On 2/15/19 1:47 AM, Vieri Di Paola wrote:
> Hi,
> 
> I tried once again my vlan-bridged setup today, but it was a complete fiasco.
> 
> Configuration 2 was loaded at around 07:45:44, and Configuration 1 was
> restored shortly after 8am (08:04:56).
> While Configuration 1 seems to "work fine", Configuration 2 however
> seems to be "poisoning" LAN traffic in the sense that it even affects
> intra-LAN traffic (in the "lan" zone) which should not or does not
> need to flow through the Shorewall firewall (ie. it affects a lan zone
> host A pinging another lan zone host B).
> Reverting to Configuration 1 or simply disconnecting the Shorewall
> box's lan interface clears the issue out.
> So I have a feeling there's something wrong with the interface
> configured as a bridge.
> Please note however that in Configuration 1 I have two interfaces in
> bridge mode (dmz and lanx). Both seem to be behaving as expected, but
> on the other hand there are far fewer hosts involved there so I'm not
> 100% sure everything is really flawless. At least for now, pinging a
> host behind the dmzbr interface from $FW seems to work fine (no packet
> loss). Same results when pinging from a lan zone host to the same host
> behind dmzbr.
> 
> As seen in the log below the FORWARD:REJECT messages only appear at
> 08:02:45, but the ping havoc started as soon as Configuration 2 was
> loaded (07:46). It might also be because I added the routeback option
> to both IF_CAIB and IF_IBS.
> Before that I see a lot of DROPped packets regarding NetBIOS (UDP 137,
> 138), but I believe that should not have anything to do with my ping
> failures (also, the dropped packets are between lan0-lan1, lan0-lan13,
> etc. zones which is OK according to my rules or policy).
> 
> Here's my shorewall log file taken while Configuration 2 was applied:
> 
> https://drive.google.com/open?id=1wsjU8N9-3_luMQrO8dOqiMAno456Fnz6
> 
> Here's a shorewall dump taken while there was heavy packet loss, eg.
> between $FW and lan host with IP addr. 10.215.144.48, but also from
> lan host with IP addr. 10.215.144.42 to $FW, etc. As stated earlier
> intra-LAN communication is also heavily affected.
> 
> https://drive.google.com/open?id=1sqBjjxJhp_ZEPv22Hwm-s0wFXO3ccTRs
> 
> I can't afford applying Configuration 2 for a third time without some
> major config changes, or a way to trace the problem. If only I could
> reproduce the issue on my dmzbr interface on my working config
> (Configuration 1)...
> I am willing to send all my Shorewall config files if they can be of any use.
> Please note that I placed a very permissive rule just to make sure I
> wouldn't get unwanted dropped packets:
> 
> ACCEPT          lan0,lan1       $FW,caib,ibs,wan,dmz    all
> 
> The ping failures involve hosts within lan0 and lan.
> 
> What could I try next?
> 

In Configuration 1, hosts connected through enp10s0 needed to forward
traffic to the enp5s0 VLANs through the firewall. Do they have entries
in their routing tables for such forwarding? From the log, this appears
to be the case. Similarly, hosts connecting through the VLANs had to
forward traffic through the firewall to reach hosts on enp10s0. They
appear to still be trying to do that, because I see ethernet frames
addressed to the firewall's L2 address with destination IP addresses
that are not local to the firewall.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
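Tom's observation above (frames addressed to the firewall's Ethernet address but carrying destination IPs that are not the firewall's own) can be checked directly from a capture taken on the bridge interface. The script below is an added example, not part of this thread and not a Shorewall tool: it parses lines in the format printed by `tcpdump -e -n`, keeps only IPv4 frames whose destination MAC is the firewall's, and splits them into traffic meant for the firewall itself, traffic the firewall legitimately routes to another subnet, and "stale" traffic where both endpoints sit inside the bridged LAN and the sender is still using the firewall as its next hop. The firewall MAC, the firewall's LAN address 10.215.144.1, the /24 bridged subnet and the VLAN host 192.168.10.5 are constructed assumptions; the sample capture is constructed as well.

```python
import ipaddress
import re
from collections import defaultdict

# One line of `tcpdump -e -n` output for an IPv4 frame, e.g.
# "07:46:12.000001 <src mac> > <dst mac>, ethertype IPv4 (0x0800), length 98: 10.215.144.42 > 10.215.144.48: ICMP ..."
# Ports ("10.215.144.42.137") are tolerated and discarded; non-IPv4 lines (ARP etc.) do not match.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype IPv4 .*?: "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?[:,]",
    re.IGNORECASE,
)

# Constructed assumptions: the firewall's bridge MAC and LAN address, and the bridged subnet.
FW_MACS = {"00:16:3e:aa:bb:01"}
FW_IPS = {"10.215.144.1"}
BRIDGED_NET = ipaddress.ip_network("10.215.144.0/24")

# Constructed sample capture (the 10.215.144.42 / .48 hosts come from the thread,
# the MACs, the VLAN host 192.168.10.5 and the timestamps are made up).
SAMPLE_CAPTURE = """\
07:46:12.000001 00:16:3e:aa:bb:42 > 00:16:3e:aa:bb:01, ethertype IPv4 (0x0800), length 98: 10.215.144.42 > 10.215.144.48: ICMP echo request, id 1, seq 1, length 64
07:46:12.000002 00:16:3e:aa:bb:42 > 00:16:3e:aa:bb:01, ethertype IPv4 (0x0800), length 98: 10.215.144.42 > 10.215.144.1: ICMP echo request, id 2, seq 1, length 64
07:46:12.000003 00:16:3e:aa:bb:48 > 00:16:3e:aa:bb:42, ethertype IPv4 (0x0800), length 98: 10.215.144.48 > 10.215.144.42: ICMP echo reply, id 1, seq 1, length 64
07:46:12.000004 00:16:3e:aa:bb:42 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 10.215.144.42.137 > 10.215.144.255.137: UDP, length 50
07:46:12.000005 00:16:3e:aa:bb:42 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.215.144.48 tell 10.215.144.42, length 28
07:46:12.000006 00:16:3e:aa:bb:48 > 00:16:3e:aa:bb:01, ethertype IPv4 (0x0800), length 74: 10.215.144.48.51234 > 192.168.10.5.22: Flags [S], seq 1, win 64240, length 0
"""


def parse_frame(line):
    """Return the MAC/IP fields of one tcpdump line, or None if it is not an IPv4 frame."""
    m = TCPDUMP_RE.match(line)
    return m.groupdict() if m else None


def classify_frames(lines, fw_macs=FW_MACS, fw_ips=FW_IPS, bridged_net=BRIDGED_NET):
    """Sort IPv4 frames addressed to the firewall's MAC into three buckets.

    to_fw  : destination IP is the firewall itself (normal).
    routed : destination IP is outside the bridged subnet (the firewall is the router).
    stale  : source and destination are both inside the bridged subnet, so the
             sender should reach the destination directly but is still handing
             the frame to the firewall (an old routing-table entry).
    Frames not addressed to the firewall, and non-IPv4 lines, are ignored.
    """
    fw_macs = {mac.lower() for mac in fw_macs}
    buckets = {"to_fw": [], "routed": [], "stale": []}
    for line in lines:
        f = parse_frame(line)
        if f is None or f["dst_mac"].lower() not in fw_macs:
            continue
        pair = (f["src_ip"], f["dst_ip"])
        src = ipaddress.ip_address(f["src_ip"])
        dst = ipaddress.ip_address(f["dst_ip"])
        if f["dst_ip"] in fw_ips:
            buckets["to_fw"].append(pair)
        elif src in bridged_net and dst in bridged_net:
            buckets["stale"].append(pair)
        else:
            buckets["routed"].append(pair)
    return buckets


def stale_hosts(lines, **kwargs):
    """Map each sender still routing intra-LAN traffic via the firewall to the LAN hosts it targets."""
    by_host = defaultdict(set)
    for src_ip, dst_ip in classify_frames(lines, **kwargs)["stale"]:
        by_host[src_ip].add(dst_ip)
    return {host: sorted(dsts) for host, dsts in sorted(by_host.items())}


if __name__ == "__main__":
    result = classify_frames(SAMPLE_CAPTURE.splitlines())
    for bucket, pairs in result.items():
        print(f"{bucket:6s} {len(pairs)} frame(s): {pairs}")
    print("hosts with stale next-hop:", stale_hosts(SAMPLE_CAPTURE.splitlines()))
```

On a live system the same check is `tcpdump -e -n -i <bridge> ether dst <firewall mac>` piped into the script; a non-empty "stale" bucket names the hosts whose routing tables still carry the pre-bridge entries Tom describes, which is what to fix on the host side before trying Configuration 2 again.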


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
