Vieri Di Paola <vieridipa...@gmail.com> wrote:
> My configuration is driving me bonkers. It's a bit complex, but I've
> isolated the failing behavior (I can reproduce it). Here's an overview
> of what happens:
>
> I have 3 switch ports configured to allow all traffic (no vlan
> restrictions).
> The shorewall NIC is a Linux bridge of vlan interfaces. There's
> obviously something dead wrong with my network configuration on the
> shorewall box, but I can't seem to figure out what it is.

I'm not so sure it's the Shorewall box.

> I ran tcpdump on the bridge interface during the failure, and could
> see lines such as:
> ARP, Request who-has 192.168.215.1 tell 192.168.215.102, length 46
> ARP, Reply 192.168.215.1 is-at 00:e3:c0:5f:81:5d, length 28
> IP 192.168.215.101 > 192.168.215.102: ICMP echo request, id 1, seq
> 28135, length 40
>
> I'm guessing this ICMP request (line above) might not have a reply,
> and that's what I'm seeing on hosts 1 and 2 (ping failures).

I see STP (Spanning Tree) traffic in your dump, so one obvious question is how long you waited after plugging the Shorewall device into the switch. With standard Spanning Tree, when you change network topology, it can interrupt network traffic for something like 30s or longer (IIRC it can be a couple of minutes - depends on how much the tree changes). You have a Linux bridge which defaults to running STP, and the network switch also probably is running STP - connect the two, there's a topology change, and it disrupts traffic for a while.

It's interesting that you see traffic between the two hosts which should not be reaching the Shorewall box - that suggests that the switch is doing something silly. Could it be that your Shorewall box is becoming the root bridge when you plug it in, and disrupting traffic for "a while"? If you have not changed any bridge priorities, then they will all be at the default of 32768 and so the device with the lowest MAC address (which appears to be your Shorewall box) will win the election.

I note that in the packet dump, the Shorewall box is seeing unicast traffic that it should not be seeing:
> 192.168.215.101 > 192.168.215.102: ICMP echo request
That in itself is a sign that there's something wrong with packet routing at L2 - that packet should not have gone out of the port the Shorewall box is connected to. My guess (note, guess) is that the switch is going through an intermediate stage as the tree re-configures.

I don't know your background/skills, but I've found that some even quite advanced network engineers don't understand STP - or even think to configure it. At my last job, I took over management of a campus network on a science park. No STP had been configured, and it turned out that a client's switch had taken on the role of root! Also, the switches (all Cisco of early noughties vintage) had a limit of 64 trees - so some VLANs didn't have STP running at all. As it happens, there were no loops or redundant links so STP was redundant anyway. So one of the first things I did was set some priorities to set the root and backup root to make some sense - later I changed things to MSTP.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
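The root-bridge election described in the reply above (every bridge left at the default priority of 32768, so the lowest MAC wins) can be worked through in a few lines. The following is an added illustration and is not code from the thread or from Shorewall; the bridge names, MAC addresses and chosen priorities are constructed for the example. It builds the 802.1D bridge identifier (16-bit priority followed by the 48-bit MAC), elects the root as the numerically lowest ID, and then shows the same site with priorities set deliberately so a Linux bridge on a firewall can never win.

```python
"""STP root-bridge election, as a constructed illustration.

Per IEEE 802.1D the bridge ID is a 16-bit priority followed by the bridge's
6-byte MAC address; the bridge with the numerically lowest ID becomes root.
All names, MACs and priorities below are constructed for this example.
"""
from __future__ import annotations

DEFAULT_PRIORITY = 32768  # 802.1D default; every bridge ties on this unless configured


def bridge_id(priority: int, mac: str) -> int:
    """Build the 64-bit bridge identifier: priority in the top 16 bits, MAC below."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in 16 bits")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int > 0xFFFFFFFFFFFF:
        raise ValueError("MAC must be 48 bits")
    return (priority << 48) | mac_int


def elect_root(bridges: dict[str, tuple[int, str]]) -> str:
    """Return the name of the bridge that wins the election (lowest bridge ID)."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


# Constructed topology: two switches left at the default priority and a Linux
# bridge on the firewall whose MAC happens to be numerically lowest.
SITE = {
    "core-switch":   (DEFAULT_PRIORITY, "00:1b:2c:00:00:01"),
    "access-switch": (DEFAULT_PRIORITY, "00:1b:2c:00:00:02"),
    "firewall-br0":  (DEFAULT_PRIORITY, "00:0a:00:00:00:01"),
}


def hardened(bridges: dict[str, tuple[int, str]]) -> dict[str, tuple[int, str]]:
    """Same site with priorities chosen on purpose: core is root, the access
    switch is the backup root, and the firewall bridge is pinned to the
    maximum 16-bit value so it loses every election."""
    fixed = dict(bridges)
    fixed["core-switch"] = (4096, bridges["core-switch"][1])
    fixed["access-switch"] = (8192, bridges["access-switch"][1])
    fixed["firewall-br0"] = (65535, bridges["firewall-br0"][1])
    return fixed


if __name__ == "__main__":
    print("default priorities -> root:", elect_root(SITE))              # firewall-br0
    print("explicit priorities -> root:", elect_root(hardened(SITE)))   # core-switch
```

On the Linux side the bridge's current setting is readable from /sys/class/net/<bridge>/bridge/stp_state and /sys/class/net/<bridge>/bridge/priority, and the priority can be raised with `ip link set dev br0 type bridge priority 65535` (the kernel bridge accepts the full 0 to 65535 range; switches that implement the 802.1t system-ID extension only accept multiples of 4096, up to 61440). Where the Linux bridge has no redundant uplink, disabling STP on it with `stp_state 0` is the other way to keep it out of the election entirely.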