From: Giulio Ferro
To: freebsd-net@freebsd.org
Date: Mon, 23 Jun 2008 21:59:49 +0200
Message-ID: <486000B5.9090703@zirakzigil.org>
Subject: Problem clarification (was: Problems with vlan + carp + alias)
List-Id: Networking and TCP/IP with FreeBSD

After some more tests I've finally realized that the problem is with vlan and alias.
I've taken carp out of the picture.
(Please read my previous message on the topic to understand the scenario; I've reported it below.)

Here is what matters in /etc/rc.conf:
-----------------------------------------------------------
...
ifconfig_bce0="inet 192.168.26.1 netmask 255.255.255.0"
...
ifconfig_vlan128="inet x.y.z.132 netmask 255.255.255.224 vlan 128 vlandev bce0"
ifconfig_vlan128_alias0="x.y.z.133 netmask 255.255.255.255"
ifconfig_vlan128_alias1="x.y.z.134 netmask 255.255.255.255"
ifconfig_vlan128_alias2="x.y.z.135 netmask 255.255.255.255"
ifconfig_vlan128_alias3="x.y.z.136 netmask 255.255.255.255"
ifconfig_vlan128_alias4="x.y.z.137 netmask 255.255.255.255"
ifconfig_vlan128_alias5="x.y.z.138 netmask 255.255.255.255"
ifconfig_vlan128_alias6="x.y.z.139 netmask 255.255.255.255"
ifconfig_vlan128_alias7="x.y.z.140 netmask 255.255.255.255"
ifconfig_vlan128_alias8="x.y.z.141 netmask 255.255.255.255"
...
defaultrouter="x.y.z.129"
-----------------------------------------------------------

netstat -rn
-----------------------------------------------------------
default            x.y.z.129          UGS     0     9869  vlan12
x.y.z.128/27       link#11            UC      0        0  vlan12
x.y.z.129          00:00:0c:07:ac:0a  UHLW    2       52  vlan12   1107
x.y.z.130          00:d0:03:8a:9b:fc  UHLW    1        0  vlan12   1147
x.y.z.131          00:d0:03:8a:9b:fd  UHLW    1        0  vlan12   1144
x.y.z.133/32       link#11            UC      0        0  vlan12
x.y.z.134/32       link#11            UC      0        0  vlan12
x.y.z.135/32       link#11            UC      0        0  vlan12
x.y.z.136/32       link#11            UC      0        0  vlan12
x.y.z.137/32       link#11            UC      0        0  vlan12
x.y.z.138/32       link#11            UC      0        0  vlan12
x.y.z.139/32       link#11            UC      0        0  vlan12
x.y.z.140/32       link#11            UC      0        0  vlan12
x.y.z.141/32       link#11            UC      0        0  vlan12
-----------------------------------------------------------

ifconfig vlan128
-----------------------------------------------------------
vlan128: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:1e:c9:ad:fa:c9
        inet x.y.z.132 netmask 0xffffffe0 broadcast x.y.z.159
        inet x.y.z.133 netmask 0xffffffff broadcast x.y.z.133
        inet x.y.z.134 netmask 0xffffffff broadcast x.y.z.134
        inet x.y.z.135 netmask 0xffffffff broadcast x.y.z.135
        inet x.y.z.136 netmask 0xffffffff broadcast x.y.z.136
        inet x.y.z.137 netmask 0xffffffff broadcast x.y.z.137
        inet x.y.z.138 netmask 0xffffffff broadcast x.y.z.138
        inet x.y.z.139 netmask 0xffffffff broadcast x.y.z.139
        inet x.y.z.140 netmask 0xffffffff broadcast x.y.z.140
        inet x.y.z.141 netmask 0xffffffff broadcast x.y.z.141
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
        vlan: 128 parent interface: bce0
-----------------------------------------------------------

Tests:
- No problem when I try to ping the default gateway from my fw
- No problem when I ping my fw from an external internet address

Problems:
- I cannot ping the router from one of the aliased addresses:
  ping -S x.y.z.133 x.y.z.129
- I cannot ping the aliased addresses from an external internet address

Note: I can see the packets with tcpdump travelling from and to the aliased address.
It seems the interface won't process them for some reason.

This seems suspiciously like a bug to me...

--------------------------------------------------------------------------------------
(previous message on vlan + carp + alias)
--------------------------------------------------------------------------------------

Primeroz lists wrote:
> What is tcpdump showing for ping on 192.168.10.11? Can you see the echo reply
> exiting the vlan10 interface?
>
> What if you try from your server to "ping -S 192.168.10.11 192.168.10.254"?

First of all I'm sorry for the late reply. Yesterday I could do some more in-depth
tests to analyze this strange behavior of my firewall.

