From owner-freebsd-net@FreeBSD.ORG Wed Apr 20 16:00:22 2011
Date: Wed, 20 Apr 2011 16:00:22 GMT
Message-Id: <201104201600.p3KG0MTA037994@freefall.freebsd.org>
To: freebsd-net@FreeBSD.org
From: Thomas Johnson
Subject: re: kern/156408: [vlan] Routing failure when using VLANs vs. Physical ethernet interfaces.
List-Id: Networking and TCP/IP with FreeBSD

The following reply was made to PR kern/156408; it has been noted by GNATS.

From: Thomas Johnson
To: bug-followup@FreeBSD.org, tom@claimlynx.com
Subject: re: kern/156408: [vlan] Routing failure when using VLANs vs. Physical ethernet interfaces.
Date: Wed, 20 Apr 2011 10:21:27 -0500

After further investigation, I have learned some new information that may or may not be useful.
Although I am able to connect from a host on the office lan over the bridge to hosts on the data center lan, the firewall itself is unable to connect to these same hosts. This can be corrected by adding host static routes to the firewall in the same manner as I described in my initial PR. This behavior appears to be a result of the 172.31.0.0/16 route pointing at the vlan500 interface, as I see ARP requests for dc hosts leave the firewall on the local lan (vlan500).

By comparison, my existing/old firewall has a matching route for 172.31.0.0/16 pointing at the local lan (in that case, the lan is a physical adapter, not a vlan). Connections from the firewall to hosts at the dc lan work correctly, and I see ARP requests on both the lan interface and the vpn tap interface.

--
Thomas Johnson
ClaimLynx, Inc.
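The mechanism behind the workaround in the reply above (a /32 host static route overriding a covering /16 route and thereby changing which interface the ARP request leaves on) is longest-prefix match in the routing table. The following is an added Python model of that lookup, written for this page; it is not code from the PR or from FreeBSD. The 172.31.0.0/16 -> vlan500 entry and the vlan500 name come from the message; the interface names em0 and tap0, the other prefixes, the gateway and the host address 172.31.1.10 are constructed assumptions for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    """One routing-table entry. gateway=None means the prefix is directly
    connected on iface, so the kernel ARPs for the destination itself."""
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: of all entries whose prefix covers dst, return the
    one with the longest prefix length. A /32 host route therefore always wins
    over a covering /16, which is why the host routes in the PR take effect."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def arp_interface(table: List[Route], dst: str) -> Optional[str]:
    """Interface on which an ARP request for dst would be sent. For a
    directly connected route that is the route's own interface; for a gateway
    route it is the interface that reaches the gateway (next hop)."""
    route = lookup(table, dst)
    if route is None:
        return None
    if route.gateway is None:
        return route.iface
    via = lookup(table, route.gateway)
    return via.iface if via is not None else None


def add_host_route(table: List[Route], host: str, iface: str) -> List[Route]:
    """Return a copy of table with a /32 route for host on iface, the manual
    workaround described in the PR."""
    return table + [Route(ipaddress.IPv4Network(f"{host}/32"), iface)]


# Constructed table for illustration. The 172.31.0.0/16 -> vlan500 entry is the
# one the PR describes; 'em0', 'tap0', the other prefixes, the gateway and the
# host address 172.31.1.10 are assumptions made for this example.
FIREWALL_TABLE = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "em0", gateway="192.0.2.1"),
    Route(ipaddress.IPv4Network("192.0.2.0/24"), "em0"),
    Route(ipaddress.IPv4Network("10.0.0.0/24"), "vlan500"),
    Route(ipaddress.IPv4Network("172.31.0.0/16"), "vlan500"),
]

DC_HOST = "172.31.1.10"
FIXED_TABLE = add_host_route(FIREWALL_TABLE, DC_HOST, "tap0")


if __name__ == "__main__":
    print("before:", arp_interface(FIREWALL_TABLE, DC_HOST))        # vlan500
    print("after: ", arp_interface(FIXED_TABLE, DC_HOST))           # tap0
    print("other: ", arp_interface(FIXED_TABLE, "172.31.1.11"))     # vlan500
    print("inet:  ", arp_interface(FIXED_TABLE, "198.51.100.7"))    # em0
```

The model shows why the host route fixes only the hosts it names: 172.31.1.11 still matches the /16 and still ARPs on vlan500, so each data center host the firewall itself must reach needs its own /32 entry, as the reply says.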