From owner-freebsd-current@freebsd.org Sun Jul 2 11:40:11 2017
Date: Sun, 2 Jul 2017 13:40:01 +0200
From: "Hartmann, O." <ohartmann@walstatt.org>
To: FreeBSD CURRENT <freebsd-current@freebsd.org>
Subject: static routes on VLAN on CURRENT
Message-ID: <20170702133957.1f337a2e@hermann>
Organization: walstatt.org
List-Id: Discussions about the use of FreeBSD-current

Fiddling around with a self-brewed router/firewall based on 12-CURRENT and
ipfw, I ran into problems when setting up a trunk port with different VLANs
and static routes.

The "router" has three NICs, igb0, igb1, igb2 (it is de facto an APU 2C4
from PCengines). igb0 is attached to an external VDSL2+ modem and not
connected at the moment. igb2 is also not connected yet. igb1 bears several
VLANs: 2, 10, 100 (igb1.2, igb1.10 ...) and the "native", untagged LAN (on
igb1).

There is no default route set, but even with the ISP's network active and
igb0/tun0 configured via ppp, with tun0 attached to the address obtained from
the ISP and set as the default route, the problem I try to describe persists
and is the same with or without the default route.

On igb1.2 (VLAN tag 2) I want to run an Asterisk PBX (that is the main goal).
The interface is attached with the IP 192.168.2.1. The NIC is attached to a
VLAN-capable switch, and VLAN 2 is for VoIP telephones.
To avoid using a routing daemon, given the small size of my network, I
decided to use static routes. In rc.conf I placed the following variables:

    static_routes="igb1.2 igb1.10"
    route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
    route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"

igb1 is assigned the IP/net 192.168.0.1/24.

netstat -Warn gives me (as a dummy, since I have no direct access to the box
via serial console from the system I write this mail on):

    Internet:
    Destination        Gateway    Flags    Use      Mtu    Netif
    127.0.0.1          link#3     UH       334564   16384  lo0
    192.168.0.0/24     link#4     U        23452    1500   igb1
    192.168.0.1        link#4     UHS      29734    16384  lo0
    192.168.2.0/24     link#5     U        271      1500   igb1.2
    192.168.2.1        link#5     UHS      0        16384  lo0

For readability, the Expire column has been omitted.

Since I use some tuning and security advisories for advanced settings, for
the tests they were disabled or reset to FreeBSD's defaults, i.e. blackhole
etc. gateway_enable="YES" is set; I checked the sysctl also. Further,
icmp_drop_redirect="NO" and "net.inet.ip.forwarding=0". I basically followed
chapter 30.2 "Gateways and Routes" of the recent handbook, in addition to the
FreeBSD wiki page "NetworkPerformanceTuning".

From the routing device itself, it is possible to ssh into a VoIP client
attached to the switch to which igb1.2 trunks the net. Pinging is also
possible.

Attached to igb1 is the 192.168.0.1/24 network with a bunch of hosts. From
any host within this network it is possible to ping the 192.168.2.0/24
network and the hosts within it, but no SSH, no web (80, 443).

Since my IPFW setup is a catastrophe, I switched it off (ipfw firewall
disable) in combination with setting "net.inet.ip.fw.default_to_accept=1".
So this should ensure that anything passes the ipfw. But the result is still
the same.

What am I doing wrong here? Is inter-VLAN routing in FreeBSD CURRENT even
possible? My knowledge about routing is limited.
The handbook covers only the simplest examples, and from the perspective of
those simple examples VLAN static routing should be very similar. Regarding
chapter 30.2 and the example of multiple (two) routers separating the
network, the router with multiple "NICs/VLANs" is very much the same, except
that in the example shown in 30.2 the routing devices have two NICs, while in
my case there is only one "backend" to all NICs.

What is wrong in my logic?

Thanks for your patience,
kind regards
Oliver
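As an added example (not part of the mail above, and not FreeBSD's own tooling), the script below audits the two things an inter-VLAN router on FreeBSD needs before any firewall question arises: the rc.conf gateway_enable setting must agree with the live net.inet.ip.forwarding sysctl (the kernel forwards nothing between igb1 and igb1.2 while that sysctl is 0), and every VLAN listed in static_routes must actually have a connected route on its interface in the routing table. The rc.conf fragment, sysctl output and netstat table are constructed samples modelled on the figures in the mail; the function names (rc_value, sysctl_value, route_netif, forwarding_consistent, vlan_route_ok, audit) are this example's own. On a real box the three captured strings would be replaced by `cat /etc/rc.conf`, `sysctl -a` and `netstat -rn` output.

```shell
#!/bin/sh
# Added example: audit an rc.conf fragment, sysctl output and a netstat -rn
# table for the conditions an inter-VLAN router needs. All inputs are
# constructed samples modelled on the mailing-list post, not captured data.

# Constructed rc.conf fragment (values mirror the mail; ifconfig lines assumed).
RC_CONF='
gateway_enable="YES"
ifconfig_igb1="inet 192.168.0.1/24"
vlans_igb1="2 10 100"
ifconfig_igb1_2="inet 192.168.2.1/24"
ifconfig_igb1_10="inet 192.168.10.1/24"
static_routes="igb1.2 igb1.10"
route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
'

# Constructed sysctl(8) output in its "name: value" form.
SYSCTL_OUT='
net.inet.ip.forwarding: 0
net.inet.ip.fw.default_to_accept: 1
'

# Constructed "netstat -rn" table (Use, Mtu and Expire columns omitted).
NETSTAT_OUT='
Destination        Gateway            Flags     Netif
127.0.0.1          link#3             UH        lo0
192.168.0.0/24     link#4             U         igb1
192.168.0.1        link#4             UHS       lo0
192.168.2.0/24     link#5             U         igb1.2
192.168.2.1        link#5             UHS       lo0
'

# rc_value VAR: print the unquoted value of VAR from the rc.conf fragment.
rc_value() {
    printf '%s\n' "$RC_CONF" | sed -n "s/^$1=\"\(.*\)\"$/\1/p"
}

# sysctl_value NAME: print the value of NAME from the captured sysctl output.
sysctl_value() {
    printf '%s\n' "$SYSCTL_OUT" | sed -n "s/^$1: *//p"
}

# route_netif NET: print the interface the routing table uses for NET
# (empty when NET has no route at all).
route_netif() {
    printf '%s\n' "$NETSTAT_OUT" | awk -v net="$1" '$1 == net { print $4 }'
}

# forwarding_consistent: succeed only when gateway_enable and the live
# net.inet.ip.forwarding sysctl agree. YES in rc.conf with the sysctl at 0
# means the kernel will not route between the VLANs until it is set to 1.
forwarding_consistent() {
    want=$(rc_value gateway_enable)
    have=$(sysctl_value net.inet.ip.forwarding)
    case "$want:$have" in
        YES:1|NO:0) return 0 ;;
        *)          return 1 ;;
    esac
}

# vlan_route_ok NET IFACE: succeed when NET is routed via IFACE.
vlan_route_ok() {
    [ "$(route_netif "$1")" = "$2" ]
}

# audit: print one line per check; succeed only if every check passes.
audit() {
    rc=0
    if forwarding_consistent; then
        echo "forwarding: ok"
    else
        echo "forwarding: gateway_enable=$(rc_value gateway_enable) but net.inet.ip.forwarding=$(sysctl_value net.inet.ip.forwarding)"
        rc=1
    fi
    # Each interface named in static_routes has a route_<iface> variable whose
    # second word is the destination network; dots become underscores.
    for iface in $(rc_value static_routes); do
        var="route_$(printf '%s' "$iface" | tr . _)"
        net=$(rc_value "$var" | awk '{ print $2 }')
        if vlan_route_ok "$net" "$iface"; then
            echo "$net via $iface: ok"
        else
            echo "$net via $iface: no route on $iface (from $var)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: with the sample data both the forwarding check and the
# igb1.10 route check fail, so the audit reports problems.
if audit; then
    echo "all checks passed"
else
    echo "audit found problems"
fi
```

With the sample data the script flags two things: gateway_enable="YES" while net.inet.ip.forwarding is 0, and 192.168.10.0/24 having no entry in the routing table although igb1.10 is listed in static_routes. The 192.168.2.0/24 entry already present is the connected (link#5) route that assigning an address with a netmask to igb1.2 creates on its own; the explicit -interface route for it is redundant rather than wrong.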