The 192.168.10.0/24 range I used in the previous example isn't the real one; I just
used it for simplicity's sake. The true range, the one which has been assigned by the
ISP to my customer, is x.y.z.128/27 (x.y.z corresponds to a true public IP address).

I've deactivated the firewall, so we have one less thing to worry about:
/etc/rc.d/pf stop

This is a pure network configuration issue.
Here is the relevant part in /etc/rc.conf:
---------------------------------------------------
...
ifconfig_bce0="inet 192.168.26.1 netmask 255.255.255.0"
...
cloned_interfaces="vlan5 vlan25 vlan30 vlan40 vlan128 carp5 carp25 carp30 carp40 carp128"
...
ifconfig_vlan128="inet x.y.z.157 netmask 255.255.255.224 vlan 128 vlandev bce0"
...
ifconfig_carp128="vhid 128 pass qweq x.y.z.132 netmask 255.255.255.255"
ifconfig_carp128_alias0="x.y.z.133 netmask 255.255.255.255"
ifconfig_carp128_alias1="x.y.z.134 netmask 255.255.255.255"
ifconfig_carp128_alias2="x.y.z.135 netmask 255.255.255.255"
ifconfig_carp128_alias3="x.y.z.136 netmask 255.255.255.255"
ifconfig_carp128_alias4="x.y.z.137 netmask 255.255.255.255"
ifconfig_carp128_alias5="x.y.z.138 netmask 255.255.255.255"
ifconfig_carp128_alias6="x.y.z.139 netmask 255.255.255.255"
ifconfig_carp128_alias7="x.y.z.140 netmask 255.255.255.255"
ifconfig_carp128_alias8="x.y.z.141 netmask 255.255.255.255"
...
defaultrouter="x.y.z.129"
---------------------------------------------------

On my managed switch I've set 2 ports:
1) the one where the bce0 interface is plugged in: mode trunk with all the vlans above
2) the one where the ISP internet is plugged in: mode access with vlan 128

I've also set the ip interface of my switch to x.y.z.155 vlan 128.

Here is the relevant part of netstat -rn on my machine:
---------------------------------------------------
default            x.y.z.129          UGS     0    13966  vlan12
x.y.z/27           link#11            UC      0        0  vlan12
x.y.z.132          x.y.z.132          UH      0        0  carp12
x.y.z.133          x.y.z.133          UH      0        0  carp12
x.y.z.134          x.y.z.134          UH      0        0  carp12
x.y.z.135          x.y.z.135          UH      0        0  carp12
x.y.z.136          x.y.z.136          UH      0        0  carp12
x.y.z.137          x.y.z.137          UH      0        0  carp12
x.y.z.138          x.y.z.138          UH      0        0  carp12
x.y.z.139          x.y.z.139          UH      0        0  carp12
x.y.z.140          x.y.z.140          UH      0        0  carp12
x.y.z.141          x.y.z.141          UH      0        0  carp12
x.y.z.155          00:1e:c9:90:4a:c0  UHLW    1        8  vlan12   1183
---------------------------------------------------

Here come the tests.
1) From the firewall: basic
   I can ping both the default gateway (x.y.z.129) and the switch interface (x.y.z.155).
   I can ping a generic internet address (a.b.c.d).
   With tcpdump I can see the packets leaving as x.y.z.157 and coming back with the same address.

2) From the switch: basic
   I can ping the firewall's vlan address (x.y.z.157).
   I can ping _ALL_ the carp interfaces, base and alias:
   ping x.y.z.157 -> OK
   ping x.y.z.132 -> OK
   ping x.y.z.133 -> OK
   ...
   ping x.y.z.141 -> OK

3) From the internet: basic
   From an external internet address I can ping the vlan address:
   ping x.y.z.157 -> OK

4) From the firewall: advanced
   From the firewall I can ping the switch address from one of the carp base and aliased addresses:
   ping -S x.y.z.132 x.y.z.155 -> OK
   ping -S x.y.z.133 x.y.z.155 -> OK
   I _cannot_ ping the default router from one of the carp addresses:
   ping -S x.y.z.132 x.y.z.129 -> NOT OK
   ping -S x.y.z.133 x.y.z.129 -> NOT OK
   By using tcpdump on the vlan128 interface I can see the packets _BOTH_ leaving from and coming to the carp addresses.
   It just seems that the carp interfaces can't process the packets properly.

5) From the internet: advanced
   From an external internet address I _cannot_ ping the carp addresses (x.y.z.132 and up).
   As above, I can see the incoming packets with: tcpdump -i vlan128 -n icmp

Ok, that was long. I hope someone can help shed light on this, to see whether this is a bug or not.
I stress again that the _same_ configuration works as it should on a physical (non-vlan) interface.