Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 16 Jul 2017 23:05:14 +0200
From:      "O. Hartmann" <ohartmann@walstatt.org>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc:        FreeBSD CURRENT <freebsd-current@freebsd.org>, "O. Hartmann" <ohartmann@walstatt.org>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Inter-VLAN routing on CURRENT: any known issues?
Message-ID:  <20170716230514.0c2e5c65@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <ca7a9e76-9ca3-33f9-c1ef-4c0afd0761ff@yandex.ru>
References:  <20170712214334.4fc97335@thor.intern.walstatt.dynvpn.de> <c9679df1-e809-3d2b-9432-88664aae3b0a@yandex.ru> <20170713211004.13492aef@thor.intern.walstatt.dynvpn.de> <ca7a9e76-9ca3-33f9-c1ef-4c0afd0761ff@yandex.ru>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
--Sig_/3qsbMR6CK7Fssjmpq_roxte
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Am Fri, 14 Jul 2017 15:00:30 +0300
"Andrey V. Elsukov" <bu7cher@yandex.ru> schrieb:

> On 14.07.2017 14:42, O. Hartmann wrote:
> > I use in-kernel NAT. IPFW is performing NAT. In firewall type "OPEN" fr=
om the
> > vanilla rc.conf, IPFW has instance "nat 123" which provides then NAT. =
=20
>=20
> I never used default config types for firewall, so, it would be nice to
> see what rules do you have.
>=20
> # ipfw show
> # ipfw nat show config
>=20
> >> VLANs work on the layer2 =20
> > According to 1):
> >=20
> > I consider the settings of the switch now as correct. I have no access =
to the
> > router right now. But I did short experiments yesterday evening and it =
is
> > weird: loged in on thr router, I can ping every host on any VLAN, so IC=
MP
> > travel from the router the right way to its destination and back.
> >=20
> > From any host on any VLAN that is "trunked" through the router, I can p=
ing any
> > other host on any other VLAN, preferrably not on the same VLAN. By cutt=
ing off
> > the trunk line to the router, pinging stops immediately.
> >=20
> > From any host on any VLAN I can ping any host which is NATed on the out=
side
> > world.
> >=20
> > From the router itself, I can ssh into any host on any VLAN providing s=
sh
> > service. That said, according to question 3), NAT is considered to be s=
etup
> > correctly.
> >=20
> > Now the strange things: Neither UDP, nor TCP services "flow" from hosts=
 on one
> > VLAN to hosts on a different VLAN. Even ssh doens't work.=20
> > When loged in onto the router, I can't "traceroute" any host on any VLA=
N. =20
>=20
> This is most likely due to the problem with firewall rules.
> If you set net.inet.ip.firewall.enable=3D0, does it solve the problem with
> TCP/UDP between hosts on a different VLANs?
>=20
> > According to question 2), the ability to ping from, say, a host on VLAN=
 1000 to
> > another host on VLAN 2 passing through the router would indicate that b=
oth
> > sides know their routes to each other. Or am I wrong? =20
>=20
> Yes.
>=20
> > I got words from Sean bruno that there might be a problem with the Inte=
l i210
> > chipset in recent CURRENT - and the hardware on the PCEngine APU 2C4 is=
 three
> > i210. I'm aware of the problem since r320134 (the oldest CURRENT I star=
ted
> > experimenting with the VLAN trunking). =20
>=20
> It is very strange problems, why ICMP works, but TCP/UDP does not? :)
> You can try to disable any type of offloading for the card, there were
> some problems in the past with checksum offlading, that may lead to the
> problems with TCP, but this usually should be noticeable in the tcpdump
> output.
>=20

I have not have any success on this and I must ask now, to not make a fool =
out of my
self, whether the concept of having several vlan over one single NIC is pos=
sible with
FreeBSD (12-CURRENT, as of today, r321055.

Since it is even not possible to "route" from a non-tagged igb1 to a tagged=
 vlan igb1.2
or igb1.66 (for instance) on the same NIC, I have a faint suspect that I'm =
doing
something terribly wrong.

I think everyone working with vlan should have those problems, but since I =
can not find
anything on the list, I must do something wrong - my simple conclusion.

What is it?

--=20
O. Hartmann

Ich widerspreche der Nutzung oder =C3=9Cbermittlung meiner Daten f=C3=BCr
Werbezwecke oder f=C3=BCr die Markt- oder Meinungsforschung (=C2=A7 28 Abs.=
 4 BDSG).

--Sig_/3qsbMR6CK7Fssjmpq_roxte
Content-Type: application/pgp-signature
Content-Description: OpenPGP digital signature

-----BEGIN PGP SIGNATURE-----

iLUEARMKAB0WIQQZVZMzAtwC2T/86TrS528fyFhYlAUCWWvVCgAKCRDS528fyFhY
lAl3Af0XWwi6ukI4Mjcqly58kMFC16v84uUwL1TO4j0Y3mSnpcqCnKwPymqioc4l
VWlZHt48wol9w/xQsqjA6D0Xn9E7Af9s5YSNQBMb0VCVjr5ocbVx5uY2zyndzWh9
mc6J/gb41XR4sEF5/jm3DIWYnHoU8QTvdukbIpS2oJ8xPLn1VjwP
=pHUN
-----END PGP SIGNATURE-----

--Sig_/3qsbMR6CK7Fssjmpq_roxte--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20170716230514.0c2e5c65>