From: Milan Obuch
To: ohartmann@walstatt.org
Cc: freebsd-current@freebsd.org
Date: Sun, 2 Jul 2017 14:39:34 +0200
Subject: Re: static routes on VLAN on CURRENT
Message-ID: <20170702143934.2bbcc98a@zeta.dino.sk>
In-Reply-To: <20170702133957.1f337a2e@hermann>

On Sun, 2 Jul 2017 13:40:01 +0200
"Hartmann, O." wrote:

[ snip ]

> On igb1.2 (vlan tag 2) I want to run an asterisk PBX (that is the main
> goal). The interface is attached with the IP 192.168.2.1. The NIC is
> attached to a VLAN capable switch and VLAN 2 is for VoIP telephones.
>
> To not use a routing daemon due to the small size of my network, I
> decided to use static routes; in rc.conf I placed the following
> variables:
>
> static_routes="igb1.2 igb1.10"
> route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
> route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
>
> igb1 is assigned to IP/NET 192.168.0.1/24
>
> netstat -Warn gives me (as dummy, since I have no direct access to the
> box via serial console from the system I write this mail):
>
> Internet:
> Destination        Gateway    Flags   Use     Mtu    Netif
> 127.0.0.1          link#3     UH      334564  16384  lo0
> 192.168.0.0/24     link#4     U       23452   1500   igb1
> 192.168.0.1        link#4     UHS     29734   16384  lo0
> 192.168.2.0/24     link#5     U       271     1500   igb1.2
> 192.168.2.1        link#5     UHS     0       16384  lo0

I think you did not include network 192.168.10.0/24 on igb1.10...

> For readability, the Expire column has been avoided.
>
> Since I use some tuning and security advisories for advanced settings,
> for the tests they were disabled or reset to FreeBSD's defaults, i.e.
> blackhole etc.
>
> gateway_enable="YES" is set, I checked the sysctl also. Further,
> icmp_drop_redirect="NO" and "net.inet.ip.forwarding=0". I followed
> basically chapter 30.2 "Gateways and routes" of the recent handbook in
> addition to the Wiki "NetworkPerformanceTuning" of FreeBSD's.

This is kind of a contradiction here - if you have the line
gateway_enable="YES" in /etc/rc.conf, then you should have
net.inet.ip.forwarding=1 set after system boot. If you edited
/etc/rc.conf, the setting will be activated after reboot.

> From the routing device itself, it is possible to ssh into a VoIP
> client attached to the switch to which igb1.2 trunks the net. Pinging
> is also possible.
>
> Attached to igb1 is the 192.168.0.1/24 network with a bunch of hosts.
> From any host within this network it is possible to ping the
> 192.168.2.0/24 network and its hosts within, but no SSH, no web (80,
> 443).

Weird - if icmp (ping) works and tcp (web, ssh) does not, something is
filtering traffic. But with net.inet.ip.forwarding=0, even pinging a
host should not work. Try tcpdump to see what's going on.

> Since my IPFW setup is a catastrophe, I switched it off (ipfw firewall
> disable) in combination with setting
> "net.inte.ip.fw.default_to_accept=1". So, this should ensure that
> anything is passed by ipfw. But the result is still the same. What am
> I doing wrong here? Is inter VLAN routing in FreeBSD CURRENT even
> possible?

From the network architecture view, there is no difference - vlan is a
network interface just like physical ethernet. Basically everything is
the same (sometimes there is an issue with mtu, but this is hardware
dependent).

Regards,
Milan
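An added example, not part of the thread, that checks offline for the two misconfigurations Milan points out: gateway_enable="YES" in rc.conf while the live net.inet.ip.forwarding sysctl is still 0, and a route_<if> entry from static_routes that never made it into the routing table. It runs over constructed copies of the poster's rc.conf, sysctl output and netstat table; the file contents and the helper names check_forwarding and missing_static_routes are assumptions.

```shell
#!/bin/sh
# Added example: consistency checks for a FreeBSD inter-VLAN router config.
# Inputs are constructed here; on a real box feed in the actual outputs.

# Constructed rc.conf fragment, modelled on the one quoted in the thread.
RC_CONF='gateway_enable="YES"
static_routes="igb1.2 igb1.10"
route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"'

# Constructed "sysctl net.inet.ip.forwarding" output (value the poster reported).
SYSCTL_OUT='net.inet.ip.forwarding: 0'

# Constructed "netstat -Warn" table, as quoted in the thread (Expire column dropped).
NETSTAT_OUT='Internet:
Destination        Gateway    Flags   Use     Mtu    Netif
127.0.0.1          link#3     UH      334564  16384  lo0
192.168.0.0/24     link#4     U       23452   1500   igb1
192.168.0.1        link#4     UHS     29734   16384  lo0
192.168.2.0/24     link#5     U       271     1500   igb1.2
192.168.2.1        link#5     UHS     0       16384  lo0'

# Prints "forwarding-mismatch" when rc.conf asks for a gateway but the running
# kernel has forwarding off (rc.conf only takes effect at boot), else "ok".
check_forwarding() {
    want=$(printf '%s\n' "$1" | sed -n 's/^gateway_enable="\([A-Za-z]*\)".*/\1/p' | tr 'a-z' 'A-Z')
    have=$(printf '%s\n' "$2" | sed -n 's/^net\.inet\.ip\.forwarding: *\([01]\).*/\1/p')
    if [ "$want" = "YES" ] && [ "$have" != "1" ]; then
        echo "forwarding-mismatch"
    else
        echo "ok"
    fi
}

# Prints "NET IF" for every route_<if>="-net NET -interface IF" line in rc.conf
# that has no matching "NET ... IF" row in the routing table.
missing_static_routes() {
    printf '%s\n' "$1" | sed -n 's/^route_[A-Za-z0-9_]*="-net \([0-9./]*\) -interface \([A-Za-z0-9.]*\)".*/\1 \2/p' |
    while read -r net ifc; do
        if ! printf '%s\n' "$2" | awk -v n="$net" -v i="$ifc" '$1 == n && $NF == i { found = 1 } END { exit !found }'; then
            echo "$net $ifc"
        fi
    done
}

check_forwarding "$RC_CONF" "$SYSCTL_OUT"        # forwarding-mismatch
missing_static_routes "$RC_CONF" "$NETSTAT_OUT"  # 192.168.10.0/24 igb1.10
```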