Multiple default routes / Force external routing
pcc at gmx.net
Tue Apr 14 12:05:58 PDT 2009
Thanks for the numerous responses, first time I feel like home :)
> >>> I have set up a box with various vlan interfaces on it. I naively
> >>> expected to be able to set individual "default" routes and route
> >>> between them via an *external* router (and filter packets there etc.)
> >>> but somehow all packets seem to "short-circuit" locally, and I don't
> >>> seem to be able to see why this is so and how I prevent that.
> > I think you are rather confused about what Multiple FIBs is..
> > All it is is the ability to make a packet use a particular
> > FIB on its outgoing path. There is no such thing as an interface
> > being "in" a FIB. All interfaces are still visible to the routing code
> > by default, and the IP stack still knows about them. I think the IP
> > stack sets the 'loopback' flag on a packet regardless of the FIB
> > selected if the dest is one of its own addresses.
Yup, that is roughly what I expected to hear from what I observed. Took a while to get there mentally though, sorry...
> > What you want is VIMAGE.
I haven't fiddled with that (yet) since it seems to be somewhat separate from the src trunk (isn't it?) and I hoped to remain mainstream. At first glance, it seems attractive ...
> To me, it sounds like he wants to turn the FBSD box into a VLAN
> aggregator, and then "trunk" the VLANs to an external router to route
> between the VLAN subnets.
> If this is the case, then the default route that points to the
> 'external' router would need to be applied on the devices within each
> VLAN subnet, not on the VLAN aggregator device(s) themselves.
> Do I understand what you are trying to do correctly?
The idea was to set up a server which behaves as if it were a set of servers with different tasks, offering different services with different access rights etc. Think of it as a farm of physical servers, some of which are virtualised on a single box; a typical virtualisation task, I think.
The key point I want to achieve is a good separation of the networks, and control of packet interchange via a physically separate device (which also is a FreeBSD box, btw). The Ethernet trunk goes into a switch and from there on to the router. So yes, that's the setup currently. But I may mention that the VLANs extend to other holes on the switch, and I definitely want to avoid packets sneaking past the router if at all possible.
To cut a long story short, I would expect vimage to be a solution at my server end, provided that (I can get it built and) I can tie several jail instances to a given VLAN interface (representing several servers) and be sure that the packets are only seen there (and not on other VLAN ifs). I'll give it a closer look than I did so far asap, so thanks.
All the best,