Here's an update on my test network setup.

  Shorewall box with lanbr bridge on one NIC over multiple VLANs (management IP addr. 192.168.215.1)
    |
  Port 1 - UniFi Switch (management IP addr. 192.168.215.1)
  Port 2 - Host 1 (IP addr. 192.168.215.101)
  Port 3 - Host 2 (IP addr. 192.168.215.102)

I ran the following commands while hosts 1, 2 and the Shorewall box could not ping each other properly.

On the Shorewall box:

  # brctl show
  bridge name     bridge id               STP enabled     interfaces
  dmzbr           8000.6805ca116430       no              enp5s0
                                                          enp5s0.1
                                                          enp5s0.11
  lanbr           8000.00e3c05f815d       no              enp5s0.12
                                                          enp8s5
                                                          enp8s5.1
                                                          enp8s5.12
                                                          enp8s5.13
                                                          enp8s5.14
                                                          enp8s5.15

  # brctl showstp lanbr
  lanbr
   bridge id              8000.00e3c05f815d
   designated root        8000.00e3c05f815d
   root port                 0                    path cost                  0
   max age                  20.00                 bridge max age            20.00
   hello time               10.00                 bridge hello time         10.00
   forward delay             0.00                 bridge forward delay       0.00
   ageing time             300.00
   hello timer               0.00                 tcn timer                  0.00
   topology change timer     0.00                 gc timer                 165.76
   flags

  enp5s0.12 (2)
   port id                8002                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8002                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

  enp8s5 (1)
   port id                8001                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8001                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

  enp8s5.1 (3)
   port id                8003                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8003                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

  enp8s5.12 (4)
   port id                8004                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8004                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

  enp8s5.13 (5)
   port id                8005                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8005                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

  enp8s5.14 (6)
   port id                8006                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8006                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

  enp8s5.15 (7)
   port id                8007                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8007                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

Unfortunately, on the UniFi switch I can't seem to get any info from brctl:

  # brctl show
  bridge name     bridge id               STP enabled     interfaces

  # ip addr show
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN group default
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
      inet6 ::1/128 scope host
         valid_lft forever preferred_lft forever
  2: sit0: <NOARP> mtu 1280 qdisc noop state DOWN group default
      link/sit 0.0.0.0 brd 0.0.0.0
  3: ip6tnl0: <NOARP> mtu 1452 qdisc noop state DOWN group default
      link/tunnel6 :: brd ::
  4: eth0: <BROADCAST,MULTICAST,ALLMULTI,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
      link/ether b4:fb:e4:1d:36:57 brd ff:ff:ff:ff:ff:ff
      inet 192.168.215.75/24 brd 192.168.215.255 scope global eth0
      inet6 fe80::b6fb:e4ff:fe1d:3657/64 scope link
         valid_lft forever preferred_lft forever

So I decided to enable STP on the Shorewall box, with:

  # brctl show
  bridge name     bridge id               STP enabled     interfaces
  dmzbr           8000.6805ca116430       no              enp5s0
                                                          enp5s0.1
                                                          enp5s0.11
  lanbr           8000.00e3c05f815d       yes             enp5s0.12
                                                          enp8s5
                                                          enp8s5.1
                                                          enp8s5.12
                                                          enp8s5.13
                                                          enp8s5.14
                                                          enp8s5.15

The "showstp" command seems to yield the same output:

  # brctl showstp lanbr
  lanbr
   bridge id              8000.00e3c05f815d
   designated root        8000.00e3c05f815d
   root port                 0                    path cost                  0
   max age                  20.00                 bridge max age            20.00
   hello time               10.00                 bridge hello time         10.00
   forward delay             2.00                 bridge forward delay       2.00
   ageing time             300.00
   hello timer               8.54                 tcn timer                  0.00
   topology change timer     0.00                 gc timer                 162.54
   flags

  enp5s0.12 (2)
   port id                8002                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8002                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

  enp8s5 (1)
   port id                8001                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8001                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

  enp8s5.1 (3)
   port id                8003                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8003                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

  enp8s5.12 (4)
   port id                8004                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8004                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

  enp8s5.13 (5)
   port id                8005                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8005                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

  enp8s5.14 (6)
   port id                8006                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8006                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

  enp8s5.15 (7)
   port id                8007                    state                forwarding
   designated root        8000.00e3c05f815d       path cost                  4
   designated bridge      8000.00e3c05f815d       message age timer          0.00
   designated port        8007                    forward delay timer        0.00
   designated cost           0                    hold timer                 0.00
   flags

The issues found are exactly the same. I also tried disabling STP on both the UniFi switch and the Shorewall box. Still the same issues.

So I decided to remove the UniFi switch from the network topology to make things simpler: the Shorewall box's enp8s5 (lanbr) NIC, host 1 and host 2 are all connected to a simple unmanaged switch. Whether or not I enable STP on the Shorewall box's lanbr bridge, I still get exactly the same behavior.

Here's a tcpdump taken on lanbr while pinging between all 3 hosts. There's no trace of STP, but I'm still getting major ICMP packet loss.

https://drive.google.com/file/d/1yJfSvyu8trYLXwiPKIa4yuXeNwBFtsnW/view?usp=sharing

Basically, pinging between hosts 1 and 2 works fine until I connect my Shorewall box. I have no clue what's going on here.

If no one has anything to suggest then I'll have to ditch Linux VLAN bridges and find another network topology that can work for me.

Thanks,

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users