On 14.07.2017 14:42, O. Hartmann wrote: > I use in-kernel NAT. IPFW is performing NAT. In firewall type "OPEN" from the > vanilla rc.conf, IPFW has instance "nat 123" which provides then NAT.
I never used default config types for firewall, so, it would be nice to see what rules do you have. # ipfw show # ipfw nat show config >> VLANs work on the layer2 > According to 1): > > I consider the settings of the switch now as correct. I have no access to the > router right now. But I did short experiments yesterday evening and it is > weird: loged in on thr router, I can ping every host on any VLAN, so ICMP > travel from the router the right way to its destination and back. > > From any host on any VLAN that is "trunked" through the router, I can ping any > other host on any other VLAN, preferrably not on the same VLAN. By cutting off > the trunk line to the router, pinging stops immediately. > > From any host on any VLAN I can ping any host which is NATed on the outside > world. > > From the router itself, I can ssh into any host on any VLAN providing ssh > service. That said, according to question 3), NAT is considered to be setup > correctly. > > Now the strange things: Neither UDP, nor TCP services "flow" from hosts on one > VLAN to hosts on a different VLAN. Even ssh doens't work. > When loged in onto the router, I can't "traceroute" any host on any VLAN. This is most likely due to the problem with firewall rules. If you set net.inet.ip.firewall.enable=0, does it solve the problem with TCP/UDP between hosts on a different VLANs? > According to question 2), the ability to ping from, say, a host on VLAN 1000 > to > another host on VLAN 2 passing through the router would indicate that both > sides know their routes to each other. Or am I wrong? Yes. > I got words from Sean bruno that there might be a problem with the Intel i210 > chipset in recent CURRENT - and the hardware on the PCEngine APU 2C4 is three > i210. I'm aware of the problem since r320134 (the oldest CURRENT I started > experimenting with the VLAN trunking). It is very strange problems, why ICMP works, but TCP/UDP does not? :) You can try to disable any type of offloading for the card, there were some problems in the past with checksum offlading, that may lead to the problems with TCP, but this usually should be noticeable in the tcpdump output. -- WBR, Andrey V. Elsukov
Description: OpenPGP digital signature