Hello everyone, I'm trying to implement a firewall in Click and I'm facing an issue.
Here is a schema:
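And my Click configuration:

```
// Inputs and outputs
in :: FromDevice(ens4, PROMISC true);
out :: ToDevice(ens5);
//c::Counter;

// Classifier: split on the EtherType field at byte offset 12
cw :: Classifier(
    12/0800,  // IP packets
    -         // Other
);

// IP filtering: output 0 for matching packets, output 1 for everything else
f :: IPFilter(
    0 src host 192.168.110.0 && ip proto 1 or ip proto 17,
    1 all);

cw[0] -> CheckIPHeader(14) -> f;
cw[1] -> Print("The packet was dropped") -> Discard;
in -> cw;

// Matching packets leave on ens5 with the Ethernet header received on ens4
f[0] -> IPPrint("pass") -> Queue -> out;
f[1] -> Print("Discard") -> Queue -> Discard;
```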
What I want to achieve is when I ping the address 192.168.110.119, then "firewall-vnf" should route the traffic to 192.168.109.23 (i.e. VM3).
I capture the traffic using tcpdump on the output interface (ens5) but as I expected the traffic is not traversing to 192.168.109.23.
What else should I add to the Click configuration file in order to achieve this forwarding?
Or can I do this with iptables rules on the ens5 interface?
Thank you in advance.
It's probably worth looking at the Layer 2 headers. The way I read the config, the packets are going to leave ens5 with the same L2 headers as received on ens4, so even if the packet is forced onto the VM3 interface, VM3 will receive the packet with a destination MAC that it probably does not own.
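The Layer 2 point raised in the reply above, shown as an added example that is not part of the original thread: the accepted path drops the Ethernet header received on ens4 and builds a new one before the packet leaves ens5. Both MAC addresses are constructed placeholders (the issue does not give them), and only the Ethernet header is rewritten; the IP addresses are left as received.

```click
// Added example, not the poster's configuration.
// fw_out and vm3 are hypothetical names; both MACs are placeholders to be
// replaced with the real address of ens5 and of VM3's interface.
AddressInfo(
    fw_out 02:00:00:00:00:05,   // placeholder: MAC of the firewall's ens5
    vm3    02:00:00:00:00:23    // placeholder: MAC of VM3's interface
);

in  :: FromDevice(ens4, PROMISC true);
out :: ToDevice(ens5);

cw :: Classifier(
    12/0800,  // IP packets
    -         // everything else
);

// Same filter expression as in the issue
f :: IPFilter(
    0 src host 192.168.110.0 && ip proto 1 or ip proto 17,
    1 all);

in -> cw;
cw[0] -> CheckIPHeader(14) -> f;
cw[1] -> Print("non-IP, dropped") -> Discard;

// Accepted traffic: remove the 14-byte Ethernet header that arrived on ens4,
// then prepend a new one addressed to VM3 so VM3's NIC accepts the frame.
f[0] -> IPPrint("pass")
     -> Strip(14)
     -> EtherEncap(0x0800, fw_out, vm3)
     -> Queue
     -> out;

// Rejected traffic is logged and dropped
f[1] -> Print("filtered, dropped") -> Discard;
```

Running `tcpdump -e -n -i ens5` prints the link-level header of each frame, so the source and destination MAC addresses leaving ens5 can be checked against the ones VM3 expects.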