Inter-VLAN routing on CURRENT: any known issues?

O. Hartmann ohartmann at walstatt.org
Sun Jul 16 21:05:29 UTC 2017


On Fri, 14 Jul 2017 15:00:30 +0300,
"Andrey V. Elsukov" <bu7cher at yandex.ru> wrote:

> On 14.07.2017 14:42, O. Hartmann wrote:
> > I use in-kernel NAT. IPFW is performing NAT. In firewall type "OPEN" from the
> > vanilla rc.conf, IPFW has instance "nat 123", which then provides NAT.
> 
> I never used default config types for the firewall, so it would be nice to
> see what rules you have.
> 
> # ipfw show
> # ipfw nat show config
> 
> >> VLANs work at layer 2
> > According to 1):
> > 
> > I consider the settings of the switch now as correct. I have no access to the
> > router right now. But I did short experiments yesterday evening and it is
> > weird: logged in on the router, I can ping every host on any VLAN, so ICMP
> > travels from the router the right way to its destination and back.
> > 
> > From any host on any VLAN that is "trunked" through the router, I can ping any
> > other host on any other VLAN, preferably not on the same VLAN. By cutting off
> > the trunk line to the router, pinging stops immediately.
> > 
> > From any host on any VLAN I can ping any host which is NATed on the outside
> > world.
> > 
> > From the router itself, I can ssh into any host on any VLAN providing ssh
> > service. That said, according to question 3), NAT is considered to be setup
> > correctly.
> > 
> > Now the strange things: Neither UDP nor TCP services "flow" from hosts on one
> > VLAN to hosts on a different VLAN. Even ssh doesn't work.
> > When logged in on the router, I can't "traceroute" any host on any VLAN.
> 
> This is most likely due to the problem with firewall rules.
> If you set net.inet.ip.firewall.enable=0, does it solve the problem with
> TCP/UDP between hosts on a different VLANs?
> 
> > According to question 2), the ability to ping from, say, a host on VLAN 1000 to
> > another host on VLAN 2 passing through the router would indicate that both
> > sides know their routes to each other. Or am I wrong?  
> 
> Yes.
> 
> > I got word from Sean Bruno that there might be a problem with the Intel i210
> > chipset in recent CURRENT, and the hardware on the PCEngine APU 2C4 is three
> > i210s. I'm aware of the problem since r320134 (the oldest CURRENT I started
> > experimenting with the VLAN trunking on).
> 
> These are very strange problems; why does ICMP work, but TCP/UDP does not? :)
> You can try to disable any type of offloading for the card; there were
> some problems in the past with checksum offloading, which may lead to
> problems with TCP, but this usually should be noticeable in the tcpdump
> output.
> 

I have not had any success with this, and I must now ask, so as not to make a fool of
myself, whether the concept of having several VLANs over one single NIC is possible with
FreeBSD (12-CURRENT, as of today, r321055).

Since it is not even possible to "route" from a non-tagged igb1 to a tagged vlan igb1.2
or igb1.66 (for instance) on the same NIC, I have a faint suspicion that I'm doing
something terribly wrong.

I think everyone working with VLANs would have these problems, but since I can not find
anything on the list, I must be doing something wrong; that is my simple conclusion.

What is it?

-- 
O. Hartmann

I object to the use or transmission of my data for advertising purposes or for
market or opinion research (§ 28 Abs. 4 BDSG).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 313 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20170716/acb5cd28/attachment.sig>
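An added example, not part of this thread and not code from the FreeBSD base system: an rc.conf(5) fragment for the setup the poster describes (several tagged VLANs as children of one igb NIC, IPv4 forwarding, and the OPEN ruleset with its in-kernel NAT instance bound to the uplink only), followed by a small sh helper for the offload check suggested in the reply, which turns the capability list that ifconfig(8) prints for the card into the flags that switch those offloads off. The interface roles (igb0 uplink, igb1 trunk), VLAN IDs 2 and 66, the addresses and the sample options line are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Part 1 is an rc.conf(5) fragment for
# several tagged VLANs on one NIC behind a NATing uplink; part 2 is a helper
# for the checksum-offload check suggested in the reply. igb0/igb1, the VLAN
# IDs and the addresses are assumptions.

# --- 1. rc.conf fragment (assumed: igb0 = uplink, igb1 = 802.1Q trunk) ---
gateway_enable="YES"                    # sets net.inet.ip.forwarding=1
ifconfig_igb0="DHCP"
ifconfig_igb1="up"                      # parent carries only tagged frames
vlans_igb1="2 66"                       # creates igb1.2 and igb1.66
ifconfig_igb1_2="inet 192.0.2.1/24"     # assumed addresses (RFC 5737 ranges)
ifconfig_igb1_66="inet 198.51.100.1/24"
firewall_enable="YES"
firewall_type="OPEN"
firewall_nat_enable="YES"               # in-kernel NAT instance for the uplink
firewall_nat_interface="igb0"           # igb1.2 <-> igb1.66 traffic is not NATed

# --- 2. offload helper ---
# Map the capability names in an "options=..." line of ifconfig(8) output to
# the ifconfig flags that disable the corresponding offload. VLAN_HWTAGGING
# and VLAN_HWFILTER are left alone on purpose: they are not checksum or
# segmentation offloads.
offload_disable_flags() {
    # $1: e.g. options=6527bb<RXCSUM,TXCSUM,VLAN_MTU,...>
    caps=$(printf '%s\n' "$1" | sed -n 's/.*<\(.*\)>.*/\1/p' | tr ',' ' ')
    out=""
    for c in $caps; do
        case "$c" in
            RXCSUM)      f="-rxcsum" ;;
            TXCSUM)      f="-txcsum" ;;
            RXCSUM_IPV6) f="-rxcsum6" ;;
            TXCSUM_IPV6) f="-txcsum6" ;;
            TSO4)        f="-tso4" ;;
            TSO6)        f="-tso6" ;;
            LRO)         f="-lro" ;;
            VLAN_HWCSUM) f="-vlanhwcsum" ;;
            VLAN_HWTSO)  f="-vlanhwtso" ;;
            *)           continue ;;
        esac
        out="$out $f"
    done
    printf '%s\n' "${out# }"
}

# Constructed sample line, modelled on what igb(4) reports. On the router
# itself you would feed it:  offload_disable_flags "$(ifconfig igb1 | grep options=)"
SAMPLE_OPTIONS='options=6527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>'
printf 'ifconfig igb1 %s\n' "$(offload_disable_flags "$SAMPLE_OPTIONS")"
```

Run the printed ifconfig line on the router, then retry an ssh or other TCP connection between two VLANs while watching the vlan interface with tcpdump -v, which marks bad checksums as incorrect in its output. If the offloads turn out to be the cause, put the same flags into ifconfig_igb1 (for instance ifconfig_igb1="up -txcsum -rxcsum") so they are applied at boot on the parent before the vlan children are created.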