Inter-VLAN routing on CURRENT: any known issues?

O. Hartmann ohartmann at walstatt.org
Fri Jul 14 16:32:58 UTC 2017


Am Fri, 14 Jul 2017 15:00:30 +0300
"Andrey V. Elsukov" <bu7cher at yandex.ru> schrieb:

> On 14.07.2017 14:42, O. Hartmann wrote:
> > I use in-kernel NAT. IPFW is performing NAT. In firewall type "OPEN" from the
> > vanilla rc.conf, IPFW has instance "nat 123" which provides then NAT.  
> 
> I never used default config types for firewall, so, it would be nice to
> see what rules do you have.

Me neither except on some hosts with very little complications in their setups or simple
clients.

> 
> # ipfw show

The OPEN firewall rules, which show the very same behaviour as I stated before:

root at gate:~ # ipfw list
00050 nat 123 ip4 from any to any via tun0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any

> # ipfw nat show config

root at gate:~ # ipfw nat show config
ipfw nat 123 config if tun0 log

or

ipfw nat 1 config if tun0 log same_ports reset redirect_port tcp 192.168.0.111:9734 9734
redirect_port tcp 192.168.0.111:5432 5432 redirect_port udp 192.168.2.1:2427 2427
redirect_port udp 192.168.2.1:4569 4569 redirect_port udp 192.168.2.1:5060 5060
redirect_port tcp 192.168.2.1:5060 5060 redirect_port tcp 192.168.0.111:443 443
redirect_port tcp 192.168.0.111:80 80 redirect_port tcp 192.168.0.111:22 22

> 
> >> VLANs work on the layer2  
> > According to 1):
> > 
> > I consider the settings of the switch now as correct. I have no access to the
> > router right now. But I did short experiments yesterday evening and it is
> > weird: loged in on thr router, I can ping every host on any VLAN, so ICMP
> > travel from the router the right way to its destination and back.
> > 
> > From any host on any VLAN that is "trunked" through the router, I can ping any
> > other host on any other VLAN, preferrably not on the same VLAN. By cutting off
> > the trunk line to the router, pinging stops immediately.
> > 
> > From any host on any VLAN I can ping any host which is NATed on the outside
> > world.
> > 
> > From the router itself, I can ssh into any host on any VLAN providing ssh
> > service. That said, according to question 3), NAT is considered to be setup
> > correctly.
> > 
> > Now the strange things: Neither UDP, nor TCP services "flow" from hosts on one
> > VLAN to hosts on a different VLAN. Even ssh doens't work. 
> > When loged in onto the router, I can't "traceroute" any host on any VLAN.  
> 
> This is most likely due to the problem with firewall rules.
> If you set net.inet.ip.firewall.enable=0, does it solve the problem with
> TCP/UDP between hosts on a different VLANs?

net.inet.ip.firewall.enable does not exist, I suppose it is net.inet.ip.fw.enable.

Not, it doesn't change anything, last rule in my list is deny all, as you can see above
(in-kernel).

> 
> > According to question 2), the ability to ping from, say, a host on VLAN 1000 to
> > another host on VLAN 2 passing through the router would indicate that both
> > sides know their routes to each other. Or am I wrong?  
> 
> Yes.
> 
> > I got words from Sean bruno that there might be a problem with the Intel i210
> > chipset in recent CURRENT - and the hardware on the PCEngine APU 2C4 is three
> > i210. I'm aware of the problem since r320134 (the oldest CURRENT I started
> > experimenting with the VLAN trunking).  
> 
> It is very strange problems, why ICMP works, but TCP/UDP does not? :)
> You can try to disable any type of offloading for the card, there were
> some problems in the past with checksum offlading, that may lead to the
> problems with TCP, but this usually should be noticeable in the tcpdump
> output.
> 

I tried that, but somehow I do not have any check:

ifconfig_igb1="up"
#ifconfig_igb1="inet6 ::1 prefixlen 64 mtu 6121"
create_args_igb1="-tso -lro -rxcsum -txcsum -rxcsum6 -txcsum6 -vlanhwtso -vlanhwcsum
-vlanhwfilter -vlanhwtag"


and ifconfig igb1:

igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6525bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>



Kind regards,

Oliver
-- 
O. Hartmann

Ich widerspreche der Nutzung oder Übermittlung meiner Daten für
Werbezwecke oder für die Markt- oder Meinungsforschung (§ 28 Abs. 4 BDSG).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 313 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20170714/8d11f818/attachment.sig>


More information about the freebsd-questions mailing list