04:50 voyage3 avahi-daemon[980]: Registering new address > record for 192.168.1.40 on wlan1.IPv4. > May 4 09:04:50 voyage3 dhclient[1664]: bound to 192.168.1.40 -- > renewal in 30 seconds. > May 4 09:04:52 voyage3 ntpd[2704]: Listen normally on 81 wlan1 > 192.168.1.40:123 <http://192.168.1.40:123> > May 4 09:04:52 voyage3 ntpd[2704]: new interface(s) found: waking up > resolver > May 4 09:04:53 voyage3 kernel: [477393.055430] TRACE: > raw:PREROUTING:rule:13 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37218 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:53 voyage3 kernel: [477393.055460] TRACE: > raw:PREROUTING:policy:14 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37218 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:53 voyage3 kernel: [477393.055484] TRACE: > mangle:PREROUTING:policy:1 IN=vlan1 OUT= > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=10.1.0.252 LEN=545 TOS=0x00 PREC=0x60 TTL=64 ID=37218 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:53 voyage3 kernel: [477393.055509] TRACE: > mangle:FORWARD:rule:1 IN=vlan1 OUT=wlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:53 voyage3 kernel: [477393.055527] TRACE: > mangle:FORWARD:policy:2 IN=vlan1 OUT=wlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:53 voyage3 kernel: [477393.055544] TRACE: > filter:FORWARD:rule:1 IN=vlan1 OUT=wlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:53 voyage3 kernel: [477393.055566] TRACE: > filter:clean_frwd:rule:1 IN=vlan1 OUT=wlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:53 voyage3 kernel: [477393.055587] TRACE: > filter:dynamic:return:1 IN=vlan1 OUT=wlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:53 voyage3 kernel: [477393.055608] TRACE: > filter:clean_frwd:rule:5 IN=vlan1 OUT=wlan1 > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > May 4 09:04:53 voyage3 kernel: [477393.055622] TRACE: > mangle:POSTROUTING:policy:1 IN= OUT=wlan1 SRC=10.1.0.3 > DST=192.168.1.35 LEN=545 TOS=0x00 PREC=0x60 TTL=63 ID=37218 PROTO=UDP > SPT=5060 DPT=5060 LEN=525 > > So, what it looks like to me, is that the communications device fails > to respond to DHCP; avahi-daemon (which isn't relevant on this box) is > taking the interface down; the interface recovers, but > iptables/shorewall do not, unless and until I do a conntrack -F. > > On spec, I have done: systemctl disable/stop > avahi-daemon.service/.socket. I will be very interested in your > assessment. > > Best regards, Norm > Norm,
I believe that dhclient is taking the interface down. Once the interface is down, the route to 192.168.1.0/24 out of wlan1 is no longer available. I don't believe you have said which interface has the default route, but if it isn't wlan1 then when a new connection comes in, no SNAT/MASQUERADE will occur. When the interface comes back up, the conntrack entry created while the interface was down continues to be used. What is the output of 'shorewall show routing'? -Tom -- Tom Eastep \ Q: What do you get when you cross a mobster with Shoreline, \ an international standard? Washington, USA \ A: Someone who makes you an offer you can't http://shorewall.org \ understand \_______________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
