On 02/23/2018 06:42 AM, Vieri Di Paola via Shorewall-users wrote:
> Hi,
>
> In my LAN I have two networks on the same physical infrastructure (no VLAN):
> 10.215.0.0/16 and 192.168.200.0/24
>
> The LAN interface on Shorewall firewall/gateway has proxy_arp enabled for
> some cases, but it seems to be interfering with ARP requests. This is what I
> see on the Shorewall box when two hosts in 192.168.200.0 try to ping each
> other:
>
> 12:16:54.954199 ARP, Request who-has 192.168.200.21 (30:85:a9:8e:b9:a0) tell
> 192.168.200.249, length 46
> 12:16:54.954219 ARP, Reply 192.168.200.21 is-at 30:85:a9:8e:b9:a0, length 28
>
> The problem is that 30:85:a9:8e:b9:a0 is Shorewall's LAN interface MAC, not
> the MAC of the host at 192.168.200.21.
>
> I tried to add static ARP entries for the LAN interface on the Shorewall
> system (arp -i ... -s ...), but the "is-at" replies were still the same.
>
> Removing proxy_arp on Shorewall's LAN interface solves the issue but opens
> others.
>
> What can I try?
>
> Can I avoid replying to ARP requests for 192.168.200.0/24 only?
Yes -- add a DROP entry in /etc/shorewall/arprules.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
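An added illustration of the kind of arprules entry meant above (this is not Tom's text or the Shorewall project's own example). It assumes eth1 is the LAN interface and that the firewall itself holds 192.168.200.1 on that network, which is why an ACCEPT for that one address precedes the DROP; the reading of the SOURCE/DEST/OPCODE columns as arptables -s / -o / --opcode, and of a rule with an interface only in DEST as an OUTPUT-chain rule, is taken from shorewall-arprules(5) and should be checked against that man page for your Shorewall version. Proxy-ARP replies for 10.215.0.0/16 are untouched because no rule matches that range.

```shorewall
#
# /etc/shorewall/arprules  (added example; interface and addresses assumed)
#
# Goal: the firewall must still answer ARP for its own LAN address, but
# must stop answering on behalf of the other 192.168.200.0/24 hosts that
# proxy_arp currently covers.  OPCODE 2 = ARP reply, so only the replies
# the firewall generates are affected; incoming requests still reach the
# kernel and replies for 10.215.0.0/16 (proxied as before) are not matched.
#
# Intended arptables equivalent, for checking with `arptables -L OUTPUT -n`:
#   arptables -A OUTPUT -o eth1 -s 192.168.200.1    --opcode 2 -j ACCEPT
#   arptables -A OUTPUT -o eth1 -s 192.168.200.0/24 --opcode 2 -j DROP
#
#ACTION     SOURCE                  DEST        OPCODE
ACCEPT      -:192.168.200.1         eth1        2
DROP        -:192.168.200.0/24      eth1        2
```

arprules needs the arptables binary on the box (the ARPTABLES setting in shorewall.conf names it). After `shorewall reload`, repeat the tcpdump from the original post: a request for 192.168.200.21 should now be answered only by the real host's MAC, while a request for 192.168.200.1 or for a 10.215.x address still gets the firewall's 30:85:a9:8e:b9:a0.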
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users