Hi, I tried once again my vlan-bridged setup today, but it was a complete fiasco.
Configuration 2 was loaded at around 07:45:44, and Configuration 1 was restored shortly after 8am (08:04:56). While Configuration 1 seems to "work fine", Configuration 2 however seems to be "poisoning" LAN traffic in the sense that it even affects intra-LAN traffic (in the "lan" zone) which should not or does not need to flow through the Shorewall firewall (i.e. it affects a lan zone host A pinging another lan zone host B). Reverting to Configuration 1 or simply disconnecting the Shorewall box's lan interface clears the issue out. So I have a feeling there's something wrong with the interface configured as a bridge. Please note however that in Configuration 1 I have two interfaces in bridge mode (dmz and lanx). Both seem to be behaving as expected, but on the other hand there are far fewer hosts involved there so I'm not 100% sure everything is really flawless. At least for now, pinging a host behind the dmzbr interface from $FW seems to work fine (no packet loss). Same results when pinging from a lan zone host to the same host behind dmzbr.

As seen in the log below the FORWARD:REJECT messages only appear at 08:02:45, but the ping havoc started as soon as Configuration 2 was loaded (07:46). It might also be because I added the routeback option to both IF_CAIB and IF_IBS. Before that I see a lot of DROPped packets regarding NetBIOS (UDP 137, 138), but I believe that should not have anything to do with my ping failures (also, the dropped packets are between lan0-lan1, lan0-lan13, etc. zones which is OK according to my rules or policy).

Here's my shorewall log file taken while Configuration 2 was applied:
https://drive.google.com/open?id=1wsjU8N9-3_luMQrO8dOqiMAno456Fnz6

Here's a shorewall dump taken while there was heavy packet loss, e.g. between $FW and lan host with IP addr. 10.215.144.48, but also from lan host with IP addr. 10.215.144.42 to $FW, etc. As stated earlier intra-LAN communication is also heavily affected.
https://drive.google.com/open?id=1sqBjjxJhp_ZEPv22Hwm-s0wFXO3ccTRs

I can't afford applying Configuration 2 for a third time without some major config changes, or a way to trace the problem. If only I could reproduce the issue on my dmzbr interface on my working config (Configuration 1)... I am willing to send all my Shorewall config files if they can be of any use. Please note that I placed a very permissive rule just to make sure I wouldn't get unwanted dropped packets:

ACCEPT lan0,lan1 $FW,caib,ibs,wan,dmz all

The ping failures involve hosts within lan0 and lan. What could I try next?

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users