Date:      Thu, 13 Jul 2017 16:12:06 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        "O. Hartmann" <ohartmann@walstatt.org>, FreeBSD CURRENT <freebsd-current@freebsd.org>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Inter-VLAN routing on CURRENT: any known issues?
Message-ID:  <c9679df1-e809-3d2b-9432-88664aae3b0a@yandex.ru>
In-Reply-To: <20170712214334.4fc97335@thor.intern.walstatt.dynvpn.de>
References:  <20170712214334.4fc97335@thor.intern.walstatt.dynvpn.de>

On 12.07.2017 22:43, O. Hartmann wrote:
> Now the FUN PART:
>
> From any host in any VLAN I'm able to ping hosts on the wild internet via their IP, on
> VLAN 1000 there is a DNS running, so I'm also able to resolve names like google.com or
> FreeBSD.org. But I can NOT(!) access any host via http/www or ssh.

You have not specified where the NAT is configured, and its settings
matter.

VLANs work on layer 2; they are not used for IP routing. Each received
packet loses its layer 2 header before it gets taken by the IP stack. If an
IP packet should be routed, the IP stack determines the outgoing interface,
and a new Ethernet header with the VLAN header from this interface is prepended.

What I would do in your place:
1. Check the correctness of the switch settings.
  - on the router, use tcpdump on each vlan interface and
    also directly on igb1. Use the -e argument to see the Ethernet header.
    Try to ping the router's IP address from each VLAN; you should see a
    tagged packet on igb1 and an untagged one on the corresponding vlan
    interface.

2. Check the correctness of the routing settings for each used node.
  - to be able to establish a connection from one VLAN to another, both
    nodes must have a route to each other.

3. Check the NAT settings.
  - to be able to connect to the Internet from your addresses, you must
    use NAT. If you don't have NAT, but it somehow works, this means
    that some device does the translation for you, but its
    configuration does not meet your requirements. And you probably
    need to translate the prefixes configured for your VLANs independently.

-- 
WBR, Andrey V. Elsukov
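
The layer 2 behaviour described in the message above, as an added example that is not part of the original e-mail and is not FreeBSD code: a small model that parses an Ethernet frame, reports the 802.1Q VLAN ID if a tag is present, and rebuilds the header the way a router does when it forwards an IP packet out of another VLAN. The MAC addresses, the payload bytes and the outgoing VLAN 2 are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_IPV4 = 0x0800

def parse_l2(frame: bytes):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]      # untagged frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]  # low 12 bits = VLAN ID

def build_l2(dst, src, vlan_id, etype, payload):
    """Build an Ethernet header, tagged when vlan_id is not None."""
    hdr = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID out of range")
        hdr += struct.pack("!HH", TPID_8021Q, vlan_id)  # priority bits left 0
    return hdr + struct.pack("!H", etype) + payload

def route_between_vlans(frame, router_mac, next_hop_mac, out_vlan):
    """Drop the received L2 header and prepend a new one for the outgoing
    VLAN; the IP packet itself is carried over unchanged."""
    _, _, _, etype, ip_packet = parse_l2(frame)
    return build_l2(next_hop_mac, router_mac, out_vlan, etype, ip_packet)

# Constructed sample data (not taken from the thread, except VLAN 1000).
ROUTER = bytes.fromhex("020000000001")
HOST_A = bytes.fromhex("02000000000a")
HOST_B = bytes.fromhex("02000000000b")
PAYLOAD = b"constructed-ip-packet"

# What the trunk port carries: tagged. What a vlan interface shows: untagged.
ON_TRUNK = build_l2(ROUTER, HOST_A, 1000, ETH_IPV4, PAYLOAD)
ON_VLAN_IF = build_l2(ROUTER, HOST_A, None, ETH_IPV4, PAYLOAD)

if __name__ == "__main__":
    for name, f in (("trunk", ON_TRUNK), ("vlan if", ON_VLAN_IF)):
        print(name, "vlan =", parse_l2(f)[2])
    out = route_between_vlans(ON_TRUNK, ROUTER, HOST_B, 2)
    print("routed, vlan =", parse_l2(out)[2])
```
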

