In the failing scenario, where a host in vlan 1 with IP addr. 10.215.111.210 cannot ping a host in vlan 18 with IP addr. 10.215.144.251, this is what I see on the SW FW:

# tcpdump -n -i lan -e vlan and host 10.215.144.251
dropped privs to pcap
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:01:27.495068 9c:7b:ef:b7:7a:a1 > b8:59:9f:cc:bb:5c, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.251: ICMP echo request, id 1, seq 3845, length 40
00:01:27.495095 b8:59:9f:cc:bb:5c > 94:40:c9:26:dc:80, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.251: ICMP echo request, id 1, seq 3845, length 40
00:01:27.495105 9c:7b:ef:b7:7a:a1 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 78: vlan 50, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.251: ICMP echo request, id 1, seq 3845, length 40
00:01:27.495293 94:40:c9:26:dc:80 > ac:1f:6b:f5:b7:1b, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.144.251 > 10.215.111.210: ICMP echo reply, id 1, seq 3845, length 40

# ip a s lan.18
65: lan.18@lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b8:59:9f:cc:bb:5c brd ff:ff:ff:ff:ff:ff
    inet 192.168.240.1/24 brd 192.168.240.255 scope global lan.18
       valid_lft forever preferred_lft forever

# ip a s ext
139: ext: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ac:1f:6b:f5:b7:1b brd ff:ff:ff:ff:ff:ff
    inet 192.168.170.1/24 brd 192.168.170.255 scope global ext
       valid_lft forever preferred_lft forever

# ip neigh list | grep 10.215.144.251
10.215.144.251 dev lan.18 lladdr 94:40:c9:26:dc:80 REACHABLE

Ignore vlan 50 as it's just for port mirroring traffic to an IDS.

So to sum it up:

- the host with IP addr. 10.215.111.210 and MAC addr. 9c:7b:ef:b7:7a:a1 sends a ping request which hits the FW's lan.18 interface with MAC addr. b8:59:9f:cc:bb:5c
- the ICMP request is sent out to MAC addr. 94:40:c9:26:dc:80, which is that of the DST host with IP addr. 10.215.144.251
- the ICMP reply comes back on the FW's vlan 18 interface and is sent to 10.215.111.210 (SRC addr.) through MAC addr. ac:1f:6b:f5:b7:1b
- However, interface "ext" has nothing to do with vlan 1, so why are the reply packets sent there?

On the other hand, in the successful scenario, where a host in vlan 1 with IP addr. 10.215.111.210 can ping a host in vlan 18 with IP addr. 10.215.144.129, this is what I see on the SW FW:

# tcpdump -n -i lan -e vlan and host 10.215.144.129
dropped privs to pcap
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:16:18.875974 9c:7b:ef:b7:7a:a1 > b8:59:9f:cc:bb:5c, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.129: ICMP echo request, id 1, seq 4050, length 40
00:16:18.875992 b8:59:9f:cc:bb:5c > 94:40:c9:26:e2:d2, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.129: ICMP echo request, id 1, seq 4050, length 40
00:16:18.876005 9c:7b:ef:b7:7a:a1 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 78: vlan 50, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.129: ICMP echo request, id 1, seq 4050, length 40
00:16:18.876104 94:40:c9:26:e2:d2 > b8:59:9f:cc:bb:5c, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.144.129 > 10.215.111.210: ICMP echo reply, id 1, seq 4050, length 40
00:16:18.876115 b8:59:9f:cc:bb:5c > 9c:7b:ef:b7:7a:a1, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4 (0x0800), 10.215.144.129 > 10.215.111.210: ICMP echo reply, id 1, seq 4050, length 40
00:16:18.876133 b8:59:9f:cc:bb:5c > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 78: vlan 50, p 0, ethertype IPv4 (0x0800), 10.215.144.129 > 10.215.111.210: ICMP echo reply, id 1, seq 4050, length 40

# ip neigh list | grep 10.215.144.129
10.215.144.129 dev lan.18 lladdr 94:40:c9:26:e2:d2 REACHABLE

Any ideas as to why I'm seeing this? Why is interface "ext" receiving the ICMP replies in the first case?

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
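As an added example (not part of the post above and not Shorewall code), here is a small Python script that does mechanically what the poster did by hand: it parses the frame lines of a `tcpdump -n -e vlan` capture, pairs each ICMP echo request with its reply by ICMP id/seq, ignores the IDS mirror VLAN, and flags a flow when no reply frame ever leaves the firewall on the requester's VLAN towards the requester's MAC, reporting instead where the last reply hop actually went. The pairing heuristic (the first request frame seen is the host-to-firewall hop, a request frame on a different VLAN is the firewall-to-target hop) is this script's own assumption; the sample frames are the ones quoted in the post, and the vlan 50 mirror is skipped as the poster says to do.

```python
"""Pair ICMP echo request/reply frames from `tcpdump -n -e vlan` output and
flag flows whose reply does not return on the requester's VLAN/MAC.

Added example, not from the mailing-list post or from Shorewall. The
request/reply pairing heuristic is an assumption of this script."""
import re

FRAME_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype 802\.1Q \(0x8100\), length \d+: vlan (?P<vlan>\d+), p \d+, "
    r"ethertype IPv4 \(0x0800\), (?P<src_ip>[\d.]+) > (?P<dst_ip>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), "
    r"length \d+$"
)

# Frame lines quoted from the post's failing capture (tcpdump banner omitted).
FAILING_CAPTURE = """\
00:01:27.495068 9c:7b:ef:b7:7a:a1 > b8:59:9f:cc:bb:5c, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.251: ICMP echo request, id 1, seq 3845, length 40
00:01:27.495095 b8:59:9f:cc:bb:5c > 94:40:c9:26:dc:80, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.251: ICMP echo request, id 1, seq 3845, length 40
00:01:27.495105 9c:7b:ef:b7:7a:a1 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 78: vlan 50, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.251: ICMP echo request, id 1, seq 3845, length 40
00:01:27.495293 94:40:c9:26:dc:80 > ac:1f:6b:f5:b7:1b, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.144.251 > 10.215.111.210: ICMP echo reply, id 1, seq 3845, length 40
"""

# Frame lines quoted from the post's successful capture.
SUCCESS_CAPTURE = """\
00:16:18.875974 9c:7b:ef:b7:7a:a1 > b8:59:9f:cc:bb:5c, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.129: ICMP echo request, id 1, seq 4050, length 40
00:16:18.875992 b8:59:9f:cc:bb:5c > 94:40:c9:26:e2:d2, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.129: ICMP echo request, id 1, seq 4050, length 40
00:16:18.876005 9c:7b:ef:b7:7a:a1 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 78: vlan 50, p 0, ethertype IPv4 (0x0800), 10.215.111.210 > 10.215.144.129: ICMP echo request, id 1, seq 4050, length 40
00:16:18.876104 94:40:c9:26:e2:d2 > b8:59:9f:cc:bb:5c, ethertype 802.1Q (0x8100), length 78: vlan 18, p 0, ethertype IPv4 (0x0800), 10.215.144.129 > 10.215.111.210: ICMP echo reply, id 1, seq 4050, length 40
00:16:18.876115 b8:59:9f:cc:bb:5c > 9c:7b:ef:b7:7a:a1, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4 (0x0800), 10.215.144.129 > 10.215.111.210: ICMP echo reply, id 1, seq 4050, length 40
00:16:18.876133 b8:59:9f:cc:bb:5c > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 78: vlan 50, p 0, ethertype IPv4 (0x0800), 10.215.144.129 > 10.215.111.210: ICMP echo reply, id 1, seq 4050, length 40
"""


def parse_frames(text):
    """Return a list of dicts, one per ICMP echo frame; other lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("vlan", "id", "seq"):
                d[k] = int(d[k])
            frames.append(d)
    return frames


def analyze(frames, mirror_vlans=frozenset({50})):
    """Group frames by (icmp id, seq) and record each flow's L2 path.

    Heuristic (assumption): the first request frame is host -> firewall on
    the ingress VLAN; a request on another VLAN is firewall -> target.
    reply_returned is True only if some reply frame goes out on the ingress
    VLAN to the requester's MAC."""
    flows = {}
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["vlan"] in mirror_vlans:
            continue  # port-mirror copies carry no forwarding information
        flow = flows.setdefault((f["id"], f["seq"]), {
            "requester_mac": None, "request_vlan": None, "fw_mac": None,
            "target_mac": None, "target_vlan": None,
            "replies": [], "reply_returned": False, "last_reply": None,
        })
        if f["kind"] == "request":
            if flow["requester_mac"] is None:
                flow["requester_mac"] = f["src_mac"]
                flow["request_vlan"] = f["vlan"]
                flow["fw_mac"] = f["dst_mac"]
            elif f["vlan"] != flow["request_vlan"]:
                flow["target_mac"] = f["dst_mac"]
                flow["target_vlan"] = f["vlan"]
        else:
            hop = (f["vlan"], f["src_mac"], f["dst_mac"])
            flow["replies"].append(hop)
            flow["last_reply"] = hop
            if f["vlan"] == flow["request_vlan"] and f["dst_mac"] == flow["requester_mac"]:
                flow["reply_returned"] = True
    return flows


def flag_asymmetric(frames):
    """(id, seq) of flows that got a reply which never went back to the requester."""
    return sorted(k for k, v in analyze(frames).items()
                  if v["replies"] and not v["reply_returned"])


if __name__ == "__main__":
    for name, cap in (("failing", FAILING_CAPTURE), ("successful", SUCCESS_CAPTURE)):
        for key, flow in analyze(parse_frames(cap)).items():
            state = "ok" if flow["reply_returned"] else "NOT returned to requester"
            print(f"{name}: id/seq {key}: reply {state}; last reply hop "
                  f"vlan {flow['last_reply'][0]} {flow['last_reply'][1]} > {flow['last_reply'][2]}")
```

Run against the failing capture it reports that the only reply hop is on vlan 18 towards ac:1f:6b:f5:b7:1b, i.e. exactly the observation in the post, while the successful capture shows the reply leaving again on vlan 1 towards 9c:7b:ef:b7:7a:a1. Feeding it a longer capture (`tcpdump -n -i lan -e vlan and icmp`) lets you see at a glance which destination hosts' replies take the odd path and which do not.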