From owner-freebsd-current@freebsd.org Sun Jul 2 18:13:55 2017
Date: Sun, 2 Jul 2017 20:13:49 +0200
From: "Hartmann, O." <o.hartmann@walstatt.org>
To: Milan Obuch
Cc: ohartmann@walstatt.org, freebsd-current@freebsd.org
Subject: Re: static routes on VLAN on CURRENT
Message-ID: <20170702201344.274eb23d@hermann>
In-Reply-To: <20170702143934.2bbcc98a@zeta.dino.sk>
References: <20170702133957.1f337a2e@hermann> <20170702143934.2bbcc98a@zeta.dino.sk>
Organization: walstatt.org

On Sun, 2 Jul 2017 14:39:34 +0200
Milan Obuch wrote:

> On Sun, 2 Jul 2017 13:40:01 +0200
> "Hartmann, O." wrote:
>
> [ snip ]
>
> > On igb1.2 (vlan tag 2) I want to run an asterisk PBX (that is the
> > main goal). The interface is attached with the IP 192.168.2.1. The
> > NIC is attached to a VLAN capable switch and VLAN 2 is for VoIP
> > telephones.
> >
> > To not use a routing daemon due to the small size of my network, I
> > decided to use static routes; in rc.conf I placed the following
> > variables:
> >
> > static_routes="igb1.2 igb1.10"
> > route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
> > route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
> >
> > igb1 is assigned to IP/NET 192.168.0.1/24
> >
> > netstat -Warn gives me (as dummy, since I have no direct access to
> > the box via serial console from the system I write this mail):
> >
> > Internet:
> > Destination        Gateway   Flags     Use    Mtu  Netif
> > 127.0.0.1          link#3    UH     334564  16384  lo0
> > 192.168.0.0/24     link#4    U       23452   1500  igb1
> > 192.168.0.1        link#4    UHS     29734  16384  lo0
> > 192.168.2.0/24     link#5    U         271   1500  igb1.2
> > 192.168.2.1        link#5    UHS         0  16384  lo0
>
> I think you did not include network 192.168.10.0/24 on igb1.10...

I skipped that, it is quite the same according to the settings of the
others and unused for now. So it doesn't matter. But you're right.

> > For readability, the Expire column has been omitted.
> >
> > Since I use some tuning and security advisories for advanced
> > settings, for the tests they were disabled or reset to FreeBSD's
> > defaults, i.e. blackhole etc.
> >
> > gateway_enable="YES" is set, I checked the sysctl also. Further,
> > icmp_drop_redirect="NO" and "net.inet.ip.forwarding=0". I followed
> > basically chapter 30.2 "Gateways and routes" of the recent handbook
> > in addition to the Wiki "NetworkPerformanceTuning" of FreeBSD's.
> >
>
> This is kind of a contradiction here - if you have the line
>
> gateway_enable="YES"
>
> in /etc/rc.conf, then you should have
>
> net.inet.ip.forwarding=1
>
> set after system boot. If you edited /etc/rc.conf, the setting will be
> activated after reboot.

It is and it has always been - I confused it with net.inet.ip.redirect=0

> > From the routing device itself, it is possible to ssh into a VoIP
> > client attached to the switch to which igb1.2 trunks the net.
> > Pinging is also possible.
> >
> > Attached to igb1 is the 192.168.0.1/24 network with a bunch of
> > hosts. From any host within this network it is possible to ping the
> > 192.168.2.0/24 network and its hosts within, but no SSH, nor web
> > (80, 443).
> >
>
> Weird - if icmp (ping) works and tcp (web, ssh) not, something is
> filtering traffic. But with net.inet.ip.forwarding=0, even pinging a
> host should not work. Try tcpdump to see what's going on.

net.inet.ip.forwarding works as expected. See above, I confused the OID.

> > Since my IPFW setup is a catastrophe, I switched it off (ipfw
> > firewall disable) in combination with setting
> > "net.inte.ip.fw.default_to_accept=1". So, this should ensure that
> > anything passes the ipfw. But the result is still the same. What
> > am I doing wrong here? Is inter VLAN routing in FreeBSD CURRENT even
> > possible?
> >
>
> From a network architecture view, there is no difference - a vlan is a
> network interface just like physical ethernet. Basically everything is
> the same (sometimes there is an issue with mtu, but this is hardware
> dependent).

Yes, so I thought, but as you stated, something is filtering and I have
no clue what.

> Regards,
> Milan

Kind regards,
Oliver
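The thread turns on two consistency questions: does every static_routes element in rc.conf have a matching route_* variable and an installed route, and does gateway_enable="YES" agree with the live net.inet.ip.forwarding OID. The script below is an added example, not part of the thread; it audits constructed rc.conf, netstat -rn and sysctl samples modelled on the posted configuration (the function names and the sample data are my own).

```python
import re

# Constructed sample input modelled on the thread (not captured from the poster's box):
# an rc.conf fragment, netstat -rn output and the relevant sysctl values.
RC_CONF = '''
gateway_enable="YES"
static_routes="igb1.2 igb1.10"
route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
'''
NETSTAT_RN = '''
Destination        Gateway   Flags    Use    Mtu  Netif
192.168.0.0/24     link#4    U       23452   1500 igb1
192.168.2.0/24     link#5    U         271   1500 igb1.2
192.168.2.1        link#5    UHS         0  16384 lo0
'''
SYSCTL = {"net.inet.ip.forwarding": 0, "net.inet.ip.redirect": 0}

def parse_rc_conf(text):
    """Return {name: value} for simple name="value" assignments."""
    return dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))

def rc_var_for(elem):
    """rc.subr's get_if_var maps . - / + in an element name to '_' (igb1.2 -> route_igb1_2)."""
    return "route_" + re.sub(r"[.\-/+]", "_", elem)

def installed_routes(text):
    """Map destination -> Netif from netstat -rn rows (six columns, numeric destination)."""
    rows = [line.split() for line in text.splitlines()]
    return {r[0]: r[5] for r in rows if len(r) == 6 and r[0][0].isdigit()}

def audit(rc_text, netstat_text, sysctl):
    """Return findings; an empty list means rc.conf, routing table and sysctls agree."""
    rc = parse_rc_conf(rc_text)
    have = installed_routes(netstat_text)
    findings = []
    for elem in rc.get("static_routes", "").split():
        m = re.match(r"-net (\S+) -interface (\S+)", rc.get(rc_var_for(elem), ""))
        if not m:
            findings.append(f"{elem}: {rc_var_for(elem)} unset or not '-net X -interface Y'")
            continue
        dest, ifname = m.groups()
        if dest not in have:
            findings.append(f"{dest}: configured on {ifname} but absent from routing table")
        elif have[dest] != ifname:
            findings.append(f"{dest}: installed on {have[dest]}, rc.conf says {ifname}")
    # rc.conf is only read at boot; the live OID decides whether packets are forwarded
    if rc.get("gateway_enable") == "YES" and sysctl.get("net.inet.ip.forwarding") != 1:
        findings.append("gateway_enable=YES but net.inet.ip.forwarding != 1")
    return findings
```

On the sample data it reports the 192.168.10.0/24 route that the quoted table lacks and the gateway_enable/forwarding mismatch the thread discusses; feed it the real `netstat -rn` and `sysctl -n net.inet.ip.forwarding` output to check a live box.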