Routing outbound IP packets on multihomed box
    Julian Elischer 
    julian at elischer.org
       
    Sat Jun 16 00:35:36 UTC 2007
    
    
  
Christopher Cowart wrote:
> On Fri, Jun 15, 2007 at 06:30:23PM -0400, Boris Kochergin wrote:
>> Christopher Cowart wrote:
>>> I have a server with two NICs:
>>>
>>> em0:        169.229.79.139/25
>>> vlan526:    169.229.126.9/24
>>>
>>> The default gateway is 169.229.79.129. The router for the 126 subnet is
>>> 169.229.126.1. 
>>>
>>> netstat -rn:
>>> | Destination        Gateway            Flags    Refs      Use  Netif 
>>> Expire
>>> | default            169.229.79.129     UGS         0   102537    em0
>>> | 127.0.0.1          127.0.0.1          UH          0      217    lo0
>>> | 169.229.79.128/25  link#1             UC          0        0    em0
>>> | 169.229.79.129     00:15:c7:b9:f4:80  UHLW        2        4    em0   
>>> 1193
>>> | 169.229.79.139     00:11:25:ab:42:70  UHLW        1      589    lo0
>>> | 169.229.126/24     link#9             UC          0        0 vlan52
>>> | 169.229.126.1      00:15:c7:b9:f4:80  UHLW        1       34 vlan52   
>>> 1200
>>> | 169.229.126.9      00:18:f8:09:d3:a5  UHLW        1        8    lo0
>>>
>>> The IP address on em0 works exactly as one would expect. I have full IP
>>> connectivity to it from other subnets. 
>>>
>>> The problem is I can't get 2-way connectivity with the IP address on
>>> vlan526.
>>>
>>> Using my workstation on a third subnet (169.229.127.38/24), I cannot
>>> ping 169.229.126.9. I leave the ping running and do some tcpdumps on 
>>> the server.
>>>
>>> $ sudo tcpdump -ni vlan526 host 169.229.127.38
>>> | 14:14:37.002920 IP 169.229.127.38 > 169.229.126.9: ICMP echo 
>>> | request, id 15733, seq 35, length 64
>>> | 14:14:38.003037 IP 169.229.127.38 > 169.229.126.9: ICMP echo 
>>> | request, id 15733, seq 36, length 64
>>>
>>> Notice there are no echo replies. That's because they're being sent 
>>> here:
>>>
>>> $ sudo tcpdump -ni em0 host 169.229.127.38
>>> | 14:15:42.006997 IP 169.229.126.9 > 169.229.127.38: ICMP echo reply, 
>>> | id 15733, seq 100, length 64
>>> | 14:15:43.007118 IP 169.229.126.9 > 169.229.127.38: ICMP echo reply, 
>>> | id 15733, seq 101, length 64
>>>
>>> I repeated this last snoop with a -w and loaded it into ethereal. The
>>> echo replies being sent out on em0 indeed have a source address of
>>> 169.229.126.9. The router (169.229.79.139) drops these packets on the
>>> floor, because their source address isn't routable on that interface.
>>>
>>> Because routing is based on destination, not source address, I'm not
>>> sure how to get packets sourced from the 126 subnet to the router on the
>>> 126 subnet. I tried the following ipfw rule right after allow loopback
>>> traffic (my second rule):
>>>
>>> fwd 169.229.126.1 ip from 169.229.126.9 to not 169.229.126.0/24
>>>
>>> Still no luck. Has anyone set up a multihomed box on *different* subnets
>>> before without routing them through the FreeBSD box? Does anyone have
>>> any pointers or things I should be looking at?
>> Hi. I've come across this problem but solved it with a PF rule of this 
>> form, if that's an option for you:
>>
>> pass out route-to (vlan256 169.229.126.1) from 169.229.126.9 to any
>>
>> This tells PF to send all packets sent from 169.229.126.9 through the 
>> vlan256 interface with a next-hop address of 169.229.126.1.
> 
> Unfortunately, I don't think we can use pf. The rest of our
> infrastructure is ipfw and we don't particularly want this to be a
> one-off. I was under the impression that my ipfw rule did exactly this,
> by sending the packets to the 126 router as their next hop.
> 
> Anyone have any ideas on whether an ipfw fwd rule can be used in a
> similar way to this pf rule?
> 
> Thanks again,
> 
he ipfw rule should work, assuming you have the IPFIREWALL_FORWARDING option
(and it's not the couple of versions of the OS where you also needed the
IPFIREWALL_FORWARD_EXTENDED option as well..
also, you need to make it an 'out' rule..i.e. 
 fwd 169.229.126.1 ip from 169.229.126.9 to not 169.229.126.0/24 out
    
    
More information about the freebsd-net
mailing list