On 6.11.2017. 17:47, Andre Ruppert wrote:
> Hello @misc,
> 
> perhaps I'm stupid, but I don't see my fault in a vlan network
> configuration:
> 
> I got an OpenBSD 6.1 gateway box, connected to several switches.
> 
> On em0 I have to serve two networks:
> 172.16.210.0  (direct em0 - no vlan)
> 172.16.211.0  (VLAN 211 tagged on em0)
> 
> ----------------------------
> 
> One of my connections (em0) has a simple configuration on standard VLAN 1
> (untagged):
> 
> # ifconfig em0
> em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
>         lladdr a0:36:9f:36:49:e6
>         description: sbc-ect-lan-ext
>         index 1 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex,master)
>         status: active
>         inet 172.16.210.3 netmask 0xffffff00 broadcast 172.16.210.255
> 
> # cat /etc/hostname.em0
> inet 172.16.210.3 255.255.255.0 172.16.210.255 description "sbc-ect-lan-ext"
> 
> ------------------------------
> 
> This interface also is "CARPed":
> 
> # ifconfig carp0
> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:00:5e:00:01:01
>         index 8 priority 15 llprio 3
>         carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
>         groups: carp
>         status: backup
>         inet 172.16.210.1 netmask 0xffffff00 broadcast 172.16.210.255
> 
> # cat /etc/hostname.carp0
> inet 172.16.210.1 255.255.255.0 172.16.210.255 vhid 1 carpdev em0 pass xxxxxxxx advskew 100
> 
> (this gateway is the CARP slave (backup) of a pair of redundant gateways)
> 
> -------------------------------
> 
> Next: I want to have a VLAN on this interface em0:
> (the connected switch has a trunk configured with this VLAN 210 (untagged)
> and VLAN 211 (tagged) - but I don't know if this information makes sense
> here)
> 
> # ifconfig vlan211
> vlan211: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr a0:36:9f:36:49:e6
>         index 15 priority 0 llprio 3
>         vlan: 211 parent interface: em0
>         vnetid: 211
>         parent: em0
>         groups: vlan
>         status: active
>         inet 172.16.211.3 netmask 0xffffff00 broadcast 172.16.211.255
> 
> # cat /etc/hostname.vlan211
> inet 172.16.211.3 255.255.255.0 172.16.211.255 vlandev em0
> 
> ----------------------------------
> 
> corresponding routing table (excerpt):
> 
> # netstat -nr
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            172.16.0.15        UGS        1      191     -     8
> 
> ...
> ...
> 
> 172.16.210/24      172.16.210.3       UCn        1     1094     -     4 em0
> 172.16.210/24      172.16.210.1       Cn         0        0     -    19 carp0
> 172.16.210.1       00:00:5e:00:01:01  UHLl       0      153     -     1 carp0
> 172.16.210.3       a0:36:9f:36:49:e6  UHLl       0      275     -     1 em0
> 172.16.210.10      00:08:25:22:50:e0  UHLc       0      158     -     3 em0
> 172.16.210.255     172.16.210.3       UHPb       0        0     -     1 em0
> 172.16.210.255     172.16.210.1       HPb        0        0     -     1 carp0
> 172.16.211/24      172.16.211.3       UCn        0     1215     -     4 vlan211
> 172.16.211.3       a0:36:9f:36:49:e6  UHLl       0        0     -     1 vlan211
> 172.16.211.255     172.16.211.3       UHb        0        0     -     1 vlan211
> 
> -----------------------------------------
> 
> My problem:
> 
> I am only able to ping myself (VLAN 211) - and I _don't_ think it's a
> switch problem - because I get a "no route to host" error
> # ping 172.16.211.3 # (my IP)
> PING 172.16.211.3 (172.16.211.3): 56 data bytes
> 64 bytes from 172.16.211.3: icmp_seq=0 ttl=255 time=0.153 ms
> 64 bytes from 172.16.211.3: icmp_seq=1 ttl=255 time=0.080 ms
> ...
> ...stupid but working as expected...
> 
> 
> # ping 172.16.211.2 # some other IP, same network
> PING 172.16.211.2 (172.16.211.2): 56 data bytes
> ping: sendmsg: No route to host
> ping: wrote 172.16.211.2 64 chars, ret=-1
> ping: sendmsg: No route to host
> ping: wrote 172.16.211.2 64 chars, ret=-1
> ping: sendmsg: No route to host
> ...
> 
> 
> The routing table then has added one new entry:
> 
> 172.16.211/24      172.16.211.3       UCn        1     1743     -     4 vlan211
> 172.16.211.2       link#15            UHLc       0     1684     -     3 vlan211  !!!!!!!!!
> 172.16.211.3       a0:36:9f:36:49:e6  UHLl       0       18     -     1 vlan211
> 172.16.211.255     172.16.211.3       UHb        0        0     -     1 vlan211
> 
> 
> I'm clueless and don't know how to investigate further...
> 
> In my pf.conf I tried to "temporarily annihilate" the rules on the em0
> interface ("set skip on em0"), but that didn't help....
> 
> Any hints?
> 
> head-scratching regards
> 
> Andre Ruppert
> 

I think that in 6.1 the vlan config is a little different;
in man vlan: ifconfig vlan0 parent em0 vnetid 5

If you disable pf with "pfctl -d", can you ping some host in vlan211?
"pfctl -e" enables pf again.

For the carp stuff you should have a pf statement like
pass quick proto carp keep state (no-sync)

And you should allow icmp, something like
proto icmp icmp-type { echoreq, unreach code needfrag }

If you tcpdump -ni em0, do you see vid 211 in its output?

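The line Andre marks with "!!!!!!!!!" is the clue worth automating when you are triaging a box like this. Compare it with the working neighbour on the untagged network: 172.16.210.10 has a cloned host route (flag c) whose gateway column already holds the peer's MAC address, while 172.16.211.2 has the same kind of route but the gateway still reads link#15, the interface index instead of a learned MAC, which is what you see when no ARP reply has come back on that interface (the reply's tcpdump suggestion is the next step). The following script is an added example, not part of the thread: it parses OpenBSD netstat -nr output, with the wrapped Iface column rejoined, and lists per-interface which cloned routes have a resolved neighbour and which are still stuck at link#N. The NETSTAT_SAMPLE is constructed from the quoted excerpts.

```python
import re

# Constructed sample, rebuilt from the routing-table excerpts quoted in the
# thread (the wrapped "Iface" column has been rejoined onto each route line).
NETSTAT_SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            172.16.0.15        UGS        1      191     -     8
172.16.210/24      172.16.210.3       UCn        1     1094     -     4 em0
172.16.210.10      00:08:25:22:50:e0  UHLc       0      158     -     3 em0
172.16.211/24      172.16.211.3       UCn        1     1743     -     4 vlan211
172.16.211.2       link#15            UHLc       0     1684     -     3 vlan211
172.16.211.3       a0:36:9f:36:49:e6  UHLl       0       18     -     1 vlan211
172.16.211.255     172.16.211.3       UHb        0        0     -     1 vlan211
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
LINK_RE = re.compile(r"^link#\d+$")


def parse_routes(text):
    """Parse the 'Internet:' section of `netstat -nr` into a list of dicts.

    Columns are whitespace separated; a route whose Iface column is missing
    (like the truncated default route in the thread) is skipped rather than
    mis-assigned.
    """
    routes = []
    in_inet = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break  # only the IPv4 table is of interest here
        if not in_inet or not line.strip() or line.startswith("Destination"):
            continue
        cols = line.split()
        if len(cols) < 8:
            continue
        dest, gateway, flags, _refs, use, _mtu, _prio, iface = cols[:8]
        routes.append({"dest": dest, "gateway": gateway, "flags": flags,
                       "use": int(use), "iface": iface})
    return routes


def unresolved_neighbours(routes):
    """Cloned host routes (lower-case 'c' flag) whose gateway is still link#N.

    A resolved neighbour carries a MAC address in that column instead.
    """
    return [r for r in routes
            if "c" in r["flags"] and LINK_RE.match(r["gateway"])]


def resolved_neighbours(routes):
    """Cloned host routes whose gateway column holds a learned MAC address."""
    return [r for r in routes
            if "c" in r["flags"] and MAC_RE.match(r["gateway"])]


def per_interface_summary(routes):
    """Map each interface to (resolved, unresolved) neighbour counts."""
    summary = {}
    for r in routes:
        if "c" not in r["flags"]:
            continue
        ok, bad = summary.get(r["iface"], (0, 0))
        if MAC_RE.match(r["gateway"]):
            ok += 1
        elif LINK_RE.match(r["gateway"]):
            bad += 1
        summary[r["iface"]] = (ok, bad)
    return summary


if __name__ == "__main__":
    routes = parse_routes(NETSTAT_SAMPLE)
    for r in unresolved_neighbours(routes):
        # A high Use count with no MAC learned means traffic is being queued
        # for a neighbour that never answered ARP on that interface.
        print("unresolved: %s via %s on %s (use=%d)"
              % (r["dest"], r["gateway"], r["iface"], r["use"]))
    for iface, (ok, bad) in sorted(per_interface_summary(routes).items()):
        print("%-8s resolved=%d unresolved=%d" % (iface, ok, bad))
```

Run it against live output with `netstat -nr | python3 script.py` after swapping the sample for `sys.stdin.read()`; an interface that only ever accumulates unresolved entries is the one to put tcpdump on, filtering for arp traffic, to see whether the tagged frames are leaving and whether anything tagged 211 comes back.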