static routes on VLAN on CURRENT

Milan Obuch freebsd-current at dino.sk
Sun Jul 2 12:44:56 UTC 2017


On Sun, 2 Jul 2017 13:40:01 +0200
"Hartmann, O." <ohartmann at walstatt.org> wrote:

[ snip ]

> On igb1.2 (vlan tag 2) I want to run an asterisk PBX (that is the main
> goal). The interface is attached with the IP 192.168.2.1. The NIC is
> attached to a VLAN capable switch and VLAN 2 is for VoIP telephones.
> 
> To not use a routing daemon due to the small size of my network, I
> decided to use static routes, in rc.conf I placed the following
> variables:
> 
> static_routes="igb1.2 igb1.10"
> route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
> route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
> 
> igb1 is assigned to IP/NET 192.168.0.1/24
> 
> netstat -Warn gives me (as dummy, since I have no direct access to the
> box via serial console from the system I write this mail):
> 
> Internet:
> Destination      Gateway         Flags       Use    Mtu      Netif
> 127.0.0.1        link#3          UH       334564  16384        lo0
> 192.168.0.0/24   link#4          U         23452   1500       igb1 
> 192.168.0.1      link#4          UHS       29734  16384        lo0
> 192.168.2.0/24   link#5          U           271   1500       igb1.2 
> 192.168.2.1      link#5          UHS           0  16384        lo0
>

I think you did not include network 192.168.10.0/24 on igb1.10...

> For readability, the Expire column has been avoided.
> 
> Since I use some tuning and security advisories for advanced settings,
> for the tests they were disabled or reset to FreeBSD's defaults, i.e.
> blackhole etc.
> 
> gateway_enable="YES" is set, I checked the sysctl also. Further,
> icmp_drop_redirect="NO" and "net.inet.ip.forwarding=0". I followed
> basically chapter 30.2 "Gateways and routes" of the recent handbook in
> addition to the Wiki "NetworkPerformanceTuning" of FreeBSD's.
>

This is kind of a contradiction here - if you have the line

gateway_enable="YES"

in /etc/rc.conf, then you should have set

net.inet.ip.forwarding=1

after system boot. If you edited /etc/rc.conf, the setting will be
activated after reboot.

> From the routing device itself, it is possible to ssh into a VoIP
> client attached to the switch to which igb1.2 trunks the net. Pinging
> is also possible.
> 
> Attached to igb1 is the 192.168.0.1/24 network with a bunch of hosts.
> From any host within this network it is possible to ping the
> 192.168.2.0/24 network and its hosts within, but no SSH, not web (80,
> 443). 
>

Weird - if icmp (ping) works and tcp (web, ssh) does not, something is
filtering traffic. But with net.inet.ip.forwarding=0, even pinging a host
should not work. Try tcpdump to see what's going on.

> Since my IPFW setup is a catastrophe, I switched it off (ipfw firewall
> disable) in combination with setting
> "net.inte.ip.fw.default_to_accept=1". So, this should ensure that
> anything is passed the ipfw. But the result is still the same. What am
> I doing wrong here? Is inter VLAN routing in FreeBSD CURRENT even
> possible?
>

From a network architecture view, there is no difference - a vlan is a
network interface just like physical ethernet. Basically everything is
the same (sometimes there is an issue with mtu, but this is hardware
dependent).

Regards,

Milan
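The two things the reply points at (gateway_enable="YES" while net.inet.ip.forwarding stays 0, and a static_routes network that never shows up in the routing table) can be cross-checked mechanically. This is an added example, not code from the thread or from FreeBSD; it parses text passed in as arguments so it runs against constructed samples offline, and on a real box you would feed it the rc.conf file, `sysctl -n net.inet.ip.forwarding` and `netstat -rn -f inet` output instead.

```shell
#!/bin/sh
# Added example: check rc.conf routing settings against kernel state.

# Constructed rc.conf fragment mirroring the original post.
RC_CONF='gateway_enable="YES"
static_routes="igb1.2 igb1.10"
route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"'

# Constructed routing table as posted: 192.168.10.0/24 is absent.
NETSTAT='Destination      Gateway         Flags       Use    Mtu      Netif
127.0.0.1        link#3          UH       334564  16384        lo0
192.168.0.0/24   link#4          U         23452   1500       igb1
192.168.2.0/24   link#5          U           271   1500       igb1.2'

# rc_value <rc.conf text> <variable>: print the value without quotes.
rc_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}

# forwarding_consistent <rc.conf text> <net.inet.ip.forwarding value>:
# returns 0 when gateway_enable and the sysctl agree, 1 on a contradiction.
forwarding_consistent() {
    want=0
    [ "$(rc_value "$1" gateway_enable)" = "YES" ] && want=1
    [ "$want" -eq "$2" ]
}

# missing_routes <rc.conf text> <netstat -rn text>: print every -net from
# static_routes that has no matching Destination in the routing table.
# rc.d turns the dots of an interface name into underscores (igb1.2 ->
# route_igb1_2), so the same mapping is applied here.
missing_routes() {
    for name in $(rc_value "$1" static_routes); do
        var="route_$(printf '%s' "$name" | tr '.' '_')"
        net=$(rc_value "$1" "$var" | sed -n 's/.*-net \([^ ]*\).*/\1/p')
        [ -n "$net" ] || continue
        printf '%s\n' "$2" | awk -v n="$net" '$1 == n { f = 1 } END { exit !f }' \
            || echo "$net"
    done
}

# Demo against the constructed samples, with forwarding=0 as the poster reported.
forwarding_consistent "$RC_CONF" 0 \
    || echo "gateway_enable=YES but net.inet.ip.forwarding=0 (reboot or sysctl)"
missing_routes "$RC_CONF" "$NETSTAT" | sed 's/^/static route not in table: /'
```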

