This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

7.501 Strange Packet Filter behaviour

Hi Astaro,

i have a strange packet filter behaviour, maybe you can help me.

I'm trying to use my directly connected LDAP-server (ssl, port 636) for user-authentication in Astaro, but astaro always filters the packets.

ASG: 192.168.1.1
LDAP: 192:168.1.2

Rule #1:
Source:
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24

Destination:
192.168.1.2/32
etc.

Service:
ICMP, 443, 53(tcp/udp), 636 etc.

Logfile:

19:52:20 Default DROP TCP 192.168.1.1 : 42467 → 192.168.1.2 : 636 [SYN] len=60 ttl=64 tos=0x00 srcmac=00:30:18:aa:aa:aa dstmac=00:00:00:00:00:00

19:52:22 Default DROP TCP 192.168.1.1 : 42467 → 192.168.1.2 : 636 [SYN] len=60 ttl=64 tos=0x00 srcmac=00:30:18:aa:aa:aa dstmac=00:00:00:00:00:00

With a dedicated rule with the firewall-interface 192.168.1.1 as source it is working, but not with 192.168.1.0/24. WHY?

This thread was automatically locked due to age.

Parents

0 BAlfson over 15 years ago

Geholfen? Ich habe da ja gar nix jemacht! [;)]

Have you allowed ping and traceroute to transit the firewall ('ICMP' tab in 'Network Security >> Packet Filter')?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Suppentrulli over 15 years ago in reply to BAlfson

yes, your hint was very helpful.
The service i tried to use seems to make a ICMP-ping before...
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Suppentrulli over 15 years ago in reply to BAlfson

yes, your hint was very helpful.
The service i tried to use seems to make a ICMP-ping before...
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Suppentrulli over 15 years ago in reply to Suppentrulli

Ok guys, i have to reactivate my post. Again i have some problems with inter-site communication starting from an ASG.

My configuration:

ASG1 (local site):
eth0: 172.16.0.1 (172.16.0.0/24)
eth1: 172.16.1.1 (172.16.1.0/24)
eth2: 172.16.2.1 (172.16.2.0/24)
eth3: internet via PPPoE

ASG2 (remote site):
eth0: 172.17.0.1 (172.17.0.0/24)
eth1: 172.17.1.1 (172.17.1.0/24)
eth2: 172.17.2.1 (172.17.2.0/24)
eth3: internet via PPPoE

Both sites are connected with IPSec-tunnels including all subnets.

From time to time it is not possible to reach remote destinations from a local ASG, clients on the local site do work.

Example:
172.16.0.10 => 172.17.1.10 works
172.16.0.1 => 172.17.1.10 does not work

The reason is, that SOMETIMES packets leaving ASG1 going across the VPN with the source-address of my PPPoE-interface, i.e. 217.83.***.***, and for that reason routing on the remote site does not work.

If the source is a local nic, i.e. eth1, connections do work.

My questions:
- which adapter does ASG choose as source-address or is it chosen randomly?
- is there a solution for my problem?
Cancel
Vote Up 0 Vote Down

Cancel