From owner-freebsd-net@FreeBSD.ORG Mon Apr 13 20:09:35 2009
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6CB141065670 for ; Mon, 13 Apr 2009 20:09:35 +0000 (UTC) (envelope-from sthaug@nethelp.no)
Received: from bizet.nethelp.no (bizet.nethelp.no [195.1.209.33]) by mx1.freebsd.org (Postfix) with SMTP id C50A88FC1A for ; Mon, 13 Apr 2009 20:09:34 +0000 (UTC) (envelope-from sthaug@nethelp.no)
Received: (qmail 82706 invoked from network); 13 Apr 2009 20:09:32 -0000
Received: from bizet.nethelp.no (HELO localhost) (195.1.209.33) by bizet.nethelp.no with SMTP; 13 Apr 2009 20:09:32 -0000
Date: Mon, 13 Apr 2009 22:09:32 +0200 (CEST)
Message-Id: <20090413.220932.74699777.sthaug@nethelp.no>
To: pcc@gmx.net
From: sthaug@nethelp.no
In-Reply-To: <20090413135402.78610@gmx.net>
References: <20090413135402.78610@gmx.net>
X-Mailer: Mew version 3.3 on Emacs 21.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
Subject: Re: Multiple default routes / Force external routing
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 13 Apr 2009 20:09:35 -0000

> I've poked about for weeks and asked similar questions in -questions and
> elsewhere without avail. Probably using the wrong keys to search and ask:
>
> I have set up a box with various vlan interfaces on it. I naively expected
> to be able to set individual "default" routes and route between them via
> an *external* router (and filter packets there etc.) but somehow all
> packets seem to "short-circuit" locally, and I don't seem to be able to
> see why this is so and how I prevent that.

I found this behavior also, and it breaks POLA pretty badly.

There are several problems with the multiple routing table support (via
setfib) that I see:

- I found I needed "options ROUTETABLES= ..." to have additional routing
  tables. I could not find this option documented anywhere.

- The standard behavior when adding new routes (via ifconfig or route
  command) is that the route is added to all routing tables. Coming from a
  router/MPLS/L3VPN background, this is extremely counterintuitive. I found
  I needed to set the sysctl net.add_addr_allfibs to 0 to avoid this
  behavior.

- Having two routing tables (one default, one table number 1 via setfib) I
  also expected to be able to route between these via an external router.
  Pinging from the default routing table to routing table 1, traffic from
  the default routing table goes out to the external router and in via the
  other interface (in routing table 1) - but the ping reply is returned via
  the loopback interface on the FreeBSD host, without going out to the
  router. I assume this is the "short-circuit" you're talking about, and I
  find this behavior also very counterintuitive. If I explicitly ping from
  routing table 1 with ping prefixed by setfib 1, everything works as
  expected (traffic both ways goes via the external router).

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
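The following POSIX sh script is an added example, not part of the list thread or of FreeBSD itself. It turns the three observations above (the ROUTETABLES kernel option, the net.add_addr_allfibs sysctl, and the loopback short-circuit) into something a practitioner can review: it emits the per-FIB configuration commands instead of running them, checks the sysctl's current value from `sysctl net.add_addr_allfibs` output, and inspects `setfib N netstat -rn` output to see which interface the other FIB's subnet resolves to. The interface names (vlan10, vlan20), the subnets (192.0.2.0/24, 198.51.100.0/24), the router addresses and the sample netstat listings are all constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed layout: FIB 0 owns vlan10 on
# 192.0.2.0/24 with router 192.0.2.1; FIB 1 owns vlan20 on 198.51.100.0/24
# with router 198.51.100.1. All names and addresses are made up.

# 1. The kernel needs extra FIBs first (the undocumented option from the
#    thread):  options ROUTETABLES=2
#    Emit the runtime commands rather than execute them, so the plan can be
#    reviewed (and this script tested) on a box without setfib.
fib_plan() {
    cat <<'EOF'
sysctl net.add_addr_allfibs=0
setfib 0 route add default 192.0.2.1
setfib 1 route add default 198.51.100.1
EOF
}

# 2. Parse the output of `sysctl net.add_addr_allfibs` (FreeBSD prints
#    "net.add_addr_allfibs: <n>"). Returns 0 when interface routes stay in
#    their own FIB, 1 when they are copied into every FIB (the default).
allfibs_confined() {
    val=$(printf '%s\n' "$1" | awk -F': *' '/^net\.add_addr_allfibs/ {print $2; exit}')
    [ "$val" = "0" ]
}

# 3. Given `setfib N netstat -rn` output and a destination prefix, print the
#    Netif (column 6) the route resolves to; falls back to the FIB's default
#    route. Exact-prefix or default only, no longest-prefix matching.
#    If FIB 1 resolves FIB 0's subnet to vlan10 (or lo0) instead of its own
#    default via vlan20, the reply will bypass the external router: that is
#    the short-circuit described in the thread.
route_iface() {
    printf '%s\n' "$1" | awk -v dst="$2" '
        $1 == dst       { print $6; found = 1; exit }
        $1 == "default" { def = $6 }
        END             { if (!found) print def }'
}

# Constructed sample: FIB 1 with net.add_addr_allfibs=1, FIB 0's connected
# route has leaked in, so 192.0.2.0/24 is reached directly over vlan10.
FIB1_LEAKY='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            198.51.100.1       UGS         0        0  vlan20
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.0.2.0/24       link#1             UC          0        0  vlan10
198.51.100.0/24    link#2             UC          0        0  vlan20'

# Constructed sample: same FIB after net.add_addr_allfibs=0; only its own
# connected route remains, so 192.0.2.0/24 goes out the default via vlan20.
FIB1_CONFINED='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            198.51.100.1       UGS         0        0  vlan20
127.0.0.1          127.0.0.1          UH          0        0    lo0
198.51.100.0/24    link#2             UC          0        0  vlan20'

# Stand-alone run: show the plan and both lookups.
if [ "${1:-}" = "demo" ]; then
    fib_plan
    echo "FIB 1 leaky:    192.0.2.0/24 -> $(route_iface "$FIB1_LEAKY" 192.0.2.0/24)"
    echo "FIB 1 confined: 192.0.2.0/24 -> $(route_iface "$FIB1_CONFINED" 192.0.2.0/24)"
fi
```

On a real host, feed `route_iface` the output of `setfib 1 netstat -rn` and `allfibs_confined` the output of `sysctl net.add_addr_allfibs`; a lookup that lands on the local interface rather than the FIB's default gateway is the signature of the behaviour the thread complains about, and it is the condition to check before assuming traffic between FIBs actually transits the external router and its filters.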