static routes on VLAN on CURRENT

From: Hartmann, O. <ohartmann_at_walstatt.org>
Date: Sun, 2 Jul 2017 13:40:01 +0200
Fiddling around with a self-brewed router/firewall based on 12-CURRENT
and ipfw, I ran into problems when setting up a trunk port with
different VLANs and static routes.

The "router" has three NICs, igb0, igb1, igb2 (it is de facto an APU
2C4 from PCengines). igb0 is attached to an external VDSL2+ Modem and
not connected at the moment. igb2 is also not connected yet.

igb1 bears several VLANs: 2, 10, 100 (igb1.2, igb1.10 ...) and the
"native", untagged LAN (on igb1). There is no default route set, but
even with the ISP's network active and igb0/tun0, via ppp
configuration, with tun0 attached to the address obtained by the ISP
and set as default route, the problem I try to describe persists and
is the same with or without the default route.

On igb1.2 (vlan tag 2) I want to run an asterisk PBX (that is the main
goal). The interface is attached with the IP 192.168.2.1. The NIC is
attached to a VLAN capable switch and VLAN 2 is for VoIP telephones.

To avoid a routing daemon, due to the small size of my network, I
decided to use static routes; in rc.conf I placed the following
variables:

static_routes="igb1.2 igb1.10"
route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"

igb1 is assigned to IP/NET 192.168.0.1/24

netstat -Warn gives me (as dummy, since I have no direct access to the
box via serial console from the system I write this mail):

Internet:
Destination      Gateway         Flags       Use    Mtu      Netif
127.0.0.1        link#3          UH       334564  16384        lo0
192.168.0.0/24   link#4          U         23452   1500       igb1 
192.168.0.1      link#4          UHS       29734  16384        lo0
192.168.2.0/24   link#5          U           271   1500       igb1.2 
192.168.2.1      link#5          UHS           0  16384        lo0

For readability, the Expire column has been avoided.

Since I use some tuning and security advisories for advanced settings,
for the tests they were disabled or reset to FreeBSD's defaults, i.e.
blackhole etc.

gateway_enable="YES" is set, I checked the sysctl also. Further,
icmp_drop_redirect="NO" and "net.inet.ip.forwarding=0". I followed
basically chapter 30.2 "Gateways and routes" of the recent handbook in
addition to the FreeBSD Wiki page "NetworkPerformanceTuning".

From the routing device itself, it is possible to ssh into a VoIP
client attached to the switch to which igb1.2 trunks the net. Pinging
is also possible.

Attached to igb1 is the 192.168.0.1/24 network with a bunch of hosts.
From any host within this network it is possible to ping the
192.168.2.0/24 network and the hosts within it, but no SSH, no web (80,
443).

Since my IPFW setup is a catastrophe, I switched it off (ipfw firewall
disable) in combination with setting
"net.inet.ip.fw.default_to_accept=1". So, this should ensure that
anything is passed by ipfw. But the result is still the same. What am
I doing wrong here? Is inter-VLAN routing in FreeBSD CURRENT even
possible?

My knowledge about routing is limited. The handbook covers only the
simplest examples, and from the perspective of those simple examples, VLAN
static routing should be very similar: referring to chapter 30.2 and
the example of multiple (two) routers separating the network, the
router with multiple "NICs/VLANs" is very much the same, except for the fact
that in the example shown in 30.2 the routing devices have two NICs
while in my case there is only one "backend" to all NICs.

What is wrong in my logic?

Thanks for your patience,

kind regards
Oliver
Received on Sun Jul 02 2017 - 09:40:11 UTC
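The mail lists three prerequisites for inter-VLAN forwarding on a FreeBSD router: gateway_enable must actually be reflected in net.inet.ip.forwarding, ipfw must be out of the way, and every network named in static_routes needs a connected route on its VLAN interface. The following POSIX shell script is an added example (not part of the original mail or of FreeBSD's rc scripts) that checks those three points against constructed sample output modelled on the mail; the rc.conf, sysctl and netstat text it parses is embedded as sample data, and on a real box the same functions can be fed the output of sysctl(8) and netstat -rn.

```shell
#!/bin/sh
# Constructed sample data modelled on the mail (not real output from the box).
SAMPLE_RCCONF='gateway_enable="YES"
static_routes="igb1.2 igb1.10"
route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"'

SAMPLE_SYSCTL='net.inet.ip.forwarding: 0
net.inet.ip.fw.enable: 0
net.inet.ip.fw.default_to_accept: 1'

SAMPLE_ROUTES='Destination      Gateway         Flags       Use    Mtu      Netif
127.0.0.1        link#3          UH       334564  16384        lo0
192.168.0.0/24   link#4          U         23452   1500       igb1
192.168.0.1      link#4          UHS       29734  16384        lo0
192.168.2.0/24   link#5          U           271   1500       igb1.2
192.168.2.1      link#5          UHS           0  16384        lo0'

# Value of an rc.conf variable $1 in text $2, quotes stripped; empty if unset.
rcvar() { printf '%s\n' "$2" | awk -F= -v k="$1" '$1==k {gsub(/"/,"",$2); print $2}'; }

# Value of sysctl $1 from "name: value" output in $2.
sysctl_val() { printf '%s\n' "$2" | awk -v k="$1:" '$1==k {print $2}'; }

# Succeeds if routing table $3 has a route for $1 flagged U whose Netif is $2.
route_on_iface() {
  printf '%s\n' "$3" | awk -v n="$1" -v i="$2" '$1==n && $3 ~ /U/ && $NF==i {f=1} END {exit !f}'
}

# gateway_enable="YES" only means something once net.inet.ip.forwarding reads 1.
forwarding_consistent() {
  [ "$(rcvar gateway_enable "$1")" = "YES" ] && [ "$(sysctl_val net.inet.ip.forwarding "$2")" = "1" ]
}

# Each name in static_routes must have a route_<name> entry (igb1.2 -> route_igb1_2,
# as in the mail) whose network shows up as a connected route on that VLAN interface.
check_static_routes() {
  rc=0
  for name in $(rcvar static_routes "$1"); do
    var="route_$(printf '%s' "$name" | tr '.-' '__')"
    net=$(rcvar "$var" "$1" | awk '{print $2}'); ifn=$(rcvar "$var" "$1" | awk '{print $4}')
    route_on_iface "$net" "$ifn" "$2" && echo "ok: $net on $ifn" || { echo "MISSING: $net on $ifn"; rc=1; }
  done
  return $rc
}

forwarding_consistent "$SAMPLE_RCCONF" "$SAMPLE_SYSCTL" && echo "forwarding: on" \
  || echo "forwarding: gateway_enable is YES but net.inet.ip.forwarding is not 1"
[ "$(sysctl_val net.inet.ip.fw.enable "$SAMPLE_SYSCTL")" = "0" ] && echo "ipfw: disabled"
check_static_routes "$SAMPLE_RCCONF" "$SAMPLE_ROUTES" || true
```

With the sample data the script reports the forwarding sysctl as inconsistent with gateway_enable and 192.168.10.0/24 as missing from the table, which are the two things a practitioner would want to rule out before suspecting the VLAN trunk itself.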

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:12 UTC