Re: [Shorewall-users] Cannot ping between hosts in the same zone but with different netmasks

Vieri Di Paola Thu, 09 Jul 2020 16:02:11 -0700

On Thu, Jul 9, 2020 at 8:39 PM Tom Eastep <teas...@shorewall.net> wrote:
>
> Do you see each packet twice (once inbound and once outbound)?


When the ICMP request/reply succeeds (it's the case of most hosts)
then yes, the requests and replies are duplicated as in this dump:

 # tcpdump -n -i lan.1  host 10.215.246.24 and host 10.215.144.48 and icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan.1, link-type EN10MB (Ethernet), capture size 262144 bytes
00:52:22.403575 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 57089, length 40
00:52:22.403608 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 57089, length 40
00:52:22.403847 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 57089, length 40
00:52:22.403880 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 57089, length 40
00:52:23.397689 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 57345, length 40
00:52:23.397723 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 57345, length 40
00:52:23.398006 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 57345, length 40
00:52:23.398043 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 57345, length 40
00:52:24.397645 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 57601, length 40
00:52:24.397676 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 57601, length 40
00:52:24.397963 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 57601, length 40
00:52:24.397999 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 57601, length 40
00:52:25.397765 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 57857, length 40
00:52:25.397784 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 57857, length 40
00:52:25.398095 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 57857, length 40
00:52:25.398122 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 57857, length 40
00:52:26.397606 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 58113, length 40
00:52:26.397631 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 58113, length 40
00:52:26.397914 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 58113, length 40
00:52:26.397950 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 58113, length 40
00:52:27.397666 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 58369, length 40
00:52:27.397696 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 58369, length 40
00:52:27.397957 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 58369, length 40
00:52:27.397992 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 58369, length 40
00:52:28.397652 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 58625, length 40
00:52:28.397687 IP 10.215.246.24 > 10.215.144.48: ICMP echo request,
id 512, seq 58625, length 40
00:52:28.397985 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 58625, length 40
00:52:28.398019 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id
512, seq 58625, length 40

For the "failing ping", I now see this dump (in my previous post, I
wasn't seeing any replies at all, only requests and not even
duplicated -- beats me):

# tcpdump -n -i lan.1 host 10.215.246.24 and host 10.215.144.251 and icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan.1, link-type EN10MB (Ethernet), capture size 262144 bytes
00:55:18.397038 IP 10.215.246.24 > 10.215.144.251: ICMP echo request,
id 512, seq 60161, length 40
00:55:18.397079 IP 10.215.246.24 > 10.215.144.251: ICMP echo request,
id 512, seq 60161, length 40
00:55:18.397202 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id
512, seq 60161, length 40
00:55:23.896969 IP 10.215.246.24 > 10.215.144.251: ICMP echo request,
id 512, seq 60417, length 40
00:55:23.897007 IP 10.215.246.24 > 10.215.144.251: ICMP echo request,
id 512, seq 60417, length 40
00:55:23.897177 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id
512, seq 60417, length 40
00:55:29.397134 IP 10.215.246.24 > 10.215.144.251: ICMP echo request,
id 512, seq 60673, length 40
00:55:29.397170 IP 10.215.246.24 > 10.215.144.251: ICMP echo request,
id 512, seq 60673, length 40
00:55:29.397337 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id
512, seq 60673, length 40
00:55:34.896823 IP 10.215.246.24 > 10.215.144.251: ICMP echo request,
id 512, seq 60929, length 40
00:55:34.896859 IP 10.215.246.24 > 10.215.144.251: ICMP echo request,
id 512, seq 60929, length 40
00:55:34.897084 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id
512, seq 60929, length 40
00:55:40.396974 IP 10.215.246.24 > 10.215.144.251: ICMP echo request,
id 512, seq 61185, length 40
00:55:40.397012 IP 10.215.246.24 > 10.215.144.251: ICMP echo request,
id 512, seq 61185, length 40
00:55:40.397148 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id
512, seq 61185, length 40

The host with IP addr. 10.215.246.24 is reporting that ping is failing.

Vieri


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] Cannot ping between hosts in the same zone but with different netmasks

Reply via email to