Hello,
I have been facing strange behavior since I activated and then deactivated the firewall at the datacenter level.
When I started configuring my server, the firewall was disabled at the datacenter level, and on every machine I created I have a NIC with Firewall=1, so I have an fw* interface on the server side for every VM I created.
Everything worked. The VMs could ping the bridge.
I enabled the firewall at the datacenter and node level, but nothing at the VM level. Just after that, I disabled the firewall at the datacenter and node level, but my VMs were no longer able to ping the respective bridges they are attached to.
The solution was to disable the Firewall option on the NIC hardware.
When I check what changes between Firewall=1 and Firewall=0, the only thing I can see is that I have a new fw* interface on the server.
I know the fw* interfaces are for the firewall, but what I don't understand is that they have been present since the beginning. They only started to block traffic after I enabled/disabled the firewall at the datacenter level.
What is stranger to me is that a VM with Firewall=1 can answer pings from a VM with Firewall=0 or from the server itself, but cannot start a ping.
And if I initiate a ping when Firewall=0 and then change to Firewall=1, the ping continues and the connection is not dropped, but if I stop and initiate the ping again the ping
With Firewall=1 I see this on the server:
16:50:29.641887 tap103i0 P IP 192.168.10.3 > 192.168.10.2: ICMP echo request, id 24611, seq 1, length 64
16:50:29.641924 fwln103i0 Out IP SERVER > 192.168.10.2: ICMP echo request, id 24611, seq 1, length 64
16:50:29.641926 fwpr103p0 P IP SERVER > 192.168.10.2: ICMP echo request, id 24611, seq 1, length 64
16:50:29.641942 tap102i0 Out IP SERVER > 192.168.10.2: ICMP echo request, id 61620, seq 1, length 64
16:50:29.642231 tap102i0 P IP 192.168.10.2 > SERVER: ICMP echo reply, id 61620, seq 1, length 64
16:50:29.642231 vmbr10 In IP 192.168.10.2 > SERVER: ICMP echo reply, id 61620, seq 1, length 64
Edit:
Even stranger, this doesn't seem to affect another bridge:
17:44:34.606479 tap2001i0 P IP 192.168.200.1 > 192.168.200.254: ICMP echo request, id 63816, seq 1, length 64
17:44:34.606507 fwln2001i0 Out IP 192.168.200.1 > 192.168.200.254: ICMP echo request, id 63816, seq 1, length 64
17:44:34.606509 fwpr2001p0 P IP 192.168.200.1 > 192.168.200.254: ICMP echo request, id 63816, seq 1, length 64
17:44:34.606509 vmbr200 In IP 192.168.200.1 > 192.168.200.254: ICMP echo request, id 63816, seq 1, length 64
17:44:34.606547 vmbr200 Out IP 192.168.200.254 > 192.168.200.1: ICMP echo reply, id 63816, seq 1, length 64
17:44:34.606550 fwpr2001p0 Out IP 192.168.200.254 > 192.168.200.1: ICMP echo reply, id 63816, seq 1, length 64
17:44:34.606551 fwln2001i0 P IP 192.168.200.254 > 192.168.200.1: ICMP echo reply, id 63816, seq 1, length 64
17:44:34.606559 tap2001i0 Out IP 192.168.200.254 > 192.168.200.1: ICMP echo reply, id 63816, seq 1, length 64
But I don't understand why I see the IP of SERVER when I ping from 192.168.10.3 => 192.168.10.254 ...
Last edit:
After a reboot everything seems to work normally again. No more SERVER IP when I ping from 192.168.10.3 to 192.168.10.254.
I don't know what to think.
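A check for the rewrite visible in the first capture, as an added example that is not part of the original post: it follows each ICMP echo across the interfaces in `tcpdump -i any` output and reports the hop where the sender address or the ICMP id changes. The function names and the 50 ms grouping window are assumptions; the capture lines are copied from the post.

```python
import re

# One hop of an ICMP echo as printed by `tcpdump -i any` in the post.
HOP = re.compile(
    r"(\d\d):(\d\d):(\d\d\.\d+) (\S+)\s+(?:In|Out|P|B|M) IP "
    r"(\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")
WINDOW = 0.05  # assumption: all hops of one packet are logged within 50 ms

def parse(text):
    hops = []
    for m in HOP.finditer(text):
        h, mi, s, ifc, src, dst, kind, icmp_id, seq = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        hops.append({"ts": ts, "ifc": ifc, "src": src, "dst": dst,
                     "kind": kind, "id": icmp_id, "seq": seq})
    return hops

def find_rewrites(hops):
    """Return (interface, field, before, after) for each hop where a packet changed."""
    last, findings = {}, []
    for hop in hops:
        # Sender-side rewriting keeps a request's dst and a reply's src: use it as key.
        fixed, mutable = ("dst", "src") if hop["kind"] == "request" else ("src", "dst")
        key = (hop["kind"], hop[fixed], hop["seq"])
        prev = last.get(key)
        if prev and hop["ts"] - prev["ts"] <= WINDOW:
            for field in (mutable, "id"):
                if hop[field] != prev[field]:
                    findings.append((hop["ifc"], field, prev[field], hop[field]))
        last[key] = hop
    return findings

# Capture lines copied from the post (not constructed).
CAPTURE_VMBR10 = """\
16:50:29.641887 tap103i0 P IP 192.168.10.3 > 192.168.10.2: ICMP echo request, id 24611, seq 1, length 64
16:50:29.641924 fwln103i0 Out IP SERVER > 192.168.10.2: ICMP echo request, id 24611, seq 1, length 64
16:50:29.641926 fwpr103p0 P IP SERVER > 192.168.10.2: ICMP echo request, id 24611, seq 1, length 64
16:50:29.641942 tap102i0 Out IP SERVER > 192.168.10.2: ICMP echo request, id 61620, seq 1, length 64
16:50:29.642231 tap102i0 P IP 192.168.10.2 > SERVER: ICMP echo reply, id 61620, seq 1, length 64
16:50:29.642231 vmbr10 In IP 192.168.10.2 > SERVER: ICMP echo reply, id 61620, seq 1, length 64
"""
CAPTURE_VMBR200 = """\
17:44:34.606479 tap2001i0 P IP 192.168.200.1 > 192.168.200.254: ICMP echo request, id 63816, seq 1, length 64
17:44:34.606507 fwln2001i0 Out IP 192.168.200.1 > 192.168.200.254: ICMP echo request, id 63816, seq 1, length 64
17:44:34.606509 fwpr2001p0 P IP 192.168.200.1 > 192.168.200.254: ICMP echo request, id 63816, seq 1, length 64
17:44:34.606509 vmbr200 In IP 192.168.200.1 > 192.168.200.254: ICMP echo request, id 63816, seq 1, length 64
"""
if __name__ == "__main__":
    for name, cap in (("vmbr10", CAPTURE_VMBR10), ("vmbr200", CAPTURE_VMBR200)):
        print(name, find_rewrites(parse(cap)))
```

On the vmbr10 capture this reports the address change at fwln103i0 and the id change at tap102i0; on the vmbr200 lines it reports nothing.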