linux

How to solve the problem with access between two local subnets (Shorewall)?

Good afternoon!
Interested in the following question. There is a configured server on Debian 7.8, two physical interfaces - one looks to the provider (eth0), the other to the local network (eth1). On eth1, addresses are distributed via DHCP (subnet 10.0.0.0/8) and masquerading (NAT) is configured on them. Additionally, the virtual interface eth1:1 with static addressing, without DHCP (subnet 192.168.0.0/16) has been raised. From this subnet, access is via Squid3, but that's not the point. On the eth1:1 network, there is a shared resource with a static ip, to which you need to give access to clients from the eth1 network (10.0.0.0/8).
The whole thing is resolved with the help of Shorewall.
I bring configs.
/etc/shorewall/interfaces
#ZONE INTERFACE OPTIONS
net eth0 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
- eth1 dhcp,tcpflags,nosmurfs,routefilter,logmartians
/etc/shorewall/zones
#ZONE TYPE OPTIONS
fw firewall
net ipv4
loc ipv4
loc2 ipv4
/etc/shorewall/hosts
#ZONE HOSTS OPTIONS
loc eth1:10.0.0.0/8
loc2 eth1:192.168.0.0/16
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL
net fw DROP err
net all DROP
loc net ACCEPT
loc2 net DROP
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT err
/etc/shorewall/rules
#... I omitted some of the rules, because not relevant
#ACTION SOURCE DEST PROTO DEST SOURCE
# Allow Ping n SMB between loc and loc2 (test)
Ping(ACCEPT) loc loc2
Ping(ACCEPT) loc2 loc
SMB(ACCEPT) loc loc2:192.168.100.5
/etc/shorewall /masq
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0
10.0.0.0/8 resources over SMB, although there are explicit rules for this in /etc/shorewall/rules.
I used the official manual, there is an example of how a similar issue is solved (Example 6) - shorewall.net/Shorewall_and_Aliased_Interfaces.html
Tell me, where could be the error? If you need additional logs or configs, then I will give it without problems.