Inter-VLAN routing on CURRENT: any known issues?

Andrey V. Elsukov bu7cher at
Thu Jul 13 13:15:15 UTC 2017

On 12.07.2017 22:43, O. Hartmann wrote:
> Now the FUN PART:
> From any host in any VLAN I'm able to ping hosts on the wild internet via their IP, on
> VLAN 1000 there is a DNS running, so I'm also able to resolve names like or
> But I can NOT(!) access any host via http/www or ssh.

You have not specified where the NAT is configured and its settings is

VLANs work at layer 2; they are not used for IP routing. Each received
packet loses its layer 2 header before it gets taken by the IP stack. If an
IP packet should be routed, the IP stack determines the outgoing interface
and a new Ethernet header with the VLAN header from this interface is prepended.

What I would do in your place:
1. Check the correctness of the switch settings.
  - on the router, use tcpdump on each vlan interface and
    also directly on igb1. Use the -e argument to see the Ethernet header.
    Try pinging the router's IP address from each vlan; you should see a tagged
    packet on igb1 and an untagged one on the corresponding vlan interface.

2. Check the correctness of the routing settings for each used node.
  - to be able to establish a connection from one vlan to another, both nodes
    must have a route to each other.

3. Check the NAT settings.
  - to be able to connect to the Internet from your addresses, you must
    use NAT. If you don't have NAT, but it somehow works, this means
    that some device does the translation for you, but its
    configuration does not meet your requirements. And probably you
    need to translate prefixes configured for your vlans independently.

WBR, Andrey V. Elsukov
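
The tagged/untagged comparison from step 1, as an added example that is not part of the original message: a shell helper that reads `tcpdump -e` text and reports whether the ping frames carry the expected 802.1Q tag. The interface name vlan1000, the function names and the sample capture lines are assumptions constructed for illustration; it also assumes the test ping is the only ICMP echo traffic during the capture.

```shell
#!/bin/sh
# Captures for step 1 (as root on the router; vlan1000 is an assumed name
# for the VLAN 1000 interface, igb1 is the parent interface from the thread):
#   tcpdump -e -n -c 50 -i igb1     > trunk.txt
#   tcpdump -e -n -c 50 -i vlan1000 > vlan.txt

# Count ICMP echo frames per VLAN tag in `tcpdump -e` text read from stdin.
tag_summary() {
    awk '
        !/ICMP echo (request|reply)/ { next }
        /ethertype 802\.1Q/ {
            id = "?"
            for (i = 1; i < NF; i++)
                if ($i == "vlan") { id = $(i + 1); sub(/,$/, "", id); break }
            seen["vlan" id]++
            next
        }
        { seen["untagged"]++ }
        END { for (k in seen) print k, seen[k] }
    ' | sort
}

# check_capture trunk|vlan VLAN_ID < capture
# trunk: every echo frame must carry tag VLAN_ID; vlan: every one untagged.
check_capture() {
    kind=$1; want=$2
    case $kind in
        trunk) expect="vlan$want" ;;
        vlan)  expect="untagged" ;;
        *) echo "usage: check_capture trunk|vlan VLAN_ID" >&2; return 2 ;;
    esac
    summary=$(tag_summary)
    # Pass only when exactly one class of frame was seen and it is the expected one.
    if [ "$(printf '%s\n' "$summary" | awk '{print $1}')" = "$expect" ]; then
        echo "OK: $summary"; return 0
    fi
    echo "FAIL (expected only $expect): $(printf '%s' "$summary" | tr '\n' ';')"
    return 1
}

# Constructed sample lines in tcpdump -e format (not real captures).
sample_trunk() { cat <<'EOF'
13:15:15.000001 00:00:5e:00:53:0a > 00:00:5e:00:53:01, ethertype 802.1Q (0x8100), length 102: vlan 1000, p 0, ethertype IPv4 (0x0800), 192.168.0.10 > 192.168.0.1: ICMP echo request, id 7, seq 0, length 64
13:15:15.000090 00:00:5e:00:53:01 > 00:00:5e:00:53:0a, ethertype 802.1Q (0x8100), length 102: vlan 1000, p 0, ethertype IPv4 (0x0800), 192.168.0.1 > 192.168.0.10: ICMP echo reply, id 7, seq 0, length 64
EOF
}
sample_vlan() { cat <<'EOF'
13:15:15.000001 00:00:5e:00:53:0a > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 98: 192.168.0.10 > 192.168.0.1: ICMP echo request, id 7, seq 0, length 64
13:15:15.000090 00:00:5e:00:53:01 > 00:00:5e:00:53:0a, ethertype IPv4 (0x0800), length 98: 192.168.0.1 > 192.168.0.10: ICMP echo reply, id 7, seq 0, length 64
EOF
}
sample_trunk | check_capture trunk 1000
sample_vlan  | check_capture vlan 1000
```

A FAIL on igb1 that lists `untagged` or a different VLAN ID points at the switch port configuration rather than at routing or NAT.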
