Firewall can ping Google DNS, but the VM behind the firewall cannot; all rules allow it

I have the following network setup: https://i.ibb.co/wwPLH2H/Network.png

All traffic from 10.0.64.0/27 behind firewall B (firewallsm) reaches the 192.168.28.0/27 network through the LAN interface of firewall A (firewallwm), and the same traffic reaches the internet the same way, as follows:

10.0.64.42 (VM) > Firewall B (LAN) > Firewall A (LAN) > Firewall A (WAN) > laptop wireless NIC > Wi-Fi router

The strange thing is that firewall B (firewallsm) can ping Google DNS, but the VM 10.0.64.42 for some reason cannot ping Google DNS. I have set all protocols and ports to be allowed on firewall B (firewallsm) to reach firewall A (firewallwm).

Firewall A (firewallwm)

Gateway - https://i.ibb.co/bRC8P8G/Firewall-A-GW.png

LAN interface rules - https://i.ibb.co/XWSnLRd/Firewall-A-1-dell-Rule.png

WAN interface rules - https://i.ibb.co/zZwcnjJ/Firewall-A-2-WAN-Rule.png

Firewall A (firewallsm) logs show 10.0.64.42 traffic allowed through its WAN

Log - https://i.ibb.co/9cqPSW7/Firewall-A-Packet-log.png

Log - https://i.ibb.co/kVTX31B/Firewall-A-Packet-log-2.png

Firewall B (firewallsm)

Gateway - https://i.ibb.co/pPQC1p8/Firewall-B-GW.png

LAN rules - https://i.ibb.co/VY9vFVL/Firewall-B-1-dell-Rule.png

tcpdump on firewall B LAN (em0) for the 10.0.64.42 VM

root@firewallsm:~ # tcpdump -i vmx0 host 10.0.64.42 and host 8.8.8.8 and icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmx0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:17:09.324409 IP 10.0.64.42 > dns.google: ICMP echo request, id 1, seq 1, length 40
06:17:13.853917 IP 10.0.64.42 > dns.google: ICMP echo request, id 1, seq 2, length 40
06:17:18.858484 IP 10.0.64.42 > dns.google: ICMP echo request, id 1, seq 3, length 40

tcpdump on firewall A LAN (em0) for the 10.0.64.42 VM

root@firewallwm:~ # tcpdump -i em0 host 8.8.8.8 and icmp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:17:09.335331 IP 10.0.64.42 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 40
06:17:13.865408 IP 10.0.64.42 > 8.8.8.8: ICMP echo request, id 1, seq 2, length 40
06:17:23.870819 IP 10.0.64.42 > 8.8.8.8: ICMP echo request, id 1, seq 4, length 40

tcpdump on firewall A WAN (em1) for the 10.0.64.42 VM

root@firewallwm:~ # tcpdump -i em1 host 8.8.8.8 and icmp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes

Ping from firewall B, which successfully pings Google DNS

root@firewallsm:~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=127 time=13.196 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=127 time=12.625 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=127 time=12.609 ms
^C
--- 8.8.8.8 ping statistics ---
16 packets transmitted, 16 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 11.705/13.026/15.910/1.111 ms

tcpdump on firewall A LAN (em0)

root@firewallwm:~ # tcpdump -i em0 host 8.8.8.8 and icmp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:22:21.816908 IP 192.168.10.7 > 8.8.8.8: ICMP echo request, id 23594, seq 0, length 64
06:22:21.827095 IP 8.8.8.8 > 192.168.10.7: ICMP echo reply, id 23594, seq 0, length 64
06:22:22.876598 IP 192.168.10.7 > 8.8.8.8: ICMP echo request, id 23594, seq 1, length 64
06:22:22.886317 IP 8.8.8.8 > 192.168.10.7: ICMP echo reply, id 23594, seq 1, length 64
06:22:23.948947 IP 192.168.10.7 > 8.8.8.8: ICMP echo request, id 23594, seq 2, length 64
06:22:23.957978 IP 8.8.8.8 > 192.168.10.7: ICMP echo reply, id 23594, seq 2, length 64

tcpdump on firewall A WAN (em1)

root@firewallwm:~ # tcpdump -i em1 host 8.8.8.8 and icmp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
06:22:21.817029 IP 192.168.47.132 > 8.8.8.8: ICMP echo request, id 24689, seq 0, length 64
06:22:21.826993 IP 8.8.8.8 > 192.168.47.132: ICMP echo reply, id 24689, seq 0, length 64
06:22:22.876700 IP 192.168.47.132 > 8.8.8.8: ICMP echo request, id 24689, seq 1, length 64
06:22:22.886219 IP 8.8.8.8 > 192.168.47.132: ICMP echo reply, id 24689, seq 1, length 64
06:22:23.949057 IP 192.168.47.132 > 8.8.8.8: ICMP echo request, id 24689, seq 2, length 64
06:22:23.957845 IP 8.8.8.8 > 192.168.47.132: ICMP echo reply, id 24689, seq 2, length 64
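As an added troubleshooting aid (not part of the original post), the following Python script correlates the ICMP echoes across the capture points in hop order by seq number and timestamp rather than by ICMP id, because, as the firewall A captures above show, NAT on em1 rewrites both the source address and the id. The sample lines are constructed from the post's output and the hop labels are assumed names.

```python
import re

# Constructed sample captures, modelled on the post's tcpdump output (not copied verbatim).
# VM_FLOW: the VM's echo vanishes after Firewall A's LAN. FW_FLOW: Firewall A's own echo is
# NATed on em1, so source and ICMP id change and id alone cannot correlate across the NAT.
VM_FLOW = {
    "firewallB vmx0": ["06:17:09.324409 IP 10.0.64.42 > dns.google: ICMP echo request, id 1, seq 1, length 40"],
    "firewallA em0": ["06:17:09.335331 IP 10.0.64.42 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 40"],
    "firewallA em1": [],
}
FW_FLOW = {
    "firewallA em0": ["06:22:21.816908 IP 192.168.10.7 > 8.8.8.8: ICMP echo request, id 23594, seq 0, length 64",
                      "06:22:21.827095 IP 8.8.8.8 > 192.168.10.7: ICMP echo reply, id 23594, seq 0, length 64"],
    "firewallA em1": ["06:22:21.817029 IP 192.168.47.132 > 8.8.8.8: ICMP echo request, id 24689, seq 0, length 64",
                      "06:22:21.826993 IP 8.8.8.8 > 192.168.47.132: ICMP echo reply, id 24689, seq 0, length 64"],
}

LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > ([^:]+): ICMP echo (request|reply), id (\d+), seq (\d+)")

def parse(lines):
    """Turn tcpdump ICMP echo lines into dicts with a float timestamp; other lines are skipped."""
    out = []
    for line in lines:
        m = LINE.match(line)
        if m:
            h, mi, s = int(m.group(1)), int(m.group(2)), float(m.group(3))
            out.append({"t": h * 3600 + mi * 60 + s, "src": m.group(4), "dst": m.group(5),
                        "kind": m.group(6), "id": int(m.group(7)), "seq": int(m.group(8))})
    return out

def follow(captures, kind, seq, window=1.0):
    """Follow one echo through the capture points in order, matching on seq and time
    proximity (NAT may rewrite src and id). Returns [(hop, src, id)] for hops that saw it."""
    path, t0 = [], None
    for hop, lines in captures.items():
        for p in parse(lines):
            if p["kind"] == kind and p["seq"] == seq and (t0 is None or abs(p["t"] - t0) <= window):
                t0 = p["t"] if t0 is None else t0
                path.append((hop, p["src"], p["id"]))
                break
    return path

def diagnose(captures, seq):
    """Last hop that saw the request, whether its source was rewritten en route, and whether a reply was seen."""
    req = follow(captures, "request", seq)
    rep = follow(captures, "reply", seq)
    return {"last_request_hop": req[-1][0] if req else None,
            "rewritten": len({src for _, src, _ in req}) > 1,
            "reply_seen": bool(rep)}
```

Run against the VM flow it reports the request last seen on firewall A's LAN with no rewrite and no reply, while the firewall's own flow reaches em1 with the source rewritten and a reply observed.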
