I'm back for some help. Thanks in advance for clearing up my confusion.
My setup for this thread is:
DotQSwitch as the bridge
DotQSwitch.5, .10, .15....
Rules in place:
DotQSwitch.5 "allow fwd to dest zones" .10,.15,.20,.25
DotQSwitch.20 "allow fwd to dest zones" WAN
When a device in DotQSwitch.5 initiates a TCP connect to a device in .20 I thought
`ct state established,related accept comment "!fw4: Allow forwarded established and related flows"`
which is the default in all chains (FWD, IN, OUT), would track that and allow the return traffic.
What actually happens is the traffic is dropped (for TCP the SYN-ACK is blocked and for UDP I get ICMP port unreachable).
Of course if I make a traffic rule allowing from .20 to .5 for these sets of ports and protocols, traffic is allowed, so it isn't a "networking" issue per se.
What am I missing? BTW fw logging returns:
`reject DotQSwitch.20 forward:`
and this is the forward chain:

```
chain forward {
    type filter hook forward priority filter; policy drop;
    meta l4proto { tcp, udp } flow offload @ft;
    ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
    ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
    iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
    # (remaining zone jumps omitted from the post)
}
```
Thoughts?
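To make the expected behaviour concrete, here is a toy model of the forward chain from the post, written as an added example (not the poster's code and not fw4/nftables itself). It models only two of the rules, the `ct state established,related accept` rule and a zone jump with the per-zone allow-lists described above; the `flow offload @ft` rule is omitted, and the conntrack table, zone names and sample hosts are simplified assumptions. It does not diagnose the poster's setup; it shows why a return packet that lands in a zone chain implies conntrack had no entry for that flow.

```python
"""Toy model of how 'ct state established,related accept' lets return traffic
bypass the fw4 zone rules in the forward chain from the post.

Added example, not code from the post or from OpenWrt/fw4: the conntrack table,
zone allow-lists and packet model are simplified assumptions, and the
'flow offload @ft' rule is omitted.
"""
from dataclasses import dataclass, field

# Zone forwarding policy as described in the post (source zone -> allowed destination zones).
ZONE_FORWARD = {
    "DotQSwitch.5": {"DotQSwitch.10", "DotQSwitch.15", "DotQSwitch.20", "DotQSwitch.25"},
    "DotQSwitch.20": {"wan"},
}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp" or "udp"
    src: tuple            # (ip, port)
    dst: tuple            # (ip, port)
    flags: str = ""       # TCP flags, e.g. "SYN" or "SYN-ACK"; unused for UDP


@dataclass
class Conntrack:
    """Minimal conntrack table: one entry per flow, keyed on the original direction."""
    flows: set = field(default_factory=set)

    def state(self, p: Packet) -> str:
        """'established' if either direction of p's 5-tuple is known, else 'new'."""
        if (p.proto, p.src, p.dst) in self.flows or (p.proto, p.dst, p.src) in self.flows:
            return "established"
        return "new"

    def commit(self, p: Packet) -> None:
        """Record a flow once the forward chain accepted its first packet."""
        self.flows.add((p.proto, p.src, p.dst))


def forward_chain(p: Packet, ct: Conntrack) -> tuple[str, str]:
    """Evaluate the modelled forward chain; return (verdict, matching rule)."""
    if ct.state(p) == "established":
        # First rule of the chain: tracked return traffic never reaches the zone rules.
        return "accept", "ct state established,related accept"
    # Zone jump: forward_<zone> allows only the destination zones listed in the policy.
    if p.dst_zone in ZONE_FORWARD.get(p.src_zone, set()):
        ct.commit(p)
        return "accept", f"forward_{p.src_zone}: allow fwd to {p.dst_zone}"
    return "reject", f"reject {p.src_zone} forward"


# Constructed sample hosts (assumed addresses): a client in .5 and a server in .20.
CLIENT = ("10.0.5.10", 40000)
SERVER = ("10.0.20.10", 443)


def tcp_connect_with_conntrack() -> list[tuple[str, str]]:
    """SYN from .5 to .20, then the SYN-ACK back: the reply is accepted by the ct rule."""
    ct = Conntrack()
    syn = Packet("DotQSwitch.5", "DotQSwitch.20", "tcp", CLIENT, SERVER, "SYN")
    syn_ack = Packet("DotQSwitch.20", "DotQSwitch.5", "tcp", SERVER, CLIENT, "SYN-ACK")
    return [forward_chain(syn, ct), forward_chain(syn_ack, ct)]


def udp_reply_without_conntrack() -> tuple[str, str]:
    """A UDP reply from .20 to .5 with no conntrack entry falls through to the zone rules."""
    ct = Conntrack()  # empty: the request was never tracked (or the entry is gone)
    reply = Packet("DotQSwitch.20", "DotQSwitch.5", "udp", SERVER, CLIENT)
    return forward_chain(reply, ct)


if __name__ == "__main__":
    for verdict, rule in tcp_connect_with_conntrack():
        print(f"{verdict:7s} <- {rule}")
    verdict, rule = udp_reply_without_conntrack()
    print(f"{verdict:7s} <- {rule}")
```

The second scenario reproduces the shape of the logged `reject DotQSwitch.20 forward` verdict: the reply only reaches the `forward_DotQSwitch.20` zone chain because no conntrack entry matched it. On a real router the equivalent check is to look at the conntrack table (for example with `conntrack -L` from conntrack-tools) while the connection attempt is made and confirm whether an entry for the original .5 to .20 flow exists at the moment the reply arrives.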