OK, I'm seeing a very odd behavior here, but at least I can now easily reproduce the issue.
I have a test host with IP address 192.168.215.200 pinging continuously the Shorewall FW at 192.168.215.1. At first, I connect it to Switch Port with VLAN ID 11 Untagged (enp8s5 on the FW is connected to Switch Port VLAN 11 tagged + 12 tagged + 1 tagged). It gets the ICMP replies just fine, as expected according to my Shorewall rules. I've captured dumps and traces while this was happening (I can see traffic on VLAN 11, nothing on VLAN 12 which is OK):

SW DUMP: https://drive.google.com/open?id=1_wLPvrowWGE4CPFYMQSzqxz0_FvZXm4q
SW TRACE: https://drive.google.com/open?id=1AXzSDhBTN62veUPYjzVxgddPEBdY1Amy

I then disconnected the test host's ethernet cable from the Switch and plugged it into another port on the same Switch but with VLAN ID 12 Untagged. The test host keeps pinging FW at 192.168.215.1 successfully when it SHOULDN'T because of my Shorewall rules and policies. A tcpdump on the enp8s5_12 interface shows VLAN 12 traffic and ICMP requests/replies. A tcpdump on the enp8s5_11 interface shows that there's no more VLAN 11 traffic. I grabbed a SW dump, SW trace and a tcpdump:

TCPDUMP on enp8s5_12: https://drive.google.com/open?id=1JVSOMNsXmPA1gKaVhYguZr0VmKzwSOER
TCPDUMP on enp8s5: https://drive.google.com/open?id=1pxyuMP6lynquB_BEks56HzjPqeWg-J6U
SW DUMP: https://drive.google.com/open?id=1donyBraZpwKSyNG4w75LGkfPvlwgf3B9
SW TRACE: https://drive.google.com/open?id=1eFYjF9HPi144uzl2Y_oDZxtMCDq4fSog

The test host is a Windows 10 laptop. Disconnecting its ethernet cable and putting it back in did not change anything. However, I noticed that if I put the laptop in sleep mode and woke it up again after AT LEAST 30 seconds, traffic behavior would finally be "as expected", i.e. the test host would fail pinging the FW.

I grabbed tcpdumps during this last phase:

TCPDUMP on enp8s5_12: https://drive.google.com/open?id=1N7nFuCIDrEnTMjmL-licXQdWNl1-zVpi
TCPDUMP on enp8s5: https://drive.google.com/open?id=1nv3VRelC6WicJauQTXqAWffb-HV5l5DL

If I compare the SW traces, I don't see anything strange at first glance. Before moving the network cable, traffic was filtered through dmz11-fw. Afterwards, it was filtered through dmz12-fw. So it "sounds" right.

Any thoughts?

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
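A small offline checker for captures like the ones above, added here as an example and not part of the original post: it reads `tcpdump -e -nn` text output, reports which VLAN IDs carry ICMP echo traffic to and from the test host, and flags a host whose echo requests appear on more than one VLAN (the cable-move situation described). The sample lines are constructed, not taken from the linked captures; on a VLAN sub-interface such as enp8s5_12 the 802.1Q tag is absent, which the parser records as VLAN None.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -e -nn` output on the parent interface (enp8s5):
# one echo exchange on VLAN 11, then the same host on VLAN 12. Not real capture data.
SAMPLE_LINES = """\
10:00:01.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype 802.1Q (0x8100), length 102: vlan 11, p 0, ethertype IPv4 (0x0800), 192.168.215.200 > 192.168.215.1: ICMP echo request, id 1, seq 1, length 40
10:00:01.000200 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype 802.1Q (0x8100), length 102: vlan 11, p 0, ethertype IPv4 (0x0800), 192.168.215.1 > 192.168.215.200: ICMP echo reply, id 1, seq 1, length 40
10:00:02.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype 802.1Q (0x8100), length 102: vlan 12, p 0, ethertype IPv4 (0x0800), 192.168.215.200 > 192.168.215.1: ICMP echo request, id 1, seq 2, length 40
10:00:02.000200 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype 802.1Q (0x8100), length 102: vlan 12, p 0, ethertype IPv4 (0x0800), 192.168.215.1 > 192.168.215.200: ICMP echo reply, id 1, seq 2, length 40
10:00:03.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype 802.1Q (0x8100), length 102: vlan 12, p 0, ethertype IPv4 (0x0800), 192.168.215.200 > 192.168.215.1: ICMP echo request, id 1, seq 3, length 40
"""

VLAN_RE = re.compile(r"\bvlan (\d+),")  # only present on tagged (parent-interface) captures
ICMP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo (request|reply)")

def parse_icmp(lines):
    """Yield (vlan, src, dst, kind) per ICMP echo line; vlan is None when untagged."""
    for line in lines:
        m = ICMP_RE.search(line)
        if not m:
            continue  # ARP, non-ICMP, etc.
        v = VLAN_RE.search(line)
        yield (int(v.group(1)) if v else None, m.group(1), m.group(2), m.group(3))

def vlans_per_host(lines, host):
    """Map VLAN id -> Counter of echo request/reply seen to or from `host`."""
    result = {}
    for vlan, src, dst, kind in parse_icmp(lines):
        if host in (src, dst):
            result.setdefault(vlan, Counter())[kind] += 1
    return result

def hosts_on_multiple_vlans(lines):
    """Sources whose echo requests were tagged with more than one VLAN id."""
    seen = {}
    for vlan, src, _dst, kind in parse_icmp(lines):
        if kind == "request" and vlan is not None:
            seen.setdefault(src, set()).add(vlan)
    return {h: sorted(v) for h, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    lines = SAMPLE_LINES.splitlines()
    for vlan, kinds in sorted(vlans_per_host(lines, "192.168.215.200").items()):
        print(f"vlan {vlan}: {dict(kinds)}")
    print("hosts on multiple VLANs:", hosts_on_multiple_vlans(lines))
```

Feeding it the output of `tcpdump -e -nn -r <file>` from the parent interface and from the sub-interface side by side shows whether replies are still being produced for a host after its tag changed.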