From owner-freebsd-net@FreeBSD.ORG Wed May 3 08:08:38 2006
From: .@babolo.ru
To: Jonathan Feally
Cc: freebsd-net@freebsd.org
Date: Wed, 3 May 2006 12:16:58 +0400 (MSD)
Subject: Re: Having a problem with getting ipfw fwd to work with vlans and bge - 6.1-RC1 amd64
In-Reply-To: <44565E41.2080905@netvulture.com>
Message-Id: <1146644218.976446.80586.nullmailer@cicuta.babolo.ru>
List-Id: Networking and TCP/IP with FreeBSD

> Hello,
> I have set up a new firewall and I'm having trouble with it. Perhaps the
> bge is to blame, perhaps it's something else.
> I'll explain my setup, problem and the workaround to get it going.
>
> Box connects to 2 internal LANs and 2 external WANs.
>
> Vlans are mixed untagged and tagged on a single bge0
>
> Vlan  Network             Desc
> 1     10.255.1.0/24       Admin Lan - No Vlan Tagging
> 2     10.255.2.0/24       VoIP Lan
> 900   67.xxx.xxx.128/27   Internet A - Default Route - Going to be pure
>                           VoIP only - thus 10.255.2 boxes get 1:1 NAT to 67.xxx.xxx
> 902   208.xxx.xxx.48/28   Internet B - Web Services
>
> 1st problem I ran into was pings from vlan 2 through natd to vlan 900
> were not coming back. I could see the packet enter vlan2, leave and
> return on vlan900, but go nowhere. I tried a tcpdump on bge0 and the
> pings started coming back, leading me to put promisc on bge0 via ifconfig.
>
> Now I'm trying to set up a simple web server on an IP from vlan 902 in
> combination with fwd rule # 999 to route packets from a vlan902 address
> back to the router on that internet connection. I try to ping from the
> outside and can see the icmp echo request. But the replies keep getting
> sent out vlan900 to the other internet router.
>
> Hopefully somebody can point me in the right direction. If it's the bge,
> then I can replace it with some em. If it's an issue with mixing native
> vlan and tagged, I can tag everything. If it's not me, then who can help
> get the code fixed?
>
> I have put my ifconfig, ipfw rules and natd.conf files below.

Don't know about FreeBSD 6; in FreeBSD 4 you need mtu = 1504 for mtu = 1500
on vlans to work. This is a reason not to mix tagged/untagged on one bge.

> Thanks -Jon
>
> ---------------------------------------------------------
>
> [root@t3031fw ~]# ifconfig -a
> bge0: flags=28943 mtu 1500
>         options=18
>         inet6 fe80::215:f2ff:fed0:d898%bge0 prefixlen 64 scopeid 0x1
>         inet 10.255.1.254 netmask 0xffffff00 broadcast 10.255.1.255
>         ether 00:15:f2:d0:d8:98
>         media: Ethernet autoselect (100baseTX )
>         status: active
> bge1: flags=8802 mtu 1500
>         options=1b
>         ether 00:15:f2:40:d8:35
>         media: Ethernet autoselect (none)
>         status: no carrier
> plip0: flags=108810 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet 127.0.0.1 netmask 0xff000000
> vlan2: flags=8843 mtu 1500
>         inet6 fe80::215:f2ff:fed0:d898%vlan2 prefixlen 64 scopeid 0x5
>         inet 10.255.2.1 netmask 0xffffff00 broadcast 10.255.2.255
>         ether 00:15:f2:d0:d8:98
>         media: Ethernet autoselect (100baseTX )
>         status: active
>         vlan: 2 parent interface: bge0
> vlan900: flags=8843 mtu 1500
>         ...
>         ether 00:15:f2:d0:d8:98
>         media: Ethernet autoselect (100baseTX )
>         status: active
>         vlan: 900 parent interface: bge0
> vlan902: flags=8843 mtu 1500
>         inet6 fe80::215:f2ff:fed0:d898%vlan902 prefixlen 64 scopeid 0x7
>         ...
>         ether 00:15:f2:d0:d8:98
>         media: Ethernet autoselect (100baseTX )
>         status: active
>         vlan: 902 parent interface: bge0
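The MTU rule given in the reply (a tagged vlan at mtu 1500 needs its parent at 1504) can be checked mechanically against `ifconfig -a` output. The script below is an added example, not code from the thread; it assumes the ifconfig line layout quoted above and a constructed sample modelled on it, and treats the 4-byte 802.1Q overhead as a parameter, since whether a given driver and release needs it on the parent is for the reader to confirm.

```python
import re

# Constructed sample, modelled on the ifconfig -a output quoted in the thread
# (addresses trimmed): untagged parent bge0 at mtu 1500 carrying tagged vlans at mtu 1500.
SAMPLE_IFCONFIG = """\
bge0: flags=28943 mtu 1500
\tinet 10.255.1.254 netmask 0xffffff00 broadcast 10.255.1.255
\tether 00:15:f2:d0:d8:98
vlan2: flags=8843 mtu 1500
\tinet 10.255.2.1 netmask 0xffffff00 broadcast 10.255.2.255
\tvlan: 2 parent interface: bge0
vlan900: flags=8843 mtu 1500
\tvlan: 900 parent interface: bge0
"""

IFACE_RE = re.compile(r"^(\S+): flags=\S+ mtu (\d+)")
VLAN_RE = re.compile(r"^\s+vlan: (\d+) parent interface: (\S+)")


def parse_ifconfig(text):
    """Return {name: {"mtu": int, "tag": int|None, "parent": str|None}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:  # start of a new interface block
            current = m.group(1)
            ifaces[current] = {"mtu": int(m.group(2)), "tag": None, "parent": None}
            continue
        m = VLAN_RE.match(line)
        if m and current:  # vlan membership line belongs to the current block
            ifaces[current]["tag"] = int(m.group(1))
            ifaces[current]["parent"] = m.group(2)
    return ifaces


def check_vlan_mtus(ifaces, tag_overhead=4):
    """List (vlan, parent, reason) where the parent cannot carry vlan mtu + tag."""
    problems = []
    for name, info in ifaces.items():
        if info["parent"] is None:
            continue  # not a vlan child
        parent = ifaces.get(info["parent"])
        if parent is None:
            problems.append((name, info["parent"], "parent interface not found"))
            continue
        needed = info["mtu"] + tag_overhead
        if parent["mtu"] < needed:
            problems.append((name, info["parent"], f"parent mtu {parent['mtu']} < {needed}"))
    return problems
```

Feed it the real output with `parse_ifconfig(open("ifconfig.txt").read())`; an empty result from `check_vlan_mtus` means every vlan parent has the headroom the reply describes.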