From owner-freebsd-net@FreeBSD.ORG Fri Aug 20 16:11:23 2010
To: freebsd-net@freebsd.org
From: xavier.humbert@groumpf.org (Xavier HUMBERT)
Date: Fri, 20 Aug 2010 17:52:50 +0200
Message-ID: <1jnj9gh.1ni0waznzbr5yM%xavier.humbert@groumpf.org>
Organization: Tibet Libre
User-Agent: MacSOUP/2.8.3 (Mac OS X version 10.6.4 (x86))
Subject: Inter-vlan routing problem
List-Id: Networking and TCP/IP with FreeBSD

Hi all,

I've got some trouble routing vlans through FreeBSD 8.1-RELEASE.

The core backbone of our network is a Nortel 5520-48T-PWR stack, configured L2/L3, with 470-24T-PWR stacks in each building (5 including core), fiber connected.
Since the company who built our network is unable to make the L3 routing work, I installed a FreeBSD box, with vlan interfaces.

First, the L2/L3 config of the core switch:

------------------------------------------------------------------------
!
! *** VLAN ***
!
vlan configcontrol flexible
no auto-pvid
vlan name 1 "VLAN #1"
vlan create 10 name "Multimedia" type port
vlan create 20 name "Arcade" type port
vlan create 30 name "Chateau" type port
vlan create 100 name "VoIP" type port
!
! *** L3 ***
!
no ip directed-broadcast enable
ip routing
interface vlan 1
ip dhcp-relay min-sec 0 mode bootp_dhcp
no ip dhcp-relay broadcast
ip dhcp-relay
exit
interface vlan 10
ip address 172.16.214.252 255.255.255.0 10
ip dhcp-relay min-sec 0 mode bootp_dhcp
no ip dhcp-relay broadcast
ip dhcp-relay
exit
interface vlan 20
ip address 192.168.0.5 255.255.255.0 20
ip dhcp-relay min-sec 0 mode bootp_dhcp
no ip dhcp-relay broadcast
ip dhcp-relay
exit
interface vlan 30
ip address 10.75.2.5 255.255.255.0 30
ip dhcp-relay min-sec 0 mode bootp_dhcp
no ip dhcp-relay broadcast
ip dhcp-relay
exit
interface vlan 100
ip address 10.75.3.5 255.255.255.0 100
ip dhcp-relay min-sec 0 mode bootp_dhcp
no ip dhcp-relay broadcast
ip dhcp-relay
exit
ip arp timeout 360
ip dhcp-relay
ip blocking-mode none
------------------------------------------------------------------------

Now, the config of my box, and the routing table.
Obviously, I connected the bge0 interface to a port on which all vlans are present (there is no such concept as "trunk" on Nortel; in fact this term is used for MLT).

------------------------------------------------------------------------
gateway_enable="YES"
default_router="10.75.2.1"
cloned_interfaces="vlan0 vlan1 vlan2 vlan3 vlan4"
ifconfig_bge0="up"
ifconfig_vlan0="inet 192.168.1.251 netmask 255.255.255.0 vlan 1 vlandev bge0"
ifconfig_vlan1="inet 172.16.214.251 netmask 255.255.255.0 vlan 10 vlandev bge0"
ifconfig_vlan2="inet 192.168.0.251 netmask 255.255.255.0 vlan 20 vlandev bge0"
ifconfig_vlan3="inet 10.75.2.251 netmask 255.255.255.0 vlan 30 vlandev bge0"
ifconfig_vlan4="inet 10.75.3.251 netmask 255.255.255.0 vlan 100 vlandev bge0"

bge0: flags=8843 metric 0 mtu 1500
        options=8009b
        ether 00:e0:81:2d:62:3e
        media: Ethernet autoselect (1000baseT )
        status: active
vlan0: flags=8843 metric 0 mtu 1500
        description: Admin
        options=3
        ether 00:e0:81:2d:62:3e
        inet 192.168.1.251 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT )
        status: active
        vlan: 1 parent interface: bge0
vlan1: flags=8843 metric 0 mtu 1500
        description: Multimedia
        options=3
        ether 00:e0:81:2d:62:3e
        inet 172.16.214.251 netmask 0xffffff00 broadcast 172.16.214.255
        media: Ethernet autoselect (1000baseT )
        status: active
        vlan: 10 parent interface: bge0
vlan2: flags=8843 metric 0 mtu 1500
        description: Arcades
        options=3
        ether 00:e0:81:2d:62:3e
        inet 192.168.0.251 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (1000baseT )
        status: active
        vlan: 20 parent interface: bge0
vlan3: flags=8843 metric 0 mtu 1500
        description: Chateau
        options=3
        ether 00:e0:81:2d:62:3e
        inet 10.75.2.251 netmask 0xffffff00 broadcast 10.75.2.255
        media: Ethernet autoselect (1000baseT )
        status: active
        vlan: 30 parent interface: bge0
vlan4: flags=8843 metric 0 mtu 1500
        description: VoIP
        options=3
        ether 00:e0:81:2d:62:3e
        inet 10.75.3.251 netmask 0xffffff00 broadcast 10.75.3.255
        media: Ethernet autoselect (1000baseT )
        status: active
        vlan: 100 parent interface: bge0

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.75.2.1          UGS         0    13742  vlan3
192.168.1.0/24     link#9             U           5   234765  vlan0
172.16.214.0/24    link#10            U           4   395054  vlan1
192.168.0.0/24     link#11            U           1     4659  vlan2
10.75.2.0/24       link#12            U           0     3361  vlan3
10.75.3.0/24       link#13            U           0     2716  vlan4
------------------------------------------------------------------------

The problem is that, from the gateway itself, I can "see" all devices on all vlans (nmap proves this). But from my station (which is on vlan #10), I can access my own vlan, and the default vlan #1. A ping or traceroute to another machine - I tried the default_router, which as you can see is on vlan #30 - fails miserably.

Tcpdump is not very helpful:

------------------------------------------------------------------------
[xavier@imac-xav ~]$ traceroute 10.75.2.1
traceroute to 10.75.2.1 (10.75.2.1), 64 hops max, 52 byte packets
 1  gateway (172.16.214.251)  0.697 ms  0.227 ms  0.245 ms
 2  * * *
 3  *^C

[root@gateway ~]# tcpdump -vv -i vlan3 host 172.16.214.102
tcpdump: listening on vlan3, link-type EN10MB (Ethernet), capture size 96 bytes
10:30:41.140953 IP (tos 0x0, ttl 1, id 50332, offset 0, flags [none], proto UDP (17), length 52, bad cksum 0 (->665a)!)
    172.16.214.102.50328 > 10.75.2.1.33438: [udp sum ok] UDP, length 24
10:30:46.141358 IP (tos 0x0, ttl 1, id 50333, offset 0, flags [none], proto UDP (17), length 52, bad cksum 0 (->6659)!)
    172.16.214.102.50328 > 10.75.2.1.33439: [udp sum ok] UDP, length 24
------------------------------------------------------------------------

Is the bad cksum relevant?

Thanks for your patience reading this, and for your hopefully helpful advice.

Regards,

-- 
XAv
In your pomp and all your glory you're a poorer man than me, as you lick the boots of death born out of fear. (Jethro Tull)
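A small diagnostic, added here as an example and not part of the original mail: it replays the routing tables transcribed from the post (the FreeBSD box's netstat table and the Nortel core's connected subnets) with a longest-prefix match, to show that the core would answer 172.16.214.102 directly on its own vlan 10 interface rather than hand the reply back to the gateway, which is why a capture on vlan3 can only ever show the outbound probes. It assumes the core has no routes beyond its connected subnets, since the posted config shows no static routes.

```python
import ipaddress

# FreeBSD box routing table, transcribed from the netstat output in the mail:
# (prefix, next hop or None when directly connected, egress interface).
GATEWAY_ROUTES = [
    ("0.0.0.0/0",       "10.75.2.1", "vlan3"),
    ("192.168.1.0/24",  None,        "vlan0"),
    ("172.16.214.0/24", None,        "vlan1"),
    ("192.168.0.0/24",  None,        "vlan2"),
    ("10.75.2.0/24",    None,        "vlan3"),
    ("10.75.3.0/24",    None,        "vlan4"),
]
# Addresses the FreeBSD box owns, from its rc.conf in the mail.
GATEWAY_ADDRS = {"192.168.1.251", "172.16.214.251", "192.168.0.251",
                 "10.75.2.251", "10.75.3.251"}
# Nortel core: connected subnets from its "interface vlan" stanzas.
# Assumption: no static route toward the FreeBSD box, as none is in the config.
CORE_ROUTES = [
    ("172.16.214.0/24", None, "vlan 10"),
    ("192.168.0.0/24",  None, "vlan 20"),
    ("10.75.2.0/24",    None, "vlan 30"),
    ("10.75.3.0/24",    None, "vlan 100"),
]

def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best

def path_symmetry(src, dst):
    """Egress the gateway uses toward dst versus the core's reply path to src."""
    fwd = lookup(GATEWAY_ROUTES, dst)
    back = lookup(CORE_ROUTES, src)
    return {
        "forward_iface": fwd[2] if fwd else None,
        "forward_next_hop": fwd[1] if fwd else None,
        "return_iface": back[2] if back else None,
        # The gateway only sees replies if the core hands them back to it.
        "reply_via_gateway": bool(back) and back[1] in GATEWAY_ADDRS,
    }

if __name__ == "__main__":
    # The traceroute in the mail: station 172.16.214.102 probing 10.75.2.1.
    print(path_symmetry("172.16.214.102", "10.75.2.1"))
```

A return_iface of None (for example a source on the Admin vlan 192.168.1.0/24, where the core has no IP address) means the core has no route back at all and the reply is dropped there.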