Date: Sun, 2 Jul 2017 14:39:34 +0200
From: Milan Obuch <freebsd-current@dino.sk>
To: ohartmann@walstatt.org
Cc: freebsd-current@freebsd.org
Subject: Re: static routes on VLAN on CURRENT
Message-ID: <20170702143934.2bbcc98a@zeta.dino.sk>
In-Reply-To: <20170702133957.1f337a2e@hermann>
References: <20170702133957.1f337a2e@hermann>
On Sun, 2 Jul 2017 13:40:01 +0200
"Hartmann, O." <ohartmann@walstatt.org> wrote:

[ snip ]

> On igb1.2 (vlan tag 2) I want to run an asterisk PBX (that is the main
> goal). The interface is attached with the IP 192.168.2.1. The NIC is
> attached to a VLAN capable switch and VLAN 2 is for VoIP telephones.
>
> To not use a routing daemon due to the small size of my network, I
> decided to use static routes; in rc.conf I placed the following
> variables:
>
> static_routes="igb1.2 igb1.10"
> route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
> route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
>
> igb1 is assigned to IP/NET 192.168.0.1/24
>
> netstat -Warn gives me (as dummy, since I have no direct access to the
> box via serial console from the system I write this mail):
>
> Internet:
> Destination        Gateway   Flags     Use    Mtu  Netif
> 127.0.0.1          link#3    UH     334564  16384  lo0
> 192.168.0.0/24     link#4    U       23452   1500  igb1
> 192.168.0.1        link#4    UHS     29734  16384  lo0
> 192.168.2.0/24     link#5    U         271   1500  igb1.2
> 192.168.2.1        link#5    UHS         0  16384  lo0
>

I think you did not include network 192.168.10.0/24 on igb1.10...

> For readability, the Expire column has been avoided.
>
> Since I use some tuning and security advisories for advanced settings,
> for the tests they were disabled or reset to FreeBSD's defaults, i.e.
> blackhole etc.
>
> gateway_enable="YES" is set, I checked the sysctl also. Further,
> icmp_drop_redirect="NO" and "net.inet.ip.forwarding=0". I followed
> basically chapter 30.2 "Gateways and routes" of the recent handbook in
> addition to the Wiki "NetworkPerformanceTuning" of FreeBSD's.
>

This is kind of a contradiction here - if you have the line
gateway_enable="YES" in /etc/rc.conf, then you should have
net.inet.ip.forwarding=1 set after system boot. If you edited
/etc/rc.conf, the setting will be activated after reboot.
> From the routing device itself, it is possible to ssh into a VoIP
> client attached to the switch to which igb1.2 trunks the net. Pinging
> is also possible.
>
> Attached to igb1 is the 192.168.0.1/24 network with a bunch of hosts.
> From any host within this network it is possible to ping the
> 192.168.2.0/24 network and its hosts within, but no SSH, no web (80,
> 443).
>

Weird - if icmp (ping) works and tcp (web, ssh) not, something is
filtering traffic. But with net.inet.ip.forwarding=0, even pinging a
host should not work. Try tcpdump to see what's going on.

> Since my IPFW setup is a catastrophe, I switched it off (ipfw firewall
> disable) in combination with setting
> "net.inet.ip.fw.default_to_accept=1". So, this should ensure that
> anything is passed by the ipfw. But the result is still the same. What am
> I doing wrong here? Is inter VLAN routing in FreeBSD CURRENT even
> possible?
>

From a network architecture view, there is no difference - a vlan is a
network interface just like physical ethernet. Basically everything is
the same (sometimes there is an issue with mtu, but this is hardware
dependent).

Regards,
Milan
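The two things the reply above checks by eye, a VLAN subnet with no entry in the routing table and gateway_enable="YES" in rc.conf while net.inet.ip.forwarding still reads 0, can be checked with a small script. The following is an added example, not code from the thread or from FreeBSD; the routing table it contains is constructed from the figures quoted above, and the helper names (missing_routes, forwarding_state, audit) are this example's own. On a live box the same functions take the output of netstat -rn -f inet, sysrc -n gateway_enable and sysctl -n net.inet.ip.forwarding; a stale state is cleared immediately with sysctl net.inet.ip.forwarding=1 (or by a reboot, as the reply says).

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: offline checks for the
# two things the reply points at, a VLAN subnet with no route in the table and
# gateway_enable="YES" in rc.conf while net.inet.ip.forwarding is still 0.
# All inputs are plain text, so the functions take either the figures quoted in
# the thread or live command output.

# Constructed routing table in the shape of 'netstat -rn -f inet' output, using
# the figures quoted in the thread. 192.168.10.0/24 (igb1.10) is absent on purpose.
SAMPLE_ROUTES='Destination        Gateway   Flags     Use    Mtu  Netif
127.0.0.1          link#3    UH     334564  16384  lo0
192.168.0.0/24     link#4    U       23452   1500  igb1
192.168.0.1        link#4    UHS     29734  16384  lo0
192.168.2.0/24     link#5    U         271   1500  igb1.2
192.168.2.1        link#5    UHS         0  16384  lo0'

# The subnets the thread's rc.conf expects on each VLAN interface ("iface network").
EXPECTED_NETS='igb1.2 192.168.2.0/24
igb1.10 192.168.10.0/24'

# missing_routes ROUTES_TEXT EXPECTED_TEXT
# Prints "iface network" for every expected network that has no route over that
# interface. The interface is matched in any column, so output with or without
# the Expire column works.
missing_routes() {
	routes=$1
	printf '%s\n' "$2" | while read -r iface net; do
		[ -n "$iface" ] || continue
		if ! printf '%s\n' "$routes" | awk -v n="$net" -v i="$iface" '
			$1 == n { for (k = 2; k <= NF; k++) if ($k == i) found = 1 }
			END { exit found ? 0 : 1 }'; then
			printf '%s %s\n' "$iface" "$net"
		fi
	done
}

# forwarding_state GATEWAY_ENABLE FORWARDING
# GATEWAY_ENABLE is the rc.conf value (e.g. from 'sysrc -n gateway_enable'),
# FORWARDING the live value of 'sysctl -n net.inet.ip.forwarding'. Prints:
#   ok     - rc.conf says YES and the kernel forwards
#   stale  - rc.conf says YES but the kernel still says 0: rc.conf was edited and
#            neither a reboot nor 'sysctl net.inet.ip.forwarding=1' has applied it
#   manual - rc.conf says NO but the kernel forwards: set by hand, lost at reboot
#   off    - forwarding between interfaces is disabled, consistently
forwarding_state() {
	ge=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
	case "$ge:$2" in
		yes:1|true:1|on:1|1:1) echo ok ;;
		yes:0|true:0|on:0|1:0) echo stale ;;
		*:1) echo manual ;;
		*) echo off ;;
	esac
}

# audit ROUTES_TEXT EXPECTED_TEXT GATEWAY_ENABLE FORWARDING IPFW_ENABLE
# Prints one line per finding and returns the number of findings (0 = clean).
# IPFW_ENABLE is 'sysctl -n net.inet.ip.fw.enable' (present only when the ipfw
# module is loaded); when it is 1 the ruleset is still consulted for every packet.
audit() {
	problems=0
	missing=$(missing_routes "$1" "$2")
	if [ -n "$missing" ]; then
		printf '%s\n' "$missing" | while read -r line; do
			printf 'no route for %s\n' "$line"
		done
		n=$(printf '%s\n' "$missing" | wc -l | tr -d ' ')
		problems=$((problems + n))
	fi
	state=$(forwarding_state "$3" "$4")
	if [ "$state" != ok ]; then
		printf 'forwarding: %s (gateway_enable=%s, net.inet.ip.forwarding=%s)\n' \
			"$state" "$3" "$4"
		problems=$((problems + 1))
	fi
	if [ "$5" = 1 ]; then
		printf 'ipfw is enabled: packets are still filtered by the ruleset\n'
		problems=$((problems + 1))
	fi
	return "$problems"
}

# Run against the figures from the thread: reports the missing igb1.10 route and
# the stale forwarding setting, and exits non-zero.
audit "$SAMPLE_ROUTES" "$EXPECTED_NETS" YES 0 0
```

On the router itself the call is `audit "$(netstat -rn -f inet)" "$EXPECTED_NETS" "$(sysrc -n gateway_enable)" "$(sysctl -n net.inet.ip.forwarding)" "$(sysctl -n net.inet.ip.fw.enable)"`, with EXPECTED_NETS edited to match the local static_routes entries. A "stale" result is exactly the situation described in the thread: rc.conf has been edited, but the running kernel has not picked the change up, so nothing is forwarded between igb1 and igb1.2 whatever the routing table says.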
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170702143934.2bbcc98a>