Hi,
My current setup as shown below has a vlan-bridged dmz interface, and
it *seems* to be working fine although I am getting occasional ping
packet loss (<5 every 10-15 minutes).
However, this might be a switch issue.
The interfaces file from my current config (configuration 1) is:
lan $IF_LAN routeback,arp_filter=1,proxyarp=1
wan $IF_WAN routeback,arp_filter=1,proxyarp=1
caib $IF_CAIB arp_filter=1
ibs $IF_IBS arp_filter=1
dmz dmzbr bridge,dhcp,proxyarp=1
dmz0 dmzbr:${IF_DMZ} routeback
dmz1 dmzbr:${IF_DMZ}.1 routeback
dmz11 dmzbr:${IF_DMZ}.11 routeback
lanx lanbr bridge,dhcp,proxyarp=1
dmz12 lanbr:${IF_DMZ}.12 routeback
lan0 lanbr:enp8s5 routeback
lan1 lanbr:enp8s5.1 routeback
lan12 lanbr:enp8s5.12 routeback
lan13 lanbr:enp8s5.13 routeback
lan14 lanbr:enp8s5.14 routeback
lan15 lanbr:enp8s5.15 routeback
- lo -
Shorewall dump for Configuration 1:
https://drive.google.com/open?id=1kSwMG98Ej2FiKsVtAYo9gzerA5sueuVG
In this setup I used the lanx bridge interface to perform some lab
tests before disrupting the main traffic which goes through the lan
interface.
The tests seemed to be OK.
Today I tried to configure vlans on my LAN interface so this is my new
interfaces file (configuration 2):
lan ${IF_LAN_BR} bridge,dhcp,arp_filter=1,proxyarp=1
lan0 ${IF_LAN_BR}:${IF_LAN} routeback
lan1 ${IF_LAN_BR}:${IF_LAN}.1 routeback
lan12 ${IF_LAN_BR}:${IF_LAN}.12 routeback
lan13 ${IF_LAN_BR}:${IF_LAN}.13 routeback
lan14 ${IF_LAN_BR}:${IF_LAN}.14 routeback
lan15 ${IF_LAN_BR}:${IF_LAN}.15 routeback
wan $IF_WAN routeback,arp_filter=1,proxyarp=1
caib $IF_CAIB arp_filter=1
ibs $IF_IBS arp_filter=1
dmz ${IF_DMZ_BR} bridge,dhcp,proxyarp=1
dmz0 ${IF_DMZ_BR}:${IF_DMZ} routeback
dmz1 ${IF_DMZ_BR}:${IF_DMZ}.1 routeback
dmz11 ${IF_DMZ_BR}:${IF_DMZ}.11 routeback
dmz12 ${IF_LAN_BR}:${IF_DMZ}.12 routeback
dmz13 ${IF_DMZ_BR}:${IF_DMZ}.13 routeback
- lo -
Shorewall dump for Configuration 2:
https://drive.google.com/open?id=1Zm72KKq5BGax04jNLdqubdSE7Y7GlzR1
At first everything seemed to work fine, but after a couple of minutes
the network went bonkers. Ping tests from $FW to lan hosts or vice
versa would fail and work randomly. A typical ping test would yield 5
or 10 echo replies OK then 5 or 10 losses, and so on (50% packet loss
as a general rule of thumb).
During the dump there was a "failing" ping test between $FW and lan
host at 10.215.144.48.
So I had to fall back to Configuration 1, and now I'm unsure what to
try with Configuration 2 before getting into trouble again...
Is there anything "blatantly wrong" with my second configuration?
What can I try or test?
Would a tcpdump or a shorewall [ip]trace be useful?
Vieri
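As an added helper for checking a file like the two above (my own example, not Shorewall's code and not from the post), the script below parses the `ZONE INTERFACE OPTIONS` lines, expands the `$IF_*` params with constructed stand-in device names, lists which devices each bridge claims, and flags a port attached to a bridge that has no `bridge` entry or a device listed twice. The configuration 2 excerpt is abridged from the post; the device names in `PARAMS` are assumptions.

```python
import re
from collections import defaultdict
# Constructed stand-ins for the poster's $IF_* params (real values live in their params file).
PARAMS = {"IF_LAN_BR": "lanbr", "IF_LAN": "enp8s5", "IF_DMZ_BR": "dmzbr", "IF_DMZ": "enp9s5"}

# Configuration 2 from the post, abridged to its bridge-related lines.
CONFIG2 = """\
lan ${IF_LAN_BR} bridge,dhcp,arp_filter=1,proxyarp=1
lan0 ${IF_LAN_BR}:${IF_LAN} routeback
dmz ${IF_DMZ_BR} bridge,dhcp,proxyarp=1
dmz0 ${IF_DMZ_BR}:${IF_DMZ} routeback
dmz12 ${IF_LAN_BR}:${IF_DMZ}.12 routeback
- lo -
"""

def expand(token, params=PARAMS):
    """Expand $VAR / ${VAR} the way the shell does when Shorewall reads params."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), m.group(0)), token)

def parse_interfaces(text, params=PARAMS):
    """Parse 'ZONE INTERFACE OPTIONS' lines; INTERFACE may be 'bridge:port'."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        iface = expand(fields[1], params)
        opts = set(fields[2].split(",")) if len(fields) > 2 and fields[2] != "-" else set()
        bridge, port = iface.split(":", 1) if ":" in iface else (None, iface)
        entries.append({"zone": fields[0], "bridge": bridge, "port": port, "options": opts})
    return entries

def bridge_members(entries):
    """Map each bridge to the devices the file attaches to it, in file order."""
    members = defaultdict(list)
    for e in entries:
        if e["bridge"]:
            members[e["bridge"]].append(e["port"])
    return dict(members)

def check(entries):
    """Findings: ports of a bridge never declared with 'bridge', and devices listed twice."""
    findings, owners = [], defaultdict(list)
    declared = {e["port"] for e in entries if "bridge" in e["options"]}
    for e in entries:
        if e["bridge"] and e["bridge"] not in declared:
            findings.append(f"{e['port']}: bridge {e['bridge']} has no 'bridge' entry")
        owners[e["port"]].append(e["bridge"] or e["zone"])
    findings += [f"{d}: listed {len(w)} times ({', '.join(w)})" for d, w in owners.items() if len(w) > 1]
    return findings
```

Running `bridge_members` on the full file shows at a glance which physical and VLAN devices each bridge owns, which is the first thing to compare against `brctl show` / `ip link` output on the box.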
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users