Think I've found the problem!!
The vlans are created with the same mac as the parent interface. So even
though the rule is being hit, the src mac never changes, so the packet
then leaves the default interface. It sort of makes sense in my mind,
but definitely seems like we are matching packets to interfaces based upon
the src mac and dst ip's route. For the ipfw to have any effect we would
have to change the code that is doing the matching of the packets. I
also had to put the vlan into promisc all the time. Going to move back
to bge device tonight during off peak to make sure things are working
with changing the vlan macs.
-Jon
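The observation above (every vlan interface carrying the same ether address as its parent bge0) is something that can be checked mechanically from the `ifconfig -a` listing quoted further down. The following is an added example, not code from the thread or from FreeBSD: a small parser for that listing that reports which vlan interfaces share their parent's MAC, and which interfaces have PROMISC set. The sample input is the listing posted in this thread, with the wrapped bge0 header rejoined and the poster's "..." elisions dropped; the regexes assume FreeBSD 6-era `ifconfig` output formatting.

```python
import re

# Constructed sample: the `ifconfig -a` listing posted in this thread, with
# the wrapped bge0 header rejoined and the poster's "..." elisions dropped.
SAMPLE_IFCONFIG = """\
bge0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> mtu 1500
        options=18<VLAN_MTU,VLAN_HWTAGGING>
        inet 10.255.1.254 netmask 0xffffff00 broadcast 10.255.1.255
        ether 00:15:f2:d0:d8:98
bge1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        ether 00:15:f2:40:d8:35
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.255.2.1 netmask 0xffffff00 broadcast 10.255.2.255
        ether 00:15:f2:d0:d8:98
        vlan: 2 parent interface: bge0
vlan900: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:15:f2:d0:d8:98
        vlan: 900 parent interface: bge0
vlan902: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:15:f2:d0:d8:98
        vlan: 902 parent interface: bge0
"""

# Assumed line shapes for FreeBSD-style ifconfig output.
HEADER_RE = re.compile(r"^(\w+):\s+flags=[0-9a-f]+<([^>]*)>", re.I)
ETHER_RE = re.compile(r"^\s+ether\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
VLAN_RE = re.compile(r"^\s+vlan:\s+(\d+)\s+parent interface:\s+(\w+)")


def parse_ifconfig(text):
    """Parse `ifconfig -a` output into a dict keyed by interface name.

    Each value is {"flags": set, "ether": str|None, "vlan": int|None,
    "parent": str|None}.
    """
    ifaces = {}
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"flags": set(m.group(2).split(",")),
                           "ether": None, "vlan": None, "parent": None}
            continue
        if cur is None:
            continue  # ignore anything before the first interface header
        m = ETHER_RE.match(line)
        if m:
            ifaces[cur]["ether"] = m.group(1).lower()
            continue
        m = VLAN_RE.match(line)
        if m:
            ifaces[cur]["vlan"] = int(m.group(1))
            ifaces[cur]["parent"] = m.group(2)
    return ifaces


def shared_mac_vlans(ifaces):
    """Return sorted (vlan_if, parent_if, mac) for vlan interfaces whose
    MAC equals their parent's MAC, the condition described in the thread."""
    hits = []
    for name, info in ifaces.items():
        parent = info["parent"]
        if parent is None or parent not in ifaces:
            continue
        mac, pmac = info["ether"], ifaces[parent]["ether"]
        if mac is not None and mac == pmac:
            hits.append((name, parent, mac))
    return sorted(hits)


def promisc_interfaces(ifaces):
    """Names of interfaces with the PROMISC flag set."""
    return sorted(n for n, i in ifaces.items() if "PROMISC" in i["flags"])


def report(text):
    """One-line-per-finding summary for a single `ifconfig -a` listing."""
    ifaces = parse_ifconfig(text)
    lines = [f"{vif}: shares MAC {mac} with parent {parent}"
             for vif, parent, mac in shared_mac_vlans(ifaces)]
    lines += [f"{name}: PROMISC set" for name in promisc_interfaces(ifaces)]
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(report(SAMPLE_IFCONFIG))
```

On the thread's listing this flags vlan2, vlan900 and vlan902 as all sharing 00:15:f2:d0:d8:98 with bge0, and bge0 as the only interface in promiscuous mode, which is the configuration the poster is describing. Running the same check after giving each vlan its own address confirms whether the change actually took.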
Jonathan Feally wrote:
Good to know about the mtu, however I'm still having the same problem
with a Pro/1000 em0. I have only tagged vlans running on em0 and the
admin vlan (1) running untagged on bge0. The only 2 networks in play
are 900 and 902. I'm not even working on packets from the lans passing
through yet. Just trying to get my pings from outside to leave on the
corresponding vlans back towards the correct gateway/router. If the
ipfw fwd feature to reroute outgoing packets to a different router is
broken - then this would be considered a show stopper for 6.1-RELEASE
in my mind. I hope Luigi can chime in here with some ideas to try or
debugging that can be done.
Complete Machine Specs.
Asus K8N-LR
Has 2 onboard broadcom nics (bge0 + bge1)
Has Onboard ATI Rage XL Video.
2GB Ram
AMD 4200+ X2
Using onboard NVidia MediaShield Raid w/ 4 250GB Seagate Drives. RAID10
Add In Pro/1000 NIC (em0)
Running 6.1-RC/amd64 as of 5/1/06 from cvsup of 6_RELENG
Is there anybody else out there that has used the ipfw fwd feature to
do what I'm doing - and have you tried it on the 6 Branch?
Need some answers soon - Please help!
Thanks, -Jon
[EMAIL PROTECTED] wrote:
Hello,
I have set up a new firewall and I'm having trouble with it. Perhaps
the bge is to blame, perhaps it's something else.
I'll explain my setup, problem and the workaround to get it going.
Box connects to 2 Internal Lans and 2 External Wans.
Vlans are mixed untagged and tagged on a single bge0
Vlan  Network             Desc
1     10.255.1.0/24       Admin Lan - No Vlan Tagging
2     10.255.2.0/24       VoIP Lan
900   67.xxx.xxx.128/27   Internet A - Default Route - Going to be pure VoIP only - thus 10.255.2 boxes get 1:1 NAT to 67.xxx.xxx
902   208.xxx.xxx.48/28   Internet B - Web Services
1st problem I ran into was pings from vlan 2 through natd to vlan
900 were not coming back. I could see the packet enter vlan2 - leave
and return on vlan900 - but go nowhere. I tried a tcpdump on bge0
and the pings started coming back, leading me to put promisc on
my ifconfig bge0.
Now I'm trying to set up a simple web server on an IP from vlan
902 in combination with fwd rule # 999 to route packets from a
vlan902 address back to the router on that internet connection. I
try to ping from the outside and can see the icmp echo request. But
the replies keep getting sent out vlan900 to the other internet router.
Hopefully somebody can point me in the right direction. If it's the
bge, then I can replace it with some em. If it's an issue with mixing
native vlan and tagged, I can tag everything. If it's not me, then
who can help getting the code fixed?
I have put my ifconfig, ipfw rules and natd.conf's below.
Don't know about FreeBSD 6, in FreeBSD 4 you need mtu = 1504
for mtu = 1500 on vlans to work.
This is a reason not to mix tagged/untagged on one bge.
Thanks -Jon
---------------------------------------------------------
[EMAIL PROTECTED] ~]# ifconfig -a
bge0:
flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC>
mtu 1500
options=18<VLAN_MTU,VLAN_HWTAGGING>
inet6 fe80::215:f2ff:fed0:d898%bge0 prefixlen 64 scopeid 0x1
inet 10.255.1.254 netmask 0xffffff00 broadcast 10.255.1.255
ether 00:15:f2:d0:d8:98
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
bge1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
ether 00:15:f2:40:d8:35
media: Ethernet autoselect (none)
status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::215:f2ff:fed0:d898%vlan2 prefixlen 64 scopeid 0x5
inet 10.255.2.1 netmask 0xffffff00 broadcast 10.255.2.255
ether 00:15:f2:d0:d8:98
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 2 parent interface: bge0
vlan900: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
...
ether 00:15:f2:d0:d8:98
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 900 parent interface: bge0
vlan902: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::215:f2ff:fed0:d898%vlan902 prefixlen 64 scopeid 0x7
...
ether 00:15:f2:d0:d8:98
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 902 parent interface: bge0
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"