Date:      Fri, 14 Jul 2017 15:00:30 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        "O. Hartmann" <o.hartmann@walstatt.org>, FreeBSD CURRENT <freebsd-current@freebsd.org>
Cc:        "O. Hartmann" <ohartmann@walstatt.org>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Inter-VLAN routing on CURRENT: any known issues?
Message-ID:  <ca7a9e76-9ca3-33f9-c1ef-4c0afd0761ff@yandex.ru>
In-Reply-To: <20170713211004.13492aef@thor.intern.walstatt.dynvpn.de>
References:  <20170712214334.4fc97335@thor.intern.walstatt.dynvpn.de> <c9679df1-e809-3d2b-9432-88664aae3b0a@yandex.ru> <20170713211004.13492aef@thor.intern.walstatt.dynvpn.de>

On 14.07.2017 14:42, O. Hartmann wrote:
> I use in-kernel NAT. IPFW is performing NAT. In firewall type "OPEN" from the
> vanilla rc.conf, IPFW has instance "nat 123" which then provides NAT.

I have never used the default config types for the firewall, so it would be nice
to see what rules you have:

# ipfw show
# ipfw nat show config

>> VLANs work on the layer2
> According to 1):
> 
> I consider the settings of the switch now as correct. I have no access to the
> router right now. But I did short experiments yesterday evening and it is
> weird: logged in on the router, I can ping every host on any VLAN, so ICMP
> travels from the router the right way to its destination and back.
> 
> From any host on any VLAN that is "trunked" through the router, I can ping any
> other host on any other VLAN, preferably not on the same VLAN. By cutting off
> the trunk line to the router, pinging stops immediately.
> 
> From any host on any VLAN I can ping any host which is NATed on the outside
> world.
> 
> From the router itself, I can ssh into any host on any VLAN providing ssh
> service. That said, according to question 3), NAT is considered to be set up
> correctly.
> 
> Now the strange things: Neither UDP nor TCP services "flow" from hosts on one
> VLAN to hosts on a different VLAN. Even ssh doesn't work.
> When logged in on the router, I can't "traceroute" any host on any VLAN.

This is most likely due to a problem with the firewall rules.
If you set net.inet.ip.firewall.enable=0, does it solve the problem with
TCP/UDP between hosts on different VLANs?

> According to question 2), the ability to ping from, say, a host on VLAN 1000 to
> another host on VLAN 2 passing through the router would indicate that both
> sides know their routes to each other. Or am I wrong?

Yes.

> I got word from Sean Bruno that there might be a problem with the Intel i210
> chipset in recent CURRENT - and the hardware on the PCEngine APU 2C4 is three
> i210. I'm aware of the problem since r320134 (the oldest CURRENT I started
> experimenting with the VLAN trunking on).

These are very strange problems: why does ICMP work, but TCP/UDP does not? :)
You can try to disable any type of offloading for the card. There were
some problems in the past with checksum offloading that may lead to
problems with TCP, but this usually should be noticeable in the tcpdump
output.

-- 
WBR, Andrey V. Elsukov
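
Added example (not part of the thread and not code from the FreeBSD project): a POSIX sh helper for the "disable any type of offloading" test suggested above. It takes the options line of a FreeBSD ifconfig(8) report for one interface, lists which hardware offloads (IPv4/IPv6 checksum, TSO, LRO, VLAN hardware tagging/checksum/TSO) are enabled, and prints the single ifconfig command that switches them all off, so the tcpdump comparison before and after is made against a known interface state. The ifconfig knob names are the real FreeBSD ones; the sample ifconfig output, the interface name igb0 and the options value in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD project.
# Given ifconfig(8) output for one interface, report which hardware offloads
# are enabled and build the ifconfig command that disables them for a test.
# The ifconfig(8) flags (-rxcsum, -tso4, -lro, -vlanhwtag, ...) are the real
# FreeBSD ones; the sample output below and the name igb0 are constructed.

# Constructed sample in the shape of `ifconfig igb0` on a FreeBSD host.
SAMPLE_IFCONFIG='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6525bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:00:5e:00:53:01
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active'

# Map an options<> capability name to the ifconfig knob that turns it off.
# Capabilities that are not offloads (VLAN_MTU, JUMBO_MTU, WOL_*) fall through.
offload_knob() {
    case "$1" in
        RXCSUM)         printf '%s\n' "-rxcsum" ;;
        TXCSUM)         printf '%s\n' "-txcsum" ;;
        RXCSUM_IPV6)    printf '%s\n' "-rxcsum6" ;;
        TXCSUM_IPV6)    printf '%s\n' "-txcsum6" ;;
        TSO4)           printf '%s\n' "-tso4" ;;
        TSO6)           printf '%s\n' "-tso6" ;;
        LRO)            printf '%s\n' "-lro" ;;
        VLAN_HWCSUM)    printf '%s\n' "-vlanhwcsum" ;;
        VLAN_HWTSO)     printf '%s\n' "-vlanhwtso" ;;
        VLAN_HWTAGGING) printf '%s\n' "-vlanhwtag" ;;
        *)              return 1 ;;
    esac
}

# enabled_offloads TEXT: print, one per line, the enabled offload capabilities
# found in the options=...<...> line of TEXT (ifconfig output for one interface).
enabled_offloads() {
    printf '%s\n' "$1" \
        | sed -n 's/.*options=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' \
        | tr ',' '\n' \
        | while read -r opt; do
              if offload_knob "$opt" >/dev/null; then
                  printf '%s\n' "$opt"
              fi
          done
}

# disable_offloads_cmd IFNAME TEXT: print the ifconfig command that switches
# every enabled offload off, or a comment line when there is nothing to change.
disable_offloads_cmd() {
    knobs=$(enabled_offloads "$2" | while read -r opt; do offload_knob "$opt"; done | tr '\n' ' ')
    knobs=${knobs% }
    if [ -z "$knobs" ]; then
        printf '%s\n' "# $1: no hardware offloads enabled, nothing to disable"
    else
        printf '%s\n' "ifconfig $1 $knobs"
    fi
}

# Stand-alone run: show the plan for the constructed sample.
printf '%s\n' "Enabled offloads on igb0:"
enabled_offloads "$SAMPLE_IFCONFIG"
disable_offloads_cmd igb0 "$SAMPLE_IFCONFIG"
```

On the router itself the call would be `disable_offloads_cmd igb0 "$(ifconfig igb0)"` for the trunk NIC; the point of printing the command rather than running it is that the change is reviewed first and can be reverted with the matching positive flags, and a tcpdump of TCP traffic taken before and after gives the comparison Andrey asks for.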

