Date:      Sun, 16 Jul 2017 23:05:14 +0200
From:      "O. Hartmann" <ohartmann@walstatt.org>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc:        FreeBSD CURRENT <freebsd-current@freebsd.org>, "O. Hartmann" <ohartmann@walstatt.org>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Inter-VLAN routing on CURRENT: any known issues?
Message-ID:  <20170716230514.0c2e5c65@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <ca7a9e76-9ca3-33f9-c1ef-4c0afd0761ff@yandex.ru>
References:  <20170712214334.4fc97335@thor.intern.walstatt.dynvpn.de> <c9679df1-e809-3d2b-9432-88664aae3b0a@yandex.ru> <20170713211004.13492aef@thor.intern.walstatt.dynvpn.de> <ca7a9e76-9ca3-33f9-c1ef-4c0afd0761ff@yandex.ru>

On Fri, 14 Jul 2017 15:00:30 +0300
"Andrey V. Elsukov" <bu7cher@yandex.ru> wrote:

> On 14.07.2017 14:42, O. Hartmann wrote:
> > I use in-kernel NAT. IPFW is performing NAT. In firewall type "OPEN" from the
> > vanilla rc.conf, IPFW has instance "nat 123" which then provides NAT.
>
> I never used default config types for firewall, so it would be nice to
> see what rules you have.
>
> # ipfw show
> # ipfw nat show config
>
> >> VLANs work on the layer2
> > According to 1):
> >
> > I consider the settings of the switch now as correct. I have no access to the
> > router right now. But I did short experiments yesterday evening and it is
> > weird: logged in on the router, I can ping every host on any VLAN, so ICMP
> > travels from the router the right way to its destination and back.
> >
> > From any host on any VLAN that is "trunked" through the router, I can ping any
> > other host on any other VLAN, preferably not on the same VLAN. By cutting off
> > the trunk line to the router, pinging stops immediately.
> >
> > From any host on any VLAN I can ping any host which is NATed on the outside
> > world.
> >
> > From the router itself, I can ssh into any host on any VLAN providing ssh
> > service. That said, according to question 3), NAT is considered to be set up
> > correctly.
> >
> > Now the strange things: Neither UDP nor TCP services "flow" from hosts on one
> > VLAN to hosts on a different VLAN. Even ssh doesn't work.
> > When logged in on the router, I can't "traceroute" any host on any VLAN.
>
> This is most likely due to a problem with firewall rules.
> If you set net.inet.ip.firewall.enable=0, does it solve the problem with
> TCP/UDP between hosts on different VLANs?
>
> > According to question 2), the ability to ping from, say, a host on VLAN 1000 to
> > another host on VLAN 2 passing through the router would indicate that both
> > sides know their routes to each other. Or am I wrong?
>
> Yes.
>
> > I got word from Sean Bruno that there might be a problem with the Intel i210
> > chipset in recent CURRENT - and the hardware on the PCEngine APU 2C4 is three
> > i210. I'm aware of the problem since r320134 (the oldest CURRENT I started
> > experimenting with the VLAN trunking).
>
> These are very strange problems: why does ICMP work, but TCP/UDP does not? :)
> You can try to disable any type of offloading for the card; there were
> some problems in the past with checksum offloading that may lead to
> problems with TCP, but this usually should be noticeable in the tcpdump
> output.
>

I have not had any success on this and I must ask now, so as not to make a fool out of
myself, whether the concept of having several VLANs over one single NIC is possible with
FreeBSD (12-CURRENT, as of today, r321055).

Since it is not even possible to "route" from a non-tagged igb1 to a tagged vlan igb1.2
or igb1.66 (for instance) on the same NIC, I have a faint suspicion that I'm doing
something terribly wrong.

I think everyone working with vlan should have those problems, but since I cannot find
anything on the list, I must be doing something wrong - my simple conclusion.

What is it?

-- 
O. Hartmann

I object to the use or transmission of my data for advertising purposes or for
market or opinion research (§ 28 para. 4 BDSG).
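Andrey's suggestion above is to rule out NIC offloading before chasing the inter-VLAN TCP/UDP failure further. The script below is an added example and not part of this thread or of FreeBSD: it reads `ifconfig` output, collects the offload capabilities still enabled on one named interface (parent or VLAN child), and prints the `ifconfig` command that disables them, leaving VLAN tagging itself untouched. The interface names and the embedded sample `ifconfig` output are constructed; the flag names are the standard ifconfig(8) ones.

```shell
#!/bin/sh
# Added example (not from the thread): parse the options=<...> line of
# `ifconfig` output and print the command that turns off every offload
# feature still enabled on one interface, so inter-VLAN TCP/UDP can be
# retested with NIC offloading ruled out. Sample output below is constructed.
# Map a capability name to the ifconfig flag that disables it; capabilities
# unrelated to offloading (VLAN_MTU, VLAN_HWTAGGING, ...) are left alone.
offload_flag() {
    case "$1" in
        RXCSUM)      printf '%s\n' -rxcsum ;;
        TXCSUM)      printf '%s\n' -txcsum ;;
        RXCSUM_IPV6) printf '%s\n' -rxcsum6 ;;
        TXCSUM_IPV6) printf '%s\n' -txcsum6 ;;
        TSO4)        printf '%s\n' -tso4 ;;
        TSO6)        printf '%s\n' -tso6 ;;
        LRO)         printf '%s\n' -lro ;;
        VLAN_HWCSUM) printf '%s\n' -vlanhwcsum ;;
        VLAN_HWTSO)  printf '%s\n' -vlanhwtso ;;
    esac
}
# Read `ifconfig` output on stdin; print "ifconfig <if> -flag ..." for the
# named interface, or nothing when no offload feature is enabled on it.
offload_disable_cmd() {
    ifn="$1"
    caps=$(awk -v ifn="$ifn" '
        $1 == (ifn ":") { inside = 1; next }   # header line of our interface
        /^[^ \t]/       { inside = 0 }         # header line of another one
        inside && /options=/ {
            sub(/.*options=[0-9a-fA-F]*</, ""); sub(/>.*/, "")
            gsub(/,/, " "); print
        }')
    flags=""
    for cap in $caps; do
        f=$(offload_flag "$cap")
        [ -n "$f" ] && flags="$flags $f"
    done
    if [ -n "$flags" ]; then
        printf '%s\n' "ifconfig $ifn$flags"
    fi
}
# Constructed sample: parent igb1 with all offloading on, VLAN child igb1.2.
SAMPLE_IFCONFIG='igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
igb1.2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=3<RXCSUM,TXCSUM>
    vlan: 2 vlanpcp: 0 parent interface: igb1'
printf '%s\n' "$SAMPLE_IFCONFIG" | offload_disable_cmd igb1
printf '%s\n' "$SAMPLE_IFCONFIG" | offload_disable_cmd igb1.2
```

On the router itself, pipe the real output in with `ifconfig igb1 | offload_disable_cmd igb1`, run the printed command, and repeat the TCP/UDP test between VLANs while capturing with tcpdump; if the checksums were the problem, the change is visible there.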



