Bump. There should be a check box to have nethserver add the arp_filter option. It would make testing much easier and also allow using nethserver as a firewall behind another router, without having to separate the networks (which is not always possible). The logical separation is enough.
Even cheap switches (39 euros) support VLANs OOTB. 20 minutes for setting up and testing should solve the issue.
IMVHO, due to the high risk of creating unpredictable (and really wrong) configurations, this kind of option might not even be considered interesting.
You need additional hardware and have to do additional cabling.
It is not possible in some configurations. I have customers where I cannot change the switching infrastructure but still want to have nethserver as an outgoing filtering proxy and router in a VM. This VM has to have red and green interfaces in the same physical network (because it cannot be changed).
Also, if you use a simple hardware or virtual nethserver behind another internet router to forward ports to some internal services with the extra protection of IPS and firewall, it is often not possible to change the physical cabling to have everything behind nethserver.
I use this patch at several sites for months now without any problems.
I hope that the dev team will consider this user case interesting enough to implement what you’re asking for.
In any case, in a VM environment maybe you can just arrange a slightly different cable and host setup to avoid the use of arp_filter.
I don’t like hidden configuration options, because you start to compare things in different installations by the UI and are searching forever for a difference. It should definitely be in the UI.
The checkbox should be called “Enable ARP filter” and the description “Enable on interfaces connected to the same switch to prevent firewall malfunctions (not recommended, but useful for special configurations and testing). See https://shorewall.org/troubleshoot.htm”.
ARP Filter: It is strongly recommended to have each Nethserver interface on a separate switch so they cannot see each other. Given the way the Linux kernel responds to ARP “who-has” requests, having several interfaces on the same switch does not work by default. If you really need this type of configuration for testing or special cases where network cabling cannot be changed, you have to check this option for every interface that is on the same switch as another interface of Nethserver. This option sets the “arp_filter=1” option for the interface. See also https://shorewall.org/troubleshoot.htm for more information.
Just to add an alternative, even simpler implementation:
Instead of an option for each interface, it could be considered to have a global option, which adds arp_filter=1 to all interfaces. Maybe this is even simpler, as in most cases there are not that many interfaces, so that you need to configure some with arp_filter=1 and some without (the extra option does no harm). My template also adds arp_filter=1 to all interfaces, so it is less likely to forget one.
I agree with @pike that the best approach is to physically separate networks.
We discussed the feature internally and we also interviewed other people outside of this forum, but we didn’t receive any positive feedback on this feature request.
As you can see, no other user here has a similar usage scenario.
In the end, we are not going to implement it. Still, we are open to contributions.
My final suggestion is to use a template-custom:
Create the dir: mkdir -p /etc/e-smith/templates-custom/etc/shorewall/interfaces/
Copy the original fragment: cp /etc/e-smith/templates/etc/shorewall/interfaces/20nics /etc/e-smith/templates-custom/etc/shorewall/interfaces/
Change /etc/e-smith/templates-custom/etc/shorewall/interfaces/20nics according to your needs
Apply the configuration: signal-event firewall-adjust
Your modification will survive updates and will even be saved inside the backup.
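Added example (not code from this thread, from NethServer or from Shorewall) of what the templates-custom copy of 20nics has to produce and how to verify the result after `signal-event firewall-adjust`. Shorewall takes `arp_filter` in the OPTIONS column of /etc/shorewall/interfaces and sets /proc/sys/net/ipv4/conf/<iface>/arp_filter to 1 when it starts; the script below rewrites an interfaces file so every interface line carries that option, and then checks the kernel setting. Assumptions: the classic four-column layout (ZONE INTERFACE BROADCAST OPTIONS) without trailing comments on interface lines, a fake /proc/sys tree for the demo, and function names (`add_arp_filter`, `arp_filter_value`, `check_arp_filter`) that are ours.

```shell
#!/bin/sh
# Added example, not NethServer or Shorewall code.
# add_arp_filter  : rewrite a Shorewall interfaces file so that every
#                   interface line has arp_filter in its OPTIONS column
#                   (what the templates-custom 20nics fragment must emit)
# check_arp_filter: verify the kernel picked the setting up after restart
# Assumption: classic 4-column layout ZONE INTERFACE BROADCAST OPTIONS,
#             no trailing comments on interface lines.

# add_arp_filter <infile> <outfile>
# Comments, blank lines and a ?FORMAT header pass through unchanged.
# Idempotent: an interface that already has arp_filter is left alone.
add_arp_filter() {
    awk '
        /^[ \t]*(#|$)/ { print; next }
        /^\?FORMAT/    { print; next }
        {
            zone = $1; iface = $2; bcast = $3; opts = $4
            if (bcast == "") bcast = "-"
            if (opts == "" || opts == "-") opts = "arp_filter"
            else if (opts !~ /(^|,)arp_filter(,|$)/) opts = opts ",arp_filter"
            printf "%s\t%s\t%s\t%s\n", zone, iface, bcast, opts
        }' "$1" > "$2"
}

# arp_filter_value <proc_sys_root> <iface>
# Print the current value, or "missing" if the interface has no entry.
# Pass /proc/sys as the root on a live box; a test tree otherwise.
arp_filter_value() {
    cat "$1/net/ipv4/conf/$2/arp_filter" 2>/dev/null || echo missing
}

# check_arp_filter <proc_sys_root> <iface>...
# Succeed only if every named interface has arp_filter=1; report the rest.
check_arp_filter() {
    root=$1; shift
    rc=0
    for i in "$@"; do
        v=$(arp_filter_value "$root" "$i")
        if [ "$v" != 1 ]; then
            echo "$i: arp_filter=$v, expected 1" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed input: a sample interfaces file and a fake /proc/sys
# tree, not a live system.
demo() {
    d=$(mktemp -d)
    cat > "$d/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags
loc     eth1        detect      -
dmz     eth2        detect      arp_filter,routeback
EOF
    add_arp_filter "$d/interfaces" "$d/interfaces.new"
    cat "$d/interfaces.new"
    # red (eth0) and green (eth1) on the same switch: only eth0 was fixed
    for i in eth0 eth1; do mkdir -p "$d/proc/net/ipv4/conf/$i"; done
    echo 1 > "$d/proc/net/ipv4/conf/eth0/arp_filter"
    echo 0 > "$d/proc/net/ipv4/conf/eth1/arp_filter"
    check_arp_filter "$d/proc" eth0 eth1 || echo "check failed as expected for eth1"
    rm -rf "$d"
}
demo
```

On a real NethServer the check is `check_arp_filter /proc/sys eth0 eth1` after `signal-event firewall-adjust`; any interface still reporting 0 is one the custom fragment missed, which matches the earlier remark that it is easier to add the option to all interfaces than to forget one.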