From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: "O. Hartmann", FreeBSD CURRENT <freebsd-current@freebsd.org>, FreeBSD Questions
Subject: Re: Inter-VLAN routing on CURRENT: any known issues?
Date: Thu, 13 Jul 2017 16:12:06 +0300
In-Reply-To: <20170712214334.4fc97335@thor.intern.walstatt.dynvpn.de>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.0.1

On 12.07.2017 22:43, O. Hartmann wrote:
> Now the FUN PART:
>
> From any host in any VLAN I'm able to ping hosts on the wild internet via their IP, on
> VLAN 1000 there is a DNS running, so I'm also able to resolve names like google.com or
> FreeBSD.org. But I can NOT(!) access any host via http/www or ssh.

You have not specified where the NAT is configured, and its settings matter.

VLANs work on layer 2; they are not used for IP routing. Each received packet loses its layer-2 header before it is taken by the IP stack. If an IP packet should be routed, the IP stack determines the outgoing interface, and a new Ethernet header with the VLAN header from this interface is prepended.

What I would do in your place:

1. Check the correctness of the switch settings.
 - On the router, use tcpdump on each vlan interface and also directly on igb1. Use the -e argument to see the Ethernet header. Try to ping the router's IP address from each vlan; you should see tagged packets on igb1 and untagged packets on the corresponding vlan interface.

2. Check the correctness of the routing settings for each used node.
 - To be able to establish a connection from one vlan to another, both nodes must have a route to each other.

3. Check the NAT settings.
 - To be able to connect to the Internet from your addresses, you must use NAT. If you don't have NAT, but it somehow works, this means that some device does the translation for you, but its configuration does not meet your requirements. And probably you need to translate the prefixes configured for your vlans independently.

-- 
WBR, Andrey V. Elsukov
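Added example, not code from the mail above and not FreeBSD's vlan(4) or routing code: a toy model of the three checks in the reply. A tagged frame arrives on the trunk (igb1 in the thread), the 802.1Q header is stripped before the IP stack sees the packet, the destination is looked up in a routing table, and a fresh layer-2 header carrying the egress VLAN's tag is prepended. Traffic leaving for the Internet gets its source address translated per VLAN prefix, as step 3 suggests. Everything except the name igb1 is an assumption: the VLAN IDs 10 and 20, the 10.x prefixes, the uplink name igb0, the 198.51.100.x NAT addresses, the MAC addresses and the sample frame are all constructed for the illustration.

```python
# Added example (not from the original mail or from FreeBSD). Interface names
# other than igb1, VLAN IDs, prefixes, MACs and the sample frame are constructed.
import ipaddress
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, vlan_id or None, ethertype, payload).

    On the trunk (igb1) the frame carries a 4-byte 802.1Q tag; on the vlan(4)
    interface the tag is already gone. That difference is what `tcpdump -e` shows.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18   # low 12 bits of the TCI are the VID
    return dst, src, vlan_id, ethertype, frame[offset:]


def build_frame(dst, src, vlan_id, ethertype, payload):
    """Prepend a fresh layer-2 header; add an 802.1Q tag only when vlan_id is set."""
    header = dst + src
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header with the checksum field zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def make_ipv4(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header, no payload (constructed sample input)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


# Constructed routing table: prefix -> (egress interface, VLAN ID or None if untagged).
ROUTES = {
    ipaddress.ip_network("10.10.0.0/24"):  ("vlan10", 10),
    ipaddress.ip_network("10.20.0.0/24"):  ("vlan20", 20),
    ipaddress.ip_network("10.100.0.0/24"): ("vlan1000", 1000),
    ipaddress.ip_network("0.0.0.0/0"):     ("igb0", None),   # assumed untagged uplink
}

# Step 3 of the reply: each VLAN prefix is translated independently on the uplink.
NAT_SOURCE = {
    ipaddress.ip_network("10.10.0.0/24"): ipaddress.IPv4Address("198.51.100.10"),
    ipaddress.ip_network("10.20.0.0/24"): ipaddress.IPv4Address("198.51.100.20"),
}


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match; None is the step-2 failure in the reply (no route)."""
    matches = [(n, hop) for n, hop in routes.items() if dst in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def route_frame(frame, router_mac, next_hop_mac, routes=ROUTES):
    """Decapsulate, route, source-NAT if leaving via the uplink, re-encapsulate.

    Returns (ingress_vlan, egress_ifname, egress_frame); the last two are None
    when no route exists.
    """
    _dst, _src, in_vlan, ethertype, packet = parse_frame(frame)
    if ethertype != ETHERTYPE_IPV4 or len(packet) < 20:
        raise ValueError("only IPv4 is handled in this example")
    # From here on the ingress layer-2 header, tag included, no longer exists.
    src_ip = ipaddress.IPv4Address(packet[12:16])
    dst_ip = ipaddress.IPv4Address(packet[16:20])
    hop = lookup_route(dst_ip, routes)
    if hop is None:
        return in_vlan, None, None
    ifname, out_vlan = hop
    if ifname == "igb0":   # Internet-bound: translate the source per VLAN prefix
        for net, ext in NAT_SOURCE.items():
            if src_ip in net:
                ihl = (packet[0] & 0x0F) * 4
                packet = packet[:12] + ext.packed + packet[16:]
                packet = packet[:10] + struct.pack("!H", ipv4_checksum(packet[:ihl])) + packet[12:]
                break
    # The new header is built from the egress interface, not copied from ingress.
    return in_vlan, ifname, build_frame(next_hop_mac, router_mac, out_vlan, ETHERTYPE_IPV4, packet)


ROUTER_MAC = bytes.fromhex("020000000001")   # constructed
HOST_A_MAC = bytes.fromhex("02000000000a")   # constructed
HOST_B_MAC = bytes.fromhex("02000000000b")   # constructed

# Host A on VLAN 10 sends to host B on VLAN 20; this is what trunk igb1 receives.
SAMPLE_TRUNK_FRAME = build_frame(ROUTER_MAC, HOST_A_MAC, 10, ETHERTYPE_IPV4,
                                 make_ipv4("10.10.0.5", "10.20.0.7"))

if __name__ == "__main__":
    in_vlan, ifname, out = route_frame(SAMPLE_TRUNK_FRAME, ROUTER_MAC, HOST_B_MAC)
    print("ingress VLAN", in_vlan, "-> egress", ifname, "VID", parse_frame(out)[2])
```

Reading the model against the checks in the mail: `parse_frame` on the trunk frame returns a VID and on the vlan-interface view returns None, which is the tagged/untagged difference step 1 asks you to confirm with `tcpdump -e`; a destination with no matching prefix makes `route_frame` return no egress frame, the step-2 condition; and only the uplink path rewrites the source address, so a VLAN prefix missing from `NAT_SOURCE` would leave the Internet with an unroutable private source, which is the step-3 symptom of "ping works, TCP does not" when some other device translates only part of your address space.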