From owner-freebsd-current@freebsd.org Tue Jul 4 07:18:23 2017
Date: Tue, 4 Jul 2017 09:18:13 +0200
From: "O. Hartmann"
To: Milan Obuch
Cc: freebsd-current@freebsd.org, Freddie Cash
Subject: Re: static routes on VLAN on CURRENT
Message-ID: <20170704091813.4a41bb61@freyja.zeit4.iv.bundesimmobilien.de>
In-Reply-To: <20170702211217.0d22b349@zeta.dino.sk>
References: <20170702133957.1f337a2e@hermann> <20170702143934.2bbcc98a@zeta.dino.sk> <20170702201344.274eb23d@hermann> <20170702211217.0d22b349@zeta.dino.sk>
Organization: Walstatt
List-Id: Discussions about the use of FreeBSD-current

On Sun, 2 Jul 2017 21:12:17 +0200
Milan Obuch wrote:

> On Sun, 2 Jul 2017 20:13:49 +0200
> "Hartmann, O." wrote:
>
> > On Sun, 2 Jul 2017 14:39:34 +0200
> > Milan Obuch wrote:
> >
> [ snip ]
>
> > > > To not use a routing daemon due to the small size of my network, I
> > > > decided to use static routes, in rc.conf I placed the following
> > > > variables:
> > > >
> > > > static_routes="igb1.2 igb1.10"
> > > > route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
> > > > route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
> > > >
> > > > igb1 is assigned to IP/NET 192.168.0.1/24
> > >
> > > Just to be exact, could you show us ifconfig lines from rc.conf as well?
>
> It is common to have something like
>
> cloned_interfaces="igb1.2 igb1.10"
> ifconfig_igb1_2="192.168.2.1/24"
> ifconfig_igb1_10="192.168.10.1/24"
>
> and no static routes as you showed, because an address assigned to an
> interface automatically means a line in the route table; however, they
> should look identical to those shown in your first mail.
>
> > > > netstat -Warn gives me (as dummy, since I have no direct access to
> > > > the box via serial console from the system I write this mail):
> > > >
> > > > Internet:
> > > > Destination        Gateway  Flags     Use    Mtu  Netif
> > > > 127.0.0.1          link#3   UH     334564  16384  lo0
> > > > 192.168.0.0/24     link#4   U       23452   1500  igb1
> > > > 192.168.0.1        link#4   UHS     29734  16384  lo0
> > > > 192.168.2.0/24     link#5   U         271   1500  igb1.2
> > > > 192.168.2.1        link#5   UHS         0  16384  lo0
> > >
> > > I think you did not include network 192.168.10.0/24 on igb1.10...
> >
> > I skipped that, it is quite the same according to the settings of the
> > others and unused for now. So it doesn't matter. But you're right.
> >
> > This was just for the sake of completeness, nothing else.
>
> [ sysctl stuff snipped - not relevant, I think ]
>
> > > > From the routing device itself, it is possible to ssh into a VoIP
> > > > client attached to the switch to which igb1.2 trunks the net.
> > > > Pinging is also possible.
> > > >
> > > > Attached to igb1 is the 192.168.0.1/24 network with a bunch of
> > > > hosts. From any host within this network it is possible to ping
> > > > the 192.168.2.0/24 network and its hosts within, but no SSH, no
> > > > web (80, 443).
> > >
> > > Weird - if icmp (ping) works and tcp (web, ssh) not, something is
> > > filtering traffic. But with net.inet.ip.forwarding=0, even pinging
> > > host should not work. Try tcpdump to see what's going on.
> >
> > net.inet.ip.forwarding works as expected. See above, I confused the
> > OID.
>
> [ snip ]
>
> > > From network architecture view, there is no difference - vlan is
> > > network interface just like physical ethernet. Basically everything
> > > is the same (sometimes there is issue with mtu, but this is hardware
> > > dependent).
> >
> > Yes, so I thought, but as you stated, something is filtering and I
> > have no clue what.
>
> Then I just recommend tcpdump - I would use 'tcpdump -nepi igb1.2 host
> 192.168.0.x and host 192.168.2.y' and 'tcpdump -nepi igb1 host
> 192.168.0.x and host 192.168.2.y' in two sessions and compare outputs
> when pinging from 192.168.0.x to 192.168.2.y and when trying to ssh
> from the former to the latter. Also there is a question then what these
> two devices are, what OS are they running, their network
> configuration... then we can analyse the problem better.
>
> Regards,
> Milan

[...]

Well, some news from a "lost" night at the HomeOfficeFrontier.

I followed the advice given by you (Milan and Freddie), except the tcpdump sessions, because I also had some trouble with the ISP's connection. But:

Having set up the router's interface to igb1.10 (vlan 10) revealed some serious problems with the setup of the switch I use in the HomeOffice. We use mostly Cisco switches. It is easy to assign ports to a certain VLAN and leave them "untagged", but the uplink port (Cisco calls this port trunk port or etherport) has, of course, "tagged" etherframes.

The switch is a Netgear GS110TP, the uplink port is g9 (SFP copper). This tagged port is attached via CAT 6 cable to the igb1 of the router. The router, the FreeBSD 12-CURRENT box in question here, has VLANs 2, 10, 66 and 100 assigned to this port, but I use only 2 and 10 at the moment. vlan 2 is, as explained above, the VoIP network, its switchport is g8 which "must" be tagged to reach the Grandstream VoIP phone, which has 802.1q tag 2.

So, as Freddie Cash suggested, I assigned my native LAN (192.168.0.1/24) to igb1.10 and assigned the uplink port of the switch also to be member of vlan 10 "tagged" and put also the other ports (3 ports) with hosts attached to the net 192.168.0.1/24 into the group of VLAN 10. The moment I put a port with a host in vlan group 10 out of the default group (vlan 1), the host is not reachable anymore.
This confuses me and I think the problem is more related to the weird Netgear stuff than FreeBSD. At least, the router should send ICMP packages tagged with vlan 10 via the trunk port to its vlan 10-grouped (untagged) ports, on which a FreeBSD host is listening with an interface not assigned to a vlan. I have not checked what happens if the one host of this group has its NIC put into the vlan 10. There is probably a different handling of Ingress and Egress etherframes on that Netgear GS110TP switch which I have not thought of.

Anyway, thank you very much for helping.

Kind regards,
Oliver
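As an added example that is not part of the thread, here is a small Python check of Milan's point: an address in an ifconfig_* line already gives the kernel a connected route, so the static_routes entries quoted above only duplicate it, while any ifconfig_* network that is missing from netstat -Warn (igb1.10 in the table quoted above) gets flagged. The rc.conf and netstat contents are constructed from the lines quoted in this thread.

```python
import ipaddress
import re

# Constructed sample: rc.conf lines from the thread plus Milan's suggested ifconfig_* lines.
RC_CONF = """cloned_interfaces="igb1.2 igb1.10"
ifconfig_igb1="192.168.0.1/24"
ifconfig_igb1_2="192.168.2.1/24"
ifconfig_igb1_10="192.168.10.1/24"
static_routes="igb1.2 igb1.10"
route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
"""

# Constructed sample: the netstat -Warn rows from the thread (no igb1.10 route present).
NETSTAT = """Destination        Gateway  Flags     Use    Mtu  Netif
192.168.0.0/24     link#4   U       23452   1500  igb1
192.168.0.1        link#4   UHS     29734  16384  lo0
192.168.2.0/24     link#5   U         271   1500  igb1.2
"""

def parse_rc_conf(text):
    """Return {variable: value} for simple VAR="value" lines."""
    return dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))

def connected_routes(text):
    """Return {network: netif} for flag 'U' rows, i.e. directly connected networks."""
    routes = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[2] == "U" and "/" in f[0]:
            routes[ipaddress.ip_network(f[0])] = f[5]
    return routes

def check(rc_text, netstat_text):
    """Return (missing, redundant): ifconfig_ networks lacking a connected route,
    and static -net routes that only duplicate a connected route."""
    rc, routes = parse_rc_conf(rc_text), connected_routes(netstat_text)
    missing, redundant = [], []
    for var in [v for v in rc if v.startswith("ifconfig_")]:
        ifname = var[len("ifconfig_"):].replace("_", ".")   # ifconfig_igb1_2 -> igb1.2
        net = ipaddress.ip_interface(rc[var]).network
        if routes.get(net) != ifname:
            missing.append((ifname, str(net)))
    for ifname in rc.get("static_routes", "").split():
        key = ifname.replace(".", "_")
        m = re.match(r"-net (\S+) -interface", rc.get("route_" + key, ""))
        addr = rc.get("ifconfig_" + key)
        if m and addr and ipaddress.ip_interface(addr).network == ipaddress.ip_network(m.group(1)):
            redundant.append(ifname)
    return missing, redundant
```

On a live box the two inputs would come from /etc/rc.conf and the output of netstat -Warn; a missing entry means the interface never got its address, a redundant entry can simply be dropped from static_routes.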