From: "Peter Cornelius" <pcc@gmx.net>
To: Steve Bertrand, julian@elischer.org
Cc: freebsd-net@freebsd.org, sthaug@nethelp.no
Date: Tue, 14 Apr 2009 21:05:52 +0200
Subject: Re: Multiple default routes / Force external routing
Message-ID: <20090414190552.298990@gmx.net>
In-Reply-To: <49E48799.1000300@ibctech.ca>
References: <20090413135402.78610@gmx.net> <20090413.220932.74699777.sthaug@nethelp.no> <49E41755.8050701@elischer.org> <49E48799.1000300@ibctech.ca>
List-Id: Networking and TCP/IP with FreeBSD

Re... Thanks for the numerous responses, first time I feel like home :)

> >>> I have set up a box with various vlan interfaces on it. I naively
> >>> expected to be able to set individual "default" routes and route
> >>> between them via an *external* router (and filter packets there etc.)
> >>> but somehow all packets seem to "short-circuit" locally, and I don't
> >>> seem to be able to see why this is so and how I prevent that.
> >
> > I think you are rather confused about what Multiple FIBs is..
> > All it is is the ability to make a packet use a particular
> > FIB on its outgoing path. There is no such thing as an interface
> > being "in" a FIB. All interfaces are still visible to the routing code
> > by default, and the IP stack still knows about them. I think the IP
> > stack sets the 'loopback' flag on a packet regardless of the FIB
> > selected if the dest is one of its own addresses.

Yup, that is roughly what I expected to hear from what I observed. Took a
while to get there mentally though, sorry...

> > What you want is VIMAGE.

I haven't fiddled with that (yet) since it seems to be somewhat separate
from the src trunk (isn't it?) and I hoped to remain mainstream. At first
glance, it seems attractive ...

> To me, it sounds like he wants to turn the FBSD box into a VLAN
> aggregator, and then "trunk" the VLANs to an external router to route
> between the VLAN subnets.
>
> If this is the case, then the default route that points to the
> 'external' router would need to be applied on the devices within each
> VLAN subnet, not on the VLAN aggregator device(s) themselves.
>
> Do I understand what you are trying to do correctly?

The idea was to set up a server which behaves as if it was a set of
servers with different tasks offering different services with different
access rights etc. Think of it as a farm of physical servers some of which
are virtualised on a single box, a typical virtualisation task, I think.
The key point I want to achieve is a good separation of the networks and
control of packet interchange via a physically separate device (which also
is a FreeBSD box btw). The Ethernet trunk goes into a switch and from there
on to the router. So yes, that's the setup currently. But I may mention
that the vlans extend to other holes on the switch, and I definitely want
to avoid packets sneaking past the router if at all possible.

To cut a long story short, I would expect vimage to be a solution at my
server end, provided that (I can get it built and) I can tie several jail
instances to a given vlan interface (representing several servers) and be
sure that the packets are only seen there (and not on other vlan ifs).

I'll give it a closer look than I did so far asap, so thanks.

All the best,

Peter.
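An added example, written for this archive page and not part of the thread or of any participant's mail, of the vnet-jail approach suggested above: one jail per VLAN, each with its own network stack and its own default route to the external router, plus the check a practitioner would run to confirm that traffic between two VLAN subnets really leaves the box instead of being delivered on lo0 (the "short-circuit" described in the thread). Everything concrete here is assumed rather than taken from the mail: the trunk NIC em0, VLAN IDs 10 and 20, the RFC 5737 documentation subnets, a router at .1 of each subnet, the jail names srv10/srv20, and a FreeBSD release with jail.conf(5) vnet support (which the 2009 thread did not yet have in a release).

```shell
#!/bin/sh
# Added example, not from the thread. Per-VLAN vnet jails on a FreeBSD host
# and a check that inter-VLAN traffic egresses via the external router.
# Assumed names: em0 trunk, vlan10/vlan20, 192.0.2.0/24 and 198.51.100.0/24,
# routers at .1, jails srv10/srv20.

# Emit a jail.conf(5) fragment that creates a VLAN interface on the trunk
# and moves it into a vnet jail. The jail then owns the interface and its
# addresses; the host stack no longer treats them as local, so a packet for
# the other VLAN's subnet can only follow the jail's default route.
gen_jail_conf() {
    name=$1; vid=$2; addr=$3; gw=$4
    cat <<EOF
$name {
    path = "/jails/$name";
    host.hostname = "$name.example.net";
    vnet;
    vnet.interface = "vlan$vid";
    exec.prestart = "ifconfig vlan$vid create vlandev em0 vlan $vid";
    exec.start = "ifconfig vlan$vid inet $addr; route add default $gw; /bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig vlan$vid destroy";
    exec.clean;
    mount.devfs;
}
EOF
}

# Read the output of `route -n get <dst>` on stdin and print the interface
# the kernel chose. lo0 means the destination is an address of this stack
# and the packet is delivered internally, whichever FIB was selected;
# anything else means it leaves through that interface.
egress_if() {
    awk -F': *' '$1 ~ /interface/ { print $2; exit }'
}

# Succeeds when the route given on $1 does not loop back on lo0.
leaves_box() {
    [ "$(printf '%s\n' "$1" | egress_if)" != "lo0" ]
}

# Constructed sample outputs (not captured from a real host) in the shape
# route(8) prints them. The first is what the thread's single-stack setup
# shows for another VLAN's address; the second is what a vnet jail with
# only vlan10 and a default route to the router shows for the same address.
SAMPLE_LOCAL='   route to: 198.51.100.20
destination: 198.51.100.20
  interface: lo0
      flags: <UP,HOST,DONE,LOCAL>'

SAMPLE_ROUTED='   route to: 198.51.100.20
destination: default
       mask: default
    gateway: 192.0.2.1
        fib: 0
  interface: vlan10
      flags: <UP,GATEWAY,DONE,STATIC>'

# On the FreeBSD host (as root):
#   gen_jail_conf srv10 10 192.0.2.10/24 192.0.2.1     >> /etc/jail.conf
#   gen_jail_conf srv20 20 198.51.100.20/24 198.51.100.1 >> /etc/jail.conf
#   service jail start srv10 srv20
#   jexec srv10 route -n get 198.51.100.20 | egress_if   # want vlan10, not lo0
```

The check is the important part: after the jails are up, `jexec srv10 route -n get <address in VLAN 20>` must name vlan10 (that is, the router) and not lo0. If the host itself still carries addresses in both subnets, the host's own `route -n get` will show lo0 for them, which is exactly the short-circuit Julian describes, and the external router and its filter rules never see that traffic.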