From: Christian Ullrich <chris@chrullrich.net>
To: freebsd-net@freebsd.org
Date: Wed, 17 Feb 2010 22:42:07 +0100
Subject: Routing into overlapping subnets
Message-ID: <4B7C62AF.6000904@chrullrich.net>
List-Id: Networking and TCP/IP with FreeBSD

Hello all,

I'm having a routing problem I can't wrap my head around. Consider this situation:

I want to provide some common resources (printers etc.) to a number of clients in separate networks. They each have their own physical network, and these networks are supposed to stay isolated, with the exception of what I'm trying to set up. I have no control over the IP addressing used by the clients, except that it's all RFC1918, but as far as I know, they are all using the same addresses.

What I thought would work was this: On a central switch, set up one VLAN per client network and ensure that the switch only forwards between the port assigned to the client and one (trunk) port where I put my router. On the router, create the required VLAN interfaces and put the "public" addresses for my printers on them (one in each RFC1918 net, but the same on each VLAN), then use pf to NAT the destination for packets coming in on each VLAN to the actual printers, and use "reply-to" to make sure the responses go out through the same interface.

Now I'm stuck. With one client, that works fine, but when I add another one (different interface, same client address), the packets are dropped and dmesg shows lots of "arpresolve: can't allocate llinfo for (client address)". I suppose that's because there is already an ARP entry for that IP address, and the kernel cannot add another one.

If that's true, here's what I don't understand: When the time comes to resolve IP addresses to hardware addresses, the kernel has already routed the packet to an outgoing interface, so it should be enough to consider the ARP entries associated with that interface to know where to send the packet. Why doesn't the kernel look up an ARP table entry by both IP address and interface?

Is there anything I can do to make this work? It's not an everyday setup, I know, but I'd really like to make it work.

Thanks for any help.

-- 
Christian
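The following is an added toy model of the resolution step the post describes; it is not code from the post, from FreeBSD, or from pf. It models two VLAN interfaces whose client networks overlap (both using the constructed address 192.168.2.50 with different, constructed MAC addresses) and contrasts a neighbour cache keyed by IP address alone, which refuses a second entry for the same address and so reproduces the "can't allocate llinfo" outcome the poster reports, with one keyed by (interface, IP), the lookup the poster asks about. The interface names, addresses and the refuse-on-conflict rule are assumptions made for illustration, not a description of how the kernel is implemented.

```python
"""Toy model of next-hop resolution for overlapping client subnets.

Constructed example, not code from the mailing-list post or the kernel.
Two isolated VLANs carry clients that use the same RFC1918 address;
replies must leave via the interface the request arrived on (the
"reply-to" step), and the neighbour cache must then supply a MAC for
that (interface, address) pair.
"""
from dataclasses import dataclass, field


class ResolveError(Exception):
    """No link-layer entry could be created or found for the packet."""


@dataclass
class NeighborCache:
    # True: entries keyed by (ifname, ip); False: keyed by ip alone.
    per_interface: bool
    entries: dict = field(default_factory=dict)

    def _key(self, ifname, ip):
        return (ifname, ip) if self.per_interface else ip

    def learn(self, ifname, ip, mac):
        """Record that ip answers ARP on ifname with mac.

        With a global key, a second interface presenting the same ip
        conflicts with the existing entry and is refused (assumed
        behaviour, chosen to mirror the failure the post describes).
        """
        key = self._key(ifname, ip)
        existing = self.entries.get(key)
        if existing is not None and existing != (ifname, mac):
            raise ResolveError(f"arpresolve: can't allocate llinfo for {ip}")
        self.entries[key] = (ifname, mac)

    def resolve(self, ifname, ip):
        """Return the MAC to use when a packet for ip is sent out ifname."""
        entry = self.entries.get(self._key(ifname, ip))
        if entry is None or entry[0] != ifname:
            raise ResolveError(f"no link-layer entry for {ip} on {ifname}")
        return entry[1]


# Constructed sample: the same client address on two isolated VLANs.
CLIENTS = [
    ("vlan10", "192.168.2.50", "00:11:22:33:44:10"),
    ("vlan20", "192.168.2.50", "00:11:22:33:44:20"),
]


def reply_interface(state_table, client_ip):
    """Model of pf 'reply-to': replies go out the interface that the
    client's request arrived on, as recorded in the state entry."""
    return state_table[client_ip]


def simulate(per_interface):
    """Bring up both clients and try to deliver a printer reply to each.

    Returns {ifname: mac} on success or {ifname: error text} on failure.
    """
    cache = NeighborCache(per_interface)
    outcome = {}
    for ifname, ip, mac in CLIENTS:
        # pf state created when the client's request came in on ifname.
        state_table = {ip: ifname}
        out_if = reply_interface(state_table, ip)
        try:
            cache.learn(out_if, ip, mac)          # client's ARP reply on out_if
            outcome[ifname] = cache.resolve(out_if, ip)
        except ResolveError as exc:
            outcome[ifname] = str(exc)
    return outcome


if __name__ == "__main__":
    print("global key:       ", simulate(per_interface=False))
    print("per-interface key:", simulate(per_interface=True))
```

Run as a script it prints both outcomes side by side: with the global key the second VLAN's client cannot be resolved, with the per-interface key both clients get their own MAC even though they share an address.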