On 05/22/2018 12:56 PM, David Ventura wrote:
> On the router, loc zone
>
> 21:46:27.394780 IP 192.168.20.138.49088 > 192.168.2.10.8006: Flags [S], seq 2206450343, win 29200, options [mss 1460,sackOK,TS val 1423015768 ecr 0,nop,wscale 7], length 0
> 21:46:27.394929 IP 192.168.20.138.49088 > 192.168.2.10.8006: Flags [S], seq 2206450343, win 29200, options [mss 1460,sackOK,TS val 1423015768 ecr 0,nop,wscale 7], length 0
> 21:46:29.697862 IP 192.168.20.138.49234 > 192.168.2.10.8006: Flags [S], seq 3866520451, win 29200, options [mss 1460,sackOK,TS val 1423018071 ecr 0,nop,wscale 7], length 0
> 21:46:29.698053 IP 192.168.20.138.49234 > 192.168.2.10.8006: Flags [S], seq 3866520451, win 29200, options [mss 1460,sackOK,TS val 1423018071 ecr 0,nop,wscale 7], length 0
> 21:46:30.722578 IP 192.168.20.138.49234 > 192.168.2.10.8006: Flags [S], seq 3866520451, win 29200, options [mss 1460,sackOK,TS val 1423019096 ecr 0,nop,wscale 7], length 0
> 21:46:30.722643 IP 192.168.20.138.49234 > 192.168.2.10.8006: Flags [S], seq 3866520451, win 29200, options [mss 1460,sackOK,TS val 1423019096 ecr 0,nop,wscale 7], length 0
>
> On the server I am seeing the packets now, but the connection is not
> working anyway:
>
> 21:50:15.746671 IP 192.168.20.138.50266 > 192.168.2.10.8006: Flags [S], seq 1416285729, win 29200, options [mss 1460,sackOK,TS val 1423244122 ecr 0,nop,wscale 7], length 0
> 21:50:15.746942 IP 192.168.20.138.50266 > 192.168.2.10.8006: Flags [S], seq 1416285729, win 29200, options [mss 1460,sackOK,TS val 1423244122 ecr 0,nop,wscale 7], length 0
>
> I added these two rules on top of my `rules` file
> ACCEPT loc:192.168.2.10 all all
> ACCEPT srv:192.168.2.138 all all
>
> Which also made no difference.
>
> I **think** that what is happening is that I get the packet from
> 192.168.20.X to 192.168.2.10 (server) and it tries to reply via
> 192.168.20.10 (server)..
>
> my routes are:
>
> root@bigserver:~# ip route
> default via 192.168.2.1 dev vmbr0 onlink
> 192.168.2.0/24 dev vmbr0 proto kernel scope link src 192.168.2.10
> 192.168.10.0/24 dev vmbr10 proto kernel scope link src 192.168.10.10
> 192.168.20.0/24 dev vmbr20 proto kernel scope link src 192.168.20.10
> 192.168.30.0/24 dev vmbr30 proto kernel scope link src 192.168.30.10
> 192.168.40.0/24 dev vmbr40 proto kernel scope link src 192.168.40.10
> 192.168.50.0/24 dev vmbr50 proto kernel scope link src 192.168.50.10
>
> Sorry for being a pest but I am really curious as to why this is happening..
All except the default and next route are wrong and unnecessary. The server thinks that 192.168.20.138 is on its local subnet, so it is undoubtedly sending ARP 'who-has' requests for that address. Those requests are not being responded to.

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \  A: Someone who makes you an offer you can't
http://shorewall.org \    understand
\_______________________________________________
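As an added illustration (my own code, not anything from the thread or from Shorewall), a small longest-prefix lookup over the routing table David quoted: with the connected 192.168.20.0/24 route present, the server's SYN-ACK to 192.168.20.138 is routed out vmbr20 as a directly reachable host (so the kernel ARPs for the client itself) instead of back through 192.168.2.1; it assumes the SYN arrived on vmbr0, which the thread does not state.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network  # destination prefix
    dev: str                       # egress interface
    via: Optional[str]             # next-hop gateway; None for a connected route

def parse_ip_route(text: str) -> list:
    """Parse `ip route` output (IPv4, the forms seen in the thread)."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        prefix = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        dev = tok[tok.index("dev") + 1]
        via = tok[tok.index("via") + 1] if "via" in tok else None
        routes.append(Route(prefix, dev, via))
    return routes

def lookup(routes, dst: str) -> Route:
    """Longest-prefix match, as the kernel FIB does when routing the reply."""
    dst_ip = ipaddress.ip_address(dst)
    return max((r for r in routes if dst_ip in r.prefix), key=lambda r: r.prefix.prefixlen)

# The routing table quoted in the thread (mail-client link residue removed).
BIGSERVER_ROUTES = """
default via 192.168.2.1 dev vmbr0 onlink
192.168.2.0/24 dev vmbr0 proto kernel scope link src 192.168.2.10
192.168.10.0/24 dev vmbr10 proto kernel scope link src 192.168.10.10
192.168.20.0/24 dev vmbr20 proto kernel scope link src 192.168.20.10
192.168.30.0/24 dev vmbr30 proto kernel scope link src 192.168.30.10
192.168.40.0/24 dev vmbr40 proto kernel scope link src 192.168.40.10
192.168.50.0/24 dev vmbr50 proto kernel scope link src 192.168.50.10
"""
# Tom's advice: keep only the default route and the 192.168.2.0/24 route.
ADVISED_ROUTES = "\n".join(BIGSERVER_ROUTES.strip().splitlines()[:2])

def reply_path(route_text: str, client: str, ingress_dev: str) -> dict:
    """Where the SYN-ACK to `client` leaves, and whether that differs from where the SYN arrived."""
    r = lookup(parse_ip_route(route_text), client)
    return {
        "dev": r.dev,
        "via": r.via,  # None: deliver directly, i.e. ARP for the client address itself
        "asymmetric": r.dev != ingress_dev,
    }

if __name__ == "__main__":
    for table in (BIGSERVER_ROUTES, ADVISED_ROUTES):
        print(reply_path(table, "192.168.20.138", "vmbr0"))
```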
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users