How to troubleshoot a transparent-mode firewall that receives packets but does not forward them
Problem
As shown in the figure below, the firewall receives the packet on port2 but does not forward it.
If neither the firewall policy nor asymmetric routing is the cause, only one possibility remains: the MAC forwarding table is wrong.
Resolution steps
- Obtain the destination MAC of the packet that is not being forwarded. Because port2 received the packet, specify port2 when capturing. Note that you cannot capture on the any interface: with the any interface, the destination MAC shows up as 00000000.
The first six bytes of the captured packet are the destination MAC address, as shown in the figure above; the following six bytes are the source MAC address.
A packet is forwarded only when its destination MAC address is present in the forwarding table and is mapped to the correct interface.
- Check the forwarding table. Each VDOM has its own forwarding table. If the whole firewall is in transparent mode, check the root VDOM's table with the following command:
HNSY-ZGW-A # dump netlink brctl name host root.b
show bridge control interface root.b host.
fdb: size=256, used=184, num=328, depth=6
Bridge root.b host table
port no device devname mac addr ttl attributes
The forwarding table can be very large. Searching it for the destination MAC, 6c:92:bf:2a:9b:c7, we find that it is actually on port2:
2 11 port2 6c:92:bf:2a:9b:c7 21
This is clearly wrong: for the firewall to forward the packet normally, the destination MAC should be on port1.
- What can cause the forwarding table to be wrong?
First, how is the forwarding table built? Whenever a packet is sent on the networks upstream or downstream of the firewall, the firewall captures its source MAC and builds the forwarding table from it.
If the destination MAC is absent from the forwarding table, there is only one possibility: that MAC address has not sent any packets in the last few minutes. Virtual IPs on routers and load balancers often run into this, because they have both a virtual MAC and a real MAC: they send packets with the real MAC as the source, but receive packets on the virtual MAC.
In that case, we manually bind the missing MAC address into the forwarding table:
config system mac-table
    edit xx:xx:xx:xx:xx:xx
        set interface port1
    next
end
However, the problem above was not caused by a missing entry. It still needs to be investigated why the destination MAC is learned on port2 rather than on port1.
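As an added worked example (not part of the original article and not FortiOS code), the following Python script applies the checks from the steps above to a constructed frame and a constructed table written in the format of the dump shown earlier: it takes the destination MAC from the first six bytes, looks it up in the table, and separates the page's case (MAC learned on the receiving port) from the missing-MAC case that the static mac-table entry addresses. The function names and the sample rows are assumptions; the MAC values are taken from the article.

```python
import re

# Constructed sample in the format of `dump netlink brctl name host root.b`
# (a hand-picked subset, not the article's full dump).
SAMPLE_TABLE = """\
port no device devname mac addr ttl attributes
1 10 port1 00:60:e0:6d:64:7e 0 Local Static
2 11 port2 6c:92:bf:2a:9b:c7 21
2 11 port2 00:60:e0:6d:64:7f 0 Local Static
1 10 port1 70:f9:6d:19:5e:d6 0
"""

# Constructed Ethernet frame head: bytes 0-5 are the destination MAC,
# bytes 6-11 the source MAC, then the EtherType (0x0800 = IPv4).
SAMPLE_FRAME = bytes.fromhex("6c92bf2a9bc7" "a41437e3ee80" "0800")

# One table row: port no, device, devname, mac, ttl, optional attributes.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+([0-9a-f:]{17})\s+(\d+)\s*(.*)$", re.I)

def parse_fdb(text):
    """Map lowercase MAC -> (devname, ttl, attributes); header lines are skipped."""
    fdb = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _, _, dev, mac, ttl, attrs = m.groups()
            fdb[mac.lower()] = (dev, int(ttl), attrs.strip())
    return fdb

def frame_macs(frame):
    """Destination and source MAC read from the first 12 bytes of a frame."""
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return fmt(frame[0:6]), fmt(frame[6:12])

def diagnose(frame, fdb_text, ingress):
    """Classify why a frame received on `ingress` would not be bridged."""
    dst, _ = frame_macs(frame)
    entry = parse_fdb(fdb_text).get(dst)
    if entry is None:
        return "missing", dst        # candidate for a static mac-table entry
    if entry[0] == ingress:
        return "same-port", entry[0]  # learned on the receiving port: not forwarded
    return "ok", entry[0]

def static_entry_cli(mac, interface):
    """Config stanza in the style the article uses to pin a missing MAC (assumed syntax)."""
    return (f"config system mac-table\n    edit {mac}\n"
            f"        set interface {interface}\n    next\nend")
```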