From: Payam Chychi <pchychi@gmail.com>
To: "Rob Sterenborg (lists)" <lists@sterenborg.info>
Cc: netfilter@vger.kernel.org
Subject: Re: Replacing firewall issues
Date: Tue, 10 Jan 2012 00:25:41 -0800 [thread overview]
Message-ID: <4F0BF605.4020404@gmail.com> (raw)
In-Reply-To: <1326180504.2680.14.camel@ns014530.dcyb.net>
On 12-01-09 11:28 PM, Rob Sterenborg (lists) wrote:
> Hi,
>
> I'm having trouble replacing an old server (CentOS 5) for a new one
> (CentOS 6). The layout is basically like this:
>
> +------+ +-----+ +----------+ DMZ |---
> | INET |---| RTR |---| Firewall |---------|
> +------+ +-----+ +----------+ |---
> .
> .(etc)
> |---
>
>
> When I'm testing the firewall with an unused public and private IP
> address and a server in the DMZ, I can successfully NAT packets
> from/to it. So, IMO there should be no issues.
>
> However, when we shutdown the switch ports from the old firewall, put
> the current public and private IP addresses from the old firewall on the
> new one and have arp caches of neighbors cleared, then forwarding breaks
> in some way.
>
> What I'm seeing is that:
> - When a new connection is setup to a webserver in the DMZ, packets
> arrive at the internet NIC, but don't get forwarded to the webserver in
> the DMZ.
> - When I'm trying to, say, ping a host on the internet, I see the
> packets arrive at the DMZ NIC, forwarded to the internet host, the reply
> packets arrives at the internet NIC, and doesn't get forwarded back to
> the DMZ host.
> - I get ping replies when I ping from the new firewall to the server(s)
> in the DMZ. (That is: I get replies, and I'm supposing it from the
> servers I ping..)
>
> Then we've put this setup in separate VLAN's so we could mimic the
> situation in a test environment. Everything we tested worked just fine
> in there right away, so it's impossible to troubleshoot.
>
> This makes me believe there's something about the setup in production
> that creates this behavior. I unfortunately forgot to clone the MAC
> addresses from the current server to the new one: could it still be
> something with the MAC addressess, although AFAIK we cleared all arp
> caches that should be?
>
> Any input of what can be wrong is welcome.
> Thanks in advance!
>
>
> --
> Rob
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
Hey,
you mentioned clearing arp after the changes however did you verify
that no stale arp entries remain? also, what did your mac address table
/ cam table show?
it sounds much like layer 2 mac/arp buildup issue
-Payam
next prev parent reply other threads:[~2012-01-10 8:25 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-10 7:28 Replacing firewall issues Rob Sterenborg (lists)
2012-01-10 8:25 ` Payam Chychi [this message]
2012-01-10 8:55 ` Rob Sterenborg (lists)
2012-01-14 2:20 ` Rob Sterenborg (lists)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F0BF605.4020404@gmail.com \
--to=pchychi@gmail.com \
--cc=lists@sterenborg.info \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.