On Sat, Feb 16, 2019 at 6:17 PM Tom Eastep <teas...@shorewall.net> wrote:

> But the routing is very different! The Shorewall box won't route (l343)
> between ports on a bridge, so unless you change the routing on all of
> the VLAN hosts, communication between hosts in lan0 and the other lan*
> zones will be impossible. Not to mention that the MAC address of lanbr
> changes when you activate configuration 2.
I reviewed my policy file to find out that I had set to DROP traffic from lan0 to lan. That might explain why hosts behind enp10s0 would sometimes fail to communicate with **each other**.

However, I don't see why a ping from $FW to a host behind enp10s0 (e.g. host with IP addr. 10.215.144.48) would have a 50% packet loss ($FW->lan ACCEPT policy).

The shorewall dump even shows the following entry in the ARP table (when pinging from $FW to a host in the lan zone with IP addr. 10.215.144.48):

? (10.215.144.48) at 00:01:6c:d5:b8:76 [ether] on lanbr

At the time of failure I didn't check the lan host's arp table, but if it was replying (with 50% failure) then I'm guessing it was updated with lanbr's MAC address.

From your comment "the MAC address of lanbr changes when you activate configuration 2" I understand there's been a mix-up.

The lanbr in Configuration 1 is just a test bridge on another NIC (enp8s5). This "test NIC" has been removed in Configuration 2.

The lanbr in Configuration 2 is the same as enp10s0 in Configuration 1 except that it's in bridge mode and has vlans defined. The MAC address is identical in both Configurations 1 and 2. I can confirm that under "IP stats" in the shorewall dumps of Configurations 1 and 2.

So, coming back to my ping issue between $FW and the lan host at 10.215.144.48, the Shorewall box's lan interface MAC address would not have changed when switching from Configuration 1 to Configuration 2. So no ARP cache issues.

The reason why I was stating in my previous message that basically the only big difference between Configuration 1 and 2 is the lan bridge is because the only truly active NIC change is:

enp10s0 in Config 1 -> bridge of enp10s0 vlans in Config 2

(the same "lanbr" name was used between Configs, and it seems to have been misleading)

Vieri
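The thread above suspects a MAC mix-up behind the 50% ping loss but notes that the ARP table was only checked once. The script below is an added example, not from the thread or from Shorewall: it takes repeated `ip -4 neigh show` snapshots (assumed Linux iproute2 output format) on stdin and reports any IP that was seen with more than one lladdr, which is the symptom an ARP-cache flap would leave. The sample snapshot is constructed; the first MAC is the one quoted in the thread, the second is a made-up placeholder.

```sh
#!/bin/sh
# Added example: detect IPs whose neighbour entries alternate between MACs.
# Feed several `ip -4 neigh show` snapshots (taken while pinging) on stdin.

# mac_flaps: print "IP MAC1 MAC2 ..." for every IP seen with more than one
# distinct lladdr across the snapshots; prints nothing when the table is stable.
mac_flaps() {
    awk '
        # ip neigh line: <ip> dev <ifname> lladdr <mac> <state>
        {
            mac = ""
            for (i = 1; i < NF; i++) if ($i == "lladdr") mac = $(i + 1)
            if (mac == "") next            # FAILED/INCOMPLETE entries carry no lladdr
            ip = $1
            if (!((ip, mac) in seen)) {
                seen[ip, mac] = 1
                macs[ip] = macs[ip] " " mac
                count[ip]++
            }
        }
        END { for (ip in count) if (count[ip] > 1) print ip macs[ip] }
    ' | sort
}

# Constructed sample: two snapshots of the lanbr neighbour table during a ping.
# 10.215.144.48 answers from two different MACs (a flap); 10.215.144.1 is stable.
SAMPLE='10.215.144.48 dev lanbr lladdr 00:01:6c:d5:b8:76 REACHABLE
10.215.144.1 dev lanbr lladdr 00:11:22:33:44:55 STALE
10.215.144.48 dev lanbr lladdr aa:bb:cc:dd:ee:ff REACHABLE
10.215.144.1 dev lanbr lladdr 00:11:22:33:44:55 REACHABLE'

# sample_flaps: run the detector over the constructed snapshots.
sample_flaps() {
    printf '%s\n' "$SAMPLE" | mac_flaps
}

sample_flaps
# Live use (not run here), five snapshots one second apart while a ping runs:
#   { for i in 1 2 3 4 5; do ip -4 neigh show dev lanbr; sleep 1; done; } | mac_flaps
```

Run the live form on both the Shorewall box and the lan host, since the thread notes only the firewall side was inspected.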