Author Topic: [SOLVED] Zentyal 3.0.28- firewall drops certain connections btw internal network  (Read 2491 times)

TropiRed

The problem was solved - the proper layers were not visible to the Zentyal firewall since not all radios had WDS activated and thus did not forward the correct MAC. As simple as that.

I leave the Q as is, in case someone else runs into this ERR40 situation (ERR40 = caused by the fool sitting 40 cm from the monitor).


I have an interface eth0 for network A and a virtual interface eth0(B) for network B.

Firewall has Allow ANY for internal networks for A and B.
Firewall has Allow for ports needed for both A and B.

Access between networks is fine when using http on non-standard port 84 or https on 444.
But when log data wants to pass over UDP 10001 or http data over TCP 9080, it drops the connections.

I have tried with allowing ANY for A and B to Zentyal, but no change.

Edit: I did try port forwarding, just in case. No change.

Everything else works like a charm, saving a lot of work!

Ideas?
« Last Edit: January 27, 2014, 06:36:18 pm by TropiRed »

christian

What makes you think this is a firewall related issue?
Have you tried enabling logging and checking whether such a connection is visible in the list of dropped connections?

TropiRed

> What makes you think this is a firewall related issue?
> Have you tried enabling logging and checking whether such a connection is visible in the list of dropped connections?

This:

Oct 30 11:14:46 jmbgw kernel: [514160.659574] zentyal-firewall drop IN=eth0 OUT=eth0 MAC=[removed] SRC=10.30.20.10 DST=10.200.200.2 LEN=172 TOS=0x00 PREC=0x00 TTL=62 ID=57030 DF PROTO=TCP SPT=49520 DPT=444 WINDOW=115 RES=0x00 ACK PSH URGP=0

Interestingly, connection to any other IP in the object containing the 10.200.200.2, will work just fine. It is only this one.
I have removed the MAC from the object too, just in case something happened there; I removed it altogether from the object, saved, and re-added it.

The same goes for connecting from any other IP in the network: it blocks access to this address. There are two more addresses acting like this, for no apparent reason. I do not have them added to any rules different from the other IPs within the object, so I cannot see why Zentyal chose to single out these IPs as inaccessible.

I deactivated IDS too.

Still no-go.

BUT: access from the outside world, WAN, via port forwarding, works without a problem to any of the IPs in question.

Very interesting little issue this.
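The kernel line quoted above is the standard netfilter LOG format with Zentyal's "zentyal-firewall drop" prefix, and two things in it are worth pulling out systematically when this kind of problem shows up: the packet entered and would leave on the same interface (IN=eth0 OUT=eth0, which is what traffic between two networks sharing one NIC looks like), and the MAC field, which is where a radio without WDS substitutes its own address for the client's so that MAC-based objects stop matching (the cause the poster eventually found). The script below is an added example, not Zentyal's own code or anything the poster ran: it parses such log lines, reports drops where IN equals OUT, and flags any source IP that shows up with more than one source MAC. The log lines other than the quoted one are constructed samples with MACs from the 00:00:5e:00:53:xx documentation range; the reading of IN=OUT as "same physical interface" is an inference from the thread, not something the log states.

```python
import re
from collections import Counter, defaultdict

# Added example (not Zentyal's code): parse "zentyal-firewall drop" kernel log
# lines and run a few checks over them. First sample line is the one quoted in
# the thread; the others are constructed for illustration.
SAMPLE_LOG = """\
Oct 30 11:14:46 jmbgw kernel: [514160.659574] zentyal-firewall drop IN=eth0 OUT=eth0 MAC=[removed] SRC=10.30.20.10 DST=10.200.200.2 LEN=172 TOS=0x00 PREC=0x00 TTL=62 ID=57030 DF PROTO=TCP SPT=49520 DPT=444 WINDOW=115 RES=0x00 ACK PSH URGP=0
Oct 30 11:15:02 jmbgw kernel: [514176.101000] zentyal-firewall drop IN=eth0 OUT=eth0 MAC=00:00:5e:00:53:01:00:00:5e:00:53:aa:08:00 SRC=10.30.20.10 DST=10.200.200.2 LEN=180 TOS=0x00 PREC=0x00 TTL=62 ID=57031 DF PROTO=UDP SPT=41000 DPT=10001 LEN=160
Oct 30 11:15:09 jmbgw kernel: [514183.220000] zentyal-firewall drop IN=eth0 OUT=eth0 MAC=00:00:5e:00:53:01:00:00:5e:00:53:bb:08:00 SRC=10.30.20.10 DST=10.200.200.2 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=57032 DF PROTO=TCP SPT=49600 DPT=9080 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 30 11:15:20 jmbgw kernel: [514194.330000] zentyal-firewall drop IN=eth0 OUT=eth1 MAC=00:00:5e:00:53:01:00:00:5e:00:53:cc:08:00 SRC=10.30.20.11 DST=10.200.200.3 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=57033 DF PROTO=TCP SPT=49700 DPT=9080 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 30 11:15:31 jmbgw kernel: [514205.440000] zentyal-firewall drop IN=eth0 OUT=eth0 MAC=00:00:5e:00:53:01:00:00:5e:00:53:aa:08:00 SRC=10.30.20.10 DST=10.200.200.2 LEN=180 TOS=0x00 PREC=0x00 TTL=62 ID=57034 DF PROTO=UDP SPT=41001 DPT=10001 LEN=160
Oct 30 11:16:00 jmbgw kernel: [514234.000000] some unrelated kernel message
"""

# "zentyal-firewall <action> KEY=VALUE ..." as written by the netfilter LOG target.
EVENT_RE = re.compile(r"zentyal-firewall (?P<action>\w+) (?P<fields>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_drop_line(line):
    """Return a dict of KEY=VALUE fields for one firewall log line, or None."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    rec = {"action": m.group("action")}
    for key, value in KV_RE.findall(m.group("fields")):
        rec[key] = value  # for UDP the second LEN (UDP length) overwrites the IP LEN
    # netfilter logs MAC as dst(6):src(6):ethertype(2); "[removed]" stays unparsed
    parts = rec.get("MAC", "").split(":")
    rec["dst_mac"] = ":".join(parts[:6]) if len(parts) == 14 else None
    rec["src_mac"] = ":".join(parts[6:12]) if len(parts) == 14 else None
    return rec


def parse_log(text):
    """Parse every firewall line in a log excerpt, skipping other messages."""
    return [r for r in (parse_drop_line(l) for l in text.splitlines()) if r]


def hairpin_drops(records):
    """Drops where the packet entered and would leave on the same interface.
    Traffic between two networks carried on one NIC (eth0 plus its virtual
    interface, as in the thread) shows up this way."""
    return [r for r in records if r.get("IN") and r.get("IN") == r.get("OUT")]


def src_mac_inconsistencies(records):
    """Source IPs seen with more than one source MAC. An access point without
    WDS rewrites the client MAC, so MAC-based firewall objects stop matching;
    this is the symptom behind the thread's eventual fix."""
    seen = defaultdict(set)
    for r in records:
        if r.get("SRC") and r["src_mac"]:
            seen[r["SRC"]].add(r["src_mac"])
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def top_dropped_destinations(records, n=3):
    """Most frequently dropped (DST, PROTO, DPT) tuples."""
    counts = Counter((r.get("DST"), r.get("PROTO"), r.get("DPT")) for r in records)
    return counts.most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} firewall events, {len(hairpin_drops(recs))} with IN == OUT")
    for ip, macs in src_mac_inconsistencies(recs).items():
        print(f"{ip} seen with several source MACs: {sorted(macs)}")
    for (dst, proto, dpt), count in top_dropped_destinations(recs):
        print(f"{count}x drop to {dst} {proto}/{dpt}")
```

Run it against a real excerpt of /var/log/syslog (or the Zentyal firewall log) by replacing SAMPLE_LOG with the file contents; a source IP listed by src_mac_inconsistencies is the thing to look at on the wireless side before touching any firewall rule.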