Yep, you're right. You just need to look at your NIC (Network Interface Card) configuration. Make sure your Shorewall device has an IP for both "Networks".
  # sudo pico /etc/network/interfaces       ... on DEBIAN, to edit your network config

Then do:

  # sudo route -n                           ... to check your routing tables
  # sudo /etc/init.d/networking stop        ... to stop networking
  # sudo /etc/init.d/networking start       ... to restart your network, or REBOOT

If your hardware is "far away" and you can't physically "touch it", then restarting networking or rebooting will KICK you.

The key secret sauce is to check to make sure you are forwarding traffic, like this:

== ENABLE FORWARDING ==

  # sudo vim /etc/sysctl.conf

    # Uncomment the next line to enable packet forwarding for IPv4
    net.ipv4.ip_forward=1

  # sysctl -p                               ... RESTART THE SERVICE, or REBOOT!

Bottom line ... you need a device on your network that has IPs in every local network (your BRIDGE). You also need a device that takes any traffic it doesn't know about and forwards it to the Internet (your ROUTER). Your Shorewall device CAN perform BOTH functions.

Having said all of this, the honest truth is ... I don't use Shorewall. I looked at Shorewall, joined this list, found it complicated and decided ... if I have to learn something, why not just do it "Old School?" So I created a firewall with iptables. It works perfectly.

My next goal is to create a firewall with *BPF* (*Berkeley Packet Filter*). *BPF should be WAAAAAY faster!*

Bill

On Mon, Jan 24, 2022 at 5:39 PM Vieri Di Paola <vieridipa...@gmail.com> wrote:
> Thanks, Bill.
>
> As shown in the dump, my Shorewall system is a router.
> I think the problem may lie in routing rules/netmasks/ARP.
> I have other hosts in the same vlans as in my first example that
> perfectly reply to ICMP.
> For instance, a host in vlan 1 with IP addr. 10.215.111.210 can
> successfully ping (request & reply) a host in vlan 18 with IP addr.
> 10.215.144.129.
> Same dst IP addr. range, same dst vlan, etc., but in my first post,
> the ICMP replies were reaching the SW FW but not the SRC host in vlan
> 1.
> Very odd.
>
> I'm trying to search for the difference between the DST host with IP
> addr. 10.215.144.129 and the one with IP addr. 10.215.144.251.
>
> Thanks,
>
> Vieri
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
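The checks Bill lists (an address on the router in each local network, a route for each destination, and net.ipv4.ip_forward set to 1) can be scripted so they are verified before touching a remote box. The script below is an added example written for this thread, not code from Bill, Vieri or the Shorewall project. The only values taken from the thread are the 10.215.111.x and 10.215.144.x host addresses; the /24 masks, the interface names (eth0, eth1.1, eth1.18), the router's own addresses and the routing table in `route -n` layout are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a Linux box that
# routes between two local networks. Interface names, subnet masks, the
# router's addresses and the routing table are constructed assumptions; only
# the 10.215.x.x host addresses come from the thread.

# ip2int DOTTED_QUAD -> unsigned 32-bit integer
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_mask PREFIXLEN -> netmask as an integer (24 -> 4294967040)
cidr_mask() {
    echo $(( ((1 << $1) - 1) << (32 - $1) ))
}

# in_subnet IP NET/PREFIX -> "yes" if IP lies inside the prefix, else "no"
in_subnet() {
    m=$(cidr_mask "${2#*/}")
    if [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "${2%/*}") & m )) ]; then
        echo yes
    else
        echo no
    fi
}

# has_addr_in "ADDR ADDR ..." NET/PREFIX -> "yes" if any local address is in the prefix
# (the "device with an IP in every local network" condition)
has_addr_in() {
    for a in $1; do
        [ "$(in_subnet "$a" "$2")" = yes ] && { echo yes; return 0; }
    done
    echo no
}

# route_iface IP ROUTE_TABLE -> outgoing interface by longest-prefix match over a
# table in `route -n` layout (Destination Gateway Genmask Flags Metric Ref Use Iface)
route_iface() {
    ip=$(ip2int "$1")
    best_mask=-1; best_if=""
    while read -r dest gw genmask flags metric ref use iface; do
        [ -n "$iface" ] || continue                # skip blank / short header lines
        case $dest in Destination) continue ;; esac   # skip the column header
        m=$(ip2int "$genmask")
        if [ $(( ip & m )) -eq $(( $(ip2int "$dest") & m )) ] && [ "$m" -gt "$best_mask" ]; then
            best_mask=$m; best_if=$iface
        fi
    done <<EOF
$2
EOF
    echo "$best_if"
}

# forwarding_enabled [FILE] -> "yes" if the sysctl file holds 1 (default: live kernel value)
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ] && echo yes || echo no
}

# --- constructed sample data (assumptions, not taken from the thread) ---
VLAN1_NET=10.215.111.0/24
VLAN18_NET=10.215.144.0/24
LOCAL_ADDRS="10.215.111.1 10.215.144.1"   # addresses assumed on the router box
ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0
10.215.111.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1.1
10.215.144.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1.18'

echo "address in vlan 1 net:        $(has_addr_in "$LOCAL_ADDRS" "$VLAN1_NET")"
echo "address in vlan 18 net:       $(has_addr_in "$LOCAL_ADDRS" "$VLAN18_NET")"
echo "route for 10.215.144.251 via: $(route_iface 10.215.144.251 "$ROUTES")"
echo "route for 203.0.113.5 via:    $(route_iface 203.0.113.5 "$ROUTES")"
echo "ip_forward enabled:           $(forwarding_enabled)"
```

On a real host, replace the constructed ROUTES and LOCAL_ADDRS with the output of `route -n` and the addresses from `ip -4 addr`; a host that has an address in only one of the two networks, or whose longest-prefix match for the far host is the default route, will show the kind of one-way ICMP that Vieri describes even with forwarding enabled.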