Date: Tue, 14 Apr 2009 21:05:52 +0200
From: "Peter Cornelius" <pcc@gmx.net>
To: Steve Bertrand <steve@ibctech.ca>, julian@elischer.org
Cc: freebsd-net@freebsd.org, sthaug@nethelp.no
Subject: Re: Multiple default routes / Force external routing
Message-ID: <20090414190552.298990@gmx.net>
In-Reply-To: <49E48799.1000300@ibctech.ca>
References: <20090413135402.78610@gmx.net> <20090413.220932.74699777.sthaug@nethelp.no> <49E41755.8050701@elischer.org> <49E48799.1000300@ibctech.ca>
Re... Thanks for the numerous responses, first time I feel like home :)

> >>> I have set up a box with various vlan interfaces on it. I naively
> >>> expected to be able to set individual "default" routes and route
> >>> between them via an *external* router (and filter packets there etc.)
> >>> but somehow all packets seem to "short-circuit" locally, and I don't
> >>> seem to be able to see why this is so and how I prevent that.
> >
> > I think you are rather confused about what Multiple FIBs is..
> > All it is is the ability to make a packet use a particular
> > FIB on its outgoing path. There is no such thing as an interface
> > being "In" a FIB. All interfaces are still visible to the routing code
> > by default, and the IP stack still knows about them. I think the IP
> > stack sets the 'loopback' flag on a packet regardless of the FIB
> > selected if the dest is one of its own addresses.

Yup, that is roughly what I expected to hear from what I observed. Took a
while to get there mentally though, sorry...

> > What you want is VIMAGE.

I haven't fiddled with that (yet) since it seems to be somewhat separate
from the src trunk (isn't it?) and I hoped to remain mainstream. At first
glance, it seems attractive ...

> To me, it sounds like he wants to turn the FBSD box into a VLAN
> aggregator, and then "trunk" the VLANs to an external router to route
> between the VLAN subnets.
>
> If this is the case, then the default route that points to the
> 'external' router would need to be applied on the devices within each
> VLAN subnet, not on the VLAN aggregator device(s) themselves.
>
> Do I understand what you are trying to do correctly?

The idea was to set up a server which behaves as if it was a set of servers
with different tasks offering different services with different access
rights etc. Think of it as a farm of physical servers some of which are
virtualised on a single box, a typical virtualisation task, I think.

The key point I want to achieve is a good separation of the networks and
control packet interchange via a physically separate device (which also is
a FreeBSD box btw). The Ethernet trunk goes into a switch and from there
on to the router. So yes, that's the setup currently. But I may mention
that the vlans extend to other holes on the switch, and I definitely want
to avoid packets sneaking past the router if at all possible.

To cut a long story short, I would expect vimage to be a solution at my
server end, provided that (I can get it built and) I can tie several jail
instances to a given vlan interface (representing several servers) and be
sure that the packets are only seen there (and not on other vlan ifs).
I'll give it a closer look than I did so far asap, so thanks.

All the best,

Peter.
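The following is an added illustration of the point Julian makes in the quoted text above (a packet to one of the host's own addresses is looped back before any FIB is consulted, and every interface's connected route is visible in every FIB). It is a toy model written for this page, not FreeBSD kernel code and not anything posted in the thread. The interface names, addresses, the two FIBs and the "external router" gateways are constructed sample values; the assumption that connected routes are installed in every FIB follows Julian's remark that all interfaces remain visible to the routing code regardless of FIB.

```python
"""Toy model of forwarding on a FreeBSD host with several FIBs.

Constructed example for illustration only. Addresses, interface names and
the contents of the two FIBs are made up; the behaviour modelled is the one
described in the thread: own addresses are delivered locally irrespective
of the FIB, and connected routes appear in every FIB.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None  # None means directly connected


class MultiFibHost:
    def __init__(self, interfaces, per_fib_routes):
        # interfaces: {iface_name: "addr/prefixlen"} (constructed sample data)
        # per_fib_routes: one list of extra (non-connected) routes per FIB
        self.local_addrs = set()
        connected = []
        for iface, cidr in interfaces.items():
            ifa = ipaddress.ip_interface(cidr)
            self.local_addrs.add(ifa.ip)
            connected.append(Route(ifa.network, iface))
        # Assumption from the thread: connected routes land in every FIB,
        # so only the non-connected routes (e.g. the default) differ per FIB.
        self.fibs = [connected + list(extra) for extra in per_fib_routes]

    def lookup(self, fib: int, dst: str):
        """Return (outgoing interface, next-hop gateway or None) for dst."""
        d = ipaddress.ip_address(dst)
        # A destination that is one of the host's own addresses is delivered
        # over the loopback path before any FIB is consulted.
        if d in self.local_addrs:
            return ("lo0", None)
        # Otherwise: longest-prefix match within the selected FIB only.
        best = None
        for r in self.fibs[fib]:
            if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        if best is None:
            raise LookupError(f"no route to {dst} in fib {fib}")
        return (best.iface, best.gateway)


def build_example_host() -> MultiFibHost:
    """Two VLAN interfaces, two FIBs, each with its own default route that
    points at an external router reachable in that VLAN (constructed)."""
    default = ipaddress.ip_network("0.0.0.0/0")
    return MultiFibHost(
        interfaces={"vlan10": "192.168.10.1/24", "vlan20": "192.168.20.1/24"},
        per_fib_routes=[
            [Route(default, "vlan10", "192.168.10.254")],  # FIB 0
            [Route(default, "vlan20", "192.168.20.254")],  # FIB 1
        ],
    )


HOST = build_example_host()


def lookup(fib: int, dst: str):
    return HOST.lookup(fib, dst)


def find_router_bypass(host: MultiFibHost, fib: int, dsts, router: str):
    """Destinations that a packet sent with `fib` reaches without passing the
    external router: exactly the traffic the thread is trying to force through
    a separate filtering box."""
    leaks = []
    for dst in dsts:
        iface, gw = host.lookup(fib, dst)
        if gw != router:
            leaks.append(dst)
    return leaks


if __name__ == "__main__":
    # Both the host's own vlan20 address and a neighbour in VLAN 20 are
    # reached from FIB 0 without touching the VLAN 10 router.
    for dst in ("192.168.20.1", "192.168.20.7", "203.0.113.9"):
        print(dst, "->", lookup(0, dst))
    print("bypass router from FIB 0:",
          find_router_bypass(HOST, 0, ["192.168.20.7", "203.0.113.9"], "192.168.10.254"))
```

Running the model shows why multiple FIBs alone do not give the separation asked for in the thread: with FIB 0 selected, a packet to the host's own VLAN 20 address goes to `lo0`, and a packet to another host in VLAN 20 leaves directly via `vlan20` because the connected route is present in FIB 0 too; only destinations outside both subnets actually follow FIB 0's default route to the external router. Genuine separation of the stacks is what the VIMAGE/vnet suggestion in the thread addresses.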