Re: static routes on VLAN on CURRENT

From: Hartmann, O. <o.hartmann_at_walstatt.org>
Date: Sun, 2 Jul 2017 20:13:49 +0200
On Sun, 2 Jul 2017 14:39:34 +0200
Milan Obuch <freebsd-current_at_dino.sk> wrote:

> On Sun, 2 Jul 2017 13:40:01 +0200
> "Hartmann, O." <ohartmann_at_walstatt.org> wrote:
> 
> [ snip ]
> 
> > On igb1.2 (vlan tag 2) I want to run an asterisk PBX (that is the
> > main goal). The interface is attached with the IP 192.168.2.1. The
> > NIC is attached to a VLAN capable switch and VLAN 2 is for VoIP
> > telephones.
> > 
> > To not use a routing daemon due to the small size of my network, I
> > decided to use static routes, in rc.conf I placed the following
> > variables:
> > 
> > static_routes="igb1.2 igb1.10"
> > route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
> > route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
> > 
> > igb1 is assigned to IP/NET 192.168.0.1/24
> > 
> > netstat -Warn gives me (as dummy, since I have no direct access to
> > the box via serial console from the system I write this mail):
> > 
> > Internet:
> > Destination      Gateway         Flags       Use    Mtu      Netif
> > 127.0.0.1        link#3          UH       334564  16384        lo0
> > 192.168.0.0/24   link#4          U         23452   1500       igb1 
> > 192.168.0.1      link#4          UHS       29734  16384        lo0
> > 192.168.2.0/24   link#5          U           271   1500     igb1.2
> > 192.168.2.1      link#5          UHS           0  16384        lo0
> 
> I think you did not include network 192.168.10.0/24 on igb1.10...

I skipped that, it is quite the same according to the settings of the
others and unused for now. So it doesn't matter. But you're right.

> 
> > For readability, the Expire column has been avoided.
> > 
> > Since I use some tuning and security advisories for advanced
> > settings, for the tests they were disabled or reset to FreeBSD's
> > defaults, i.e. blackhole etc.
> > 
> > gateway_enable="YES" is set, I checked the sysctl also. Further,
> > icmp_drop_redirect="NO" and "net.inet.ip.forwarding=0". I followed
> > basically chapter 30.2 "Gateways and routes" of the recent handbook
> > in addition to the Wiki "NetworkPerformanceTuning" of FreeBSD's.
> >  
> 
> This is kind of contradiction here - if you have line
> 
> gateway_enable="YES"
> 
> in /etc/rc.conf, then you should have set
> 
> net.inet.ip.forwarding=1
> 
> after system boot. If you edited /etc/rc.conf, setting will be
> activated after reboot.

It is and it has always been - I confused it with

net.inet.ip.redirect=0


> 
> > From the routing device itself, it is possible to ssh into a VoIP
> > client attached to the switch to which igb1.2 trunks the net.
> > Pinging is also possible.
> > 
> > Attached to igb1 is the 192.168.0.1/24 network with a bunch of
> > hosts. From any host within this network it is possible to ping the
> > 192.168.2.0/24 network and its hosts within, but no SSH, not web
> > (80, 443). 
> >  
> 
> Weird - if icmp (ping) works and tcp (web, ssh) not, something is
> filtering traffic. But with net.inet.ip.forwarding=0, even pinging
> host should not work. Try tcpdump to see what's going on. 

net.inet.ip.forwarding works as expected. See above, I confused the OID.

> 
> > Since my IPFW setup is a catastrophe, I switched it off (ipfw
> > firewall disable) in combination with setting
> > "net.inte.ip.fw.default_to_accept=1". So, this should ensure that
> > anything is passed the ipfw. But the result is still the same. What
> > am I doing wrong here? Is inter VLAN routing in FreeBSD CURRENT even
> > possible?
> >  
> 
> From network architecture view, there is no difference - vlan is
> network interface just like physical ethernet. Basically everything is
> the same (sometimes there is issue with mtu, but this hardware
> dependent).

Yes, so I thought, but as you stated, something is filtering and I have
no clue what.

> 
> Regards,
> 
> Milan

Kind regards,

Oliver
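The two things Milan points at (gateway_enable versus net.inet.ip.forwarding, and a static_routes entry with no matching line in the routing table) can be checked mechanically. The script below is an added example and is not part of the thread; it runs over constructed rc.conf, sysctl and netstat -rn text modelled on what was quoted above, and the variable names and helper functions are the example's own, not FreeBSD tooling.

```shell
#!/bin/sh
# Added example: cross-check rc.conf, live sysctl values and the routing
# table for the inconsistencies discussed in the thread. All input below
# is constructed sample data, not output from a real box.

# Constructed rc.conf fragment (the variables quoted in the mail).
RC_CONF='gateway_enable="YES"
static_routes="igb1.2 igb1.10"
route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"'

# Constructed output as `sysctl net.inet.ip.forwarding net.inet.ip.redirect`
# would print it on a forwarding host with redirects turned off.
SYSCTL_OUT='net.inet.ip.forwarding: 1
net.inet.ip.redirect: 0'

# Constructed IPv4 routing table in `netstat -rn` layout (Expire omitted).
ROUTES='Destination      Gateway         Flags   Netif
127.0.0.1        link#3          UH      lo0
192.168.0.0/24   link#4          U       igb1
192.168.0.1      link#4          UHS     lo0
192.168.2.0/24   link#5          U       igb1.2
192.168.2.1      link#5          UHS     lo0'

# rc_value NAME CONF: print the value of NAME="value" from CONF text.
rc_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\(.*\)\"$/\1/p"
}

# sysctl_value OID OUT: print the value of OID from sysctl output text.
sysctl_value() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p"
}

# check_forwarding CONF SYSCTL_OUT: succeed only when gateway_enable in
# rc.conf and the running net.inet.ip.forwarding value agree.
check_forwarding() {
    ge=$(rc_value gateway_enable "$1")
    fwd=$(sysctl_value net.inet.ip.forwarding "$2")
    case "$ge:$fwd" in
        YES:1|yes:1|NO:0|no:0|:0) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_routes CONF ROUTES: print "name destination" for every member of
# static_routes whose -net destination has no row in the routing table.
missing_routes() {
    for name in $(rc_value static_routes "$1"); do
        # rc.conf replaces '.' in the interface name with '_' in the variable.
        var="route_$(printf '%s' "$name" | tr '.' '_')"
        spec=$(rc_value "$var" "$1")
        dest=$(printf '%s\n' "$spec" | sed -n 's/.*-net \([^ ]*\).*/\1/p')
        if ! printf '%s\n' "$2" | grep -q "^$dest[[:space:]]"; then
            printf '%s %s\n' "$name" "$dest"
        fi
    done
}

# Report on the constructed data.
if check_forwarding "$RC_CONF" "$SYSCTL_OUT"; then
    echo "gateway_enable and net.inet.ip.forwarding agree"
else
    echo "MISMATCH: gateway_enable and net.inet.ip.forwarding disagree"
fi
missing_routes "$RC_CONF" "$ROUTES" | while read -r name dest; do
    echo "static route for $name ($dest) is not in the routing table"
done
```

On the sample data the forwarding check passes and the script reports igb1.10 / 192.168.10.0/24 as missing, which is the omission Milan noticed. On a real host the three heredoc variables would be replaced by `cat /etc/rc.conf`, `sysctl net.inet.ip.forwarding net.inet.ip.redirect` and `netstat -rn -f inet`.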
Received on Sun Jul 02 2017 - 16:13:55 UTC
