I have a Linux server (CentOS release 3.7) with CP UTM 1 (Firewall, VPN) and Snort (version 2.8.5.rc (Build 86)) installed. The server has four physical interfaces: three physical interfaces are configured on one VLAN, and multiple VLANs are configured on the fourth interface (trunk).
When writing a Snort plugin for sending RESET packets into multiple VLANs on the one physical interface, I found a problem. When I connect from my workstation (which is connected to the physical interface with multiple VLANs) to servers (which are connected to a physical interface with one VLAN or multiple VLANs), tcpdump, and therefore Snort, doesn’t see any packets from the workstation to the destination server, but sees the reverse packets from the destination server to the workstation. Plus, the reverse packets don’t contain information about the VLAN ID (see upload.wikimedia.org/wikipedia/commons/2/23/TCPIP_802.1Q.jpg). Snort is running on the physical interface with the trunk.
What could be the problem? Maybe I need to configure the driver for the NIC, or does the problem exist because CP Firewall is running on this server?