From owner-freebsd-current@freebsd.org Mon Jul 3 04:48:49 2017
Date: Mon, 3 Jul 2017 06:48:39 +0200
From: "O. Hartmann"
To: Freddie Cash
Cc: "Hartmann, O." , FreeBSD-Current
Subject: Re: static routes on VLAN on CURRENT
Message-ID: <20170703064839.6c99b594@freyja.zeit4.iv.bundesimmobilien.de>
In-Reply-To:
References: <20170702133957.1f337a2e@hermann>
Organization: Walstatt
List-Id: Discussions about the use of FreeBSD-current

On Sun, 2 Jul 2017 13:17:54 -0700
Freddie Cash wrote:

> On Jul 2, 2017 4:40 AM, "Hartmann, O." wrote:
>
> Fiddling around with a self-brewed router/firewall based on 12-CURRENT
> and ipfw, I ran into problems when setting up a trunk port with
> different VLANs and static routes.
>
> The "router" has three NICs, igb0, igb1, igb2 (it is de facto an APU
> 2C4 from PCengines). igb0 is attached to an external VDSL2+ Modem and
> not connected at the moment. igb2 is also not connected yet.
>
> igb1 bears several VLANs: 2, 10, 100 (igb1.2, igb1.10 ...) and the
> "native", untagged LAN (on igb1).
>
>
> While it will sometimes work, I find that mixing tagged and untagged vlans
> on a single interface leads to all kinds of silent failures and issues.
>
> Just make vlan 1 tagged on that interface and the switch port. Then ignore
> igb1 completely, and only use the igb1.X interfaces for everything.

Very good advice, but I didn't get that far, since first I have to refactor
the whole network and I didn't want to shoot myself in the foot.
> To not use a routing daemon due to the small size of my network, I
> decided to use static routes; in rc.conf I placed the following
> variables:
>
> static_routes="igb1.2 igb1.10"
> route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
> route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
>
>
> You shouldn't need to add static routes as the routes will be added
> automatically when you assign an IP/netmask to the interface.

Yes, I found this out already - a bit disturbing, isn't it? The thinking
behind my "solution" was not to route automatically. I think isolating
networks needs to be done via ipfw then.

Well, to be honest, the main issue is that there is the igb0 device, which
will be attached to tun0 in case the VDSL modem is attached and receiving
its IP from the ISP. FreeBSD's ppp client adds this device as the default
route via

    add! default HISADDR
    add! default HISADDR6

The igb1.2 VLAN 2 in my scenario should be the interface for the VoIP
facility - and it should be somehow restricted. The router itself is
running NanoBSD 12-CURRENT, and as soon as I have figured out how to
automatically create and install a small jail which then contains PBX,
DNS et cetera, igb1.2 is then the jail's interface. And it should not
interfere with my office's LAN by accident.

> Simplify things. Make everything tagged vlans, reduce your rc.conf to just
> IP assignments to the sub interfaces, and see how things work. Build it up
> from there.

Good thinking.

> Cheers,
> Freddie

Thank you very much,
Oliver
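The rc.conf snippet quoted in this thread names its route variables route_igb1_2 and route_igb1_10 for the entries igb1.2 and igb1.10 in static_routes; the rc framework makes that connection by translating the punctuation in each entry to underscores before it looks up route_<name>. The following script is an added example, not code from this mailing-list post or from FreeBSD's own rc scripts: it emulates that lookup in POSIX sh on the rc.conf values quoted above (embedded inline as constructed sample data instead of reading /etc/rc.conf) and prints the route(8) invocation each entry would produce, as a dry run you can use to catch a mistyped route_ variable before rebooting the router. The function names route_varname, route_args_for and static_route_commands are my own.

```shell
#!/bin/sh
# Added example (not from the post or from FreeBSD's rc scripts): show how a
# static_routes entry such as "igb1.2" becomes the variable name route_igb1_2
# and which route(8) command would result, without executing anything.

# Constructed sample values, embedded inline instead of reading /etc/rc.conf.
static_routes="igb1.2 igb1.10"
route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"

# Map the punctuation ". - / +" in a route name to "_", the same translation
# FreeBSD's rc framework applies before looking up route_<name>.
route_varname() {
    printf '%s\n' "$1" | sed 's|[./+-]|_|g'
}

# Print the route_<name> value for one static_routes entry; fail (return 1)
# when no such variable is set. The translated name is checked against a
# safe character set before it reaches eval, because rc.conf content is
# evaluated as shell code and a stray character must not become a command.
route_args_for() {
    _name=$(route_varname "$1")
    case "$_name" in
        *[!A-Za-z0-9_]*|'') return 1 ;;
    esac
    eval "_args=\${route_${_name}:-}"
    [ -n "$_args" ] || return 1
    printf '%s\n' "$_args"
}

# Emit, one per line, the route(8) invocation rc.d/routing would run for each
# entry in static_routes. Stops at the first entry that has no matching
# route_<name> variable, which is the typo this dry run is meant to catch.
static_route_commands() {
    for _r in $static_routes; do
        if _a=$(route_args_for "$_r"); then
            printf 'route add %s\n' "$_a"
        else
            echo "static_routes entry '$_r' has no route_$(route_varname "$_r") variable" >&2
            return 1
        fi
    done
}

static_route_commands
```

Note that this only covers the static_routes entries; the connected routes that ifconfig installs automatically when an address and netmask are assigned to igb1.2 or igb1.10 (the reason Freddie says the static routes are unnecessary) are not shown, so isolation between the VLANs still has to come from the firewall rules rather than from the routing table.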