From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: "O. Hartmann", FreeBSD CURRENT
Cc: "O. Hartmann", FreeBSD Questions
Date: Fri, 14 Jul 2017 15:00:30 +0300
Subject: Re: Inter-VLAN routing on CURRENT: any known issues?
References: <20170712214334.4fc97335@thor.intern.walstatt.dynvpn.de> <20170713211004.13492aef@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <20170713211004.13492aef@thor.intern.walstatt.dynvpn.de>

On 14.07.2017 14:42, O. Hartmann wrote:
> I use in-kernel NAT. IPFW is performing NAT. In firewall type "OPEN" from the
> vanilla rc.conf, IPFW has instance "nat 123" which provides then NAT.

I never used default config types for the firewall, so it would be nice to see what rules you have.

# ipfw show
# ipfw nat show config

>> VLANs work on the layer2
> According to 1):
>
> I consider the settings of the switch now as correct. I have no access to the
> router right now. But I did short experiments yesterday evening and it is
> weird: logged in on the router, I can ping every host on any VLAN, so ICMP
> travels from the router the right way to its destination and back.
>
> From any host on any VLAN that is "trunked" through the router, I can ping any
> other host on any other VLAN, preferably not on the same VLAN. By cutting off
> the trunk line to the router, pinging stops immediately.
>
> From any host on any VLAN I can ping any host which is NATed on the outside
> world.
>
> From the router itself, I can ssh into any host on any VLAN providing ssh
> service. That said, according to question 3), NAT is considered to be set up
> correctly.
>
> Now the strange things: Neither UDP, nor TCP services "flow" from hosts on one
> VLAN to hosts on a different VLAN. Even ssh doesn't work.
> When logged in onto the router, I can't "traceroute" any host on any VLAN.

This is most likely due to a problem with the firewall rules. If you set
net.inet.ip.firewall.enable=0, does it solve the problem with TCP/UDP between
hosts on different VLANs?

> According to question 2), the ability to ping from, say, a host on VLAN 1000 to
> another host on VLAN 2 passing through the router would indicate that both
> sides know their routes to each other. Or am I wrong?

Yes.

> I got words from Sean Bruno that there might be a problem with the Intel i210
> chipset in recent CURRENT - and the hardware on the PCEngine APU 2C4 is three
> i210. I'm aware of the problem since r320134 (the oldest CURRENT I started
> experimenting with the VLAN trunking).

It is a very strange problem: why does ICMP work, but TCP/UDP does not? :)
You can try to disable any type of offloading for the card. There were some
problems in the past with checksum offloading that may lead to problems with
TCP, but this usually should be noticeable in the tcpdump output.

-- 
WBR, Andrey V. Elsukov
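Andrey's last suggestion, turning off hardware offloading on the NIC before re-testing TCP/UDP across the VLANs, is easy to do inconsistently by hand when a card exposes many capabilities. The script below is an added example for this thread, not part of the mail and not FreeBSD project code: given the `options=...<FLAG,...>` line that FreeBSD `ifconfig` prints for an interface, it lists the offload capabilities that are currently enabled and builds the single `ifconfig` command that switches them all off. The interface name `igb0` and the sample options line are constructed for the example; the capability names and their lower-case `ifconfig(8)` parameter names (rxcsum, txcsum, tso4, tso6, lro, vlanhwcsum, vlanhwtso, rxcsum6, txcsum6) are the standard ones.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): derive the ifconfig
# command that disables every enabled hardware offload on an interface,
# so inter-VLAN TCP/UDP can be re-tested with offloading out of the picture.

# Offload capabilities this script knows how to turn off. VLAN_HWTAGGING is
# deliberately not listed: it only moves 802.1Q tag insertion/stripping to
# hardware and does no checksum or segmentation work.
OFFLOAD_FLAGS="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO VLAN_HWCSUM VLAN_HWTSO"

# Constructed sample of the options line "ifconfig igb0" might print for an
# Intel i210 (igb driver). Replace it with real output on the router.
SAMPLE_IFACE="igb0"
SAMPLE_OPTIONS='options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>'

# enabled_offloads OPTIONS_LINE
#   Prints the enabled capabilities that are offloads, space separated,
#   in the order ifconfig listed them.
enabled_offloads() {
    flags=$(printf '%s\n' "$1" | sed -n 's/.*<\(.*\)>.*/\1/p' | tr ',' ' ')
    out=""
    for f in $flags; do
        case " $OFFLOAD_FLAGS " in
            *" $f "*) out="$out $f" ;;
        esac
    done
    printf '%s' "${out# }"
}

# flag_to_arg FLAG
#   Maps a capability name to the ifconfig(8) parameter that controls it.
flag_to_arg() {
    case "$1" in
        RXCSUM)      printf '%s' rxcsum ;;
        TXCSUM)      printf '%s' txcsum ;;
        RXCSUM_IPV6) printf '%s' rxcsum6 ;;
        TXCSUM_IPV6) printf '%s' txcsum6 ;;
        TSO4)        printf '%s' tso4 ;;
        TSO6)        printf '%s' tso6 ;;
        LRO)         printf '%s' lro ;;
        VLAN_HWCSUM) printf '%s' vlanhwcsum ;;
        VLAN_HWTSO)  printf '%s' vlanhwtso ;;
        *)           return 1 ;;
    esac
}

# disable_cmd IFACE OPTIONS_LINE
#   Prints one ifconfig command that disables all enabled offloads.
disable_cmd() {
    cmd="ifconfig $1"
    for f in $(enabled_offloads "$2"); do
        cmd="$cmd -$(flag_to_arg "$f")"
    done
    printf '%s' "$cmd"
}

echo "Enabled offloads on $SAMPLE_IFACE: $(enabled_offloads "$SAMPLE_OPTIONS")"
echo "To disable them:  $(disable_cmd "$SAMPLE_IFACE" "$SAMPLE_OPTIONS")"
```

Run the printed command as root, re-test ssh between two VLANs, and, as the mail suggests, compare with a tcpdump capture on the trunk interface: if the symptoms change or bad checksums stop appearing once offloading is off, the offload path is where to keep looking; if nothing changes, the firewall rules from `ipfw show` are the more likely cause.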