On Fri, 14 Jul 2017 15:00:30 +0300,
"Andrey V. Elsukov" <> wrote:

> On 14.07.2017 14:42, O. Hartmann wrote:
> > I use in-kernel NAT. IPFW is performing NAT. In firewall type "OPEN" from the
> > vanilla rc.conf, IPFW has instance "nat 123" which then provides NAT.  
> I never used default config types for firewall, so, it would be nice to
> see what rules do you have.

Me neither except on some hosts with very little complications in their setups or simple

> # ipfw show

The OPEN firewall rules, which show the very same behaviour as I stated before:

root@gate:~ # ipfw list
00050 nat 123 ip4 from any to any via tun0
00100 allow ip from any to any via lo0
00200 deny ip from any to
00300 deny ip from to any
65000 allow ip from any to any
65535 deny ip from any to any

> # ipfw nat show config

root@gate:~ # ipfw nat show config
ipfw nat 123 config if tun0 log


ipfw nat 1 config if tun0 log same_ports reset redirect_port tcp 9734
redirect_port tcp 5432 redirect_port udp 
redirect_port udp 4569 redirect_port udp 5060
redirect_port tcp 5060 redirect_port tcp 443
redirect_port tcp 80 redirect_port tcp 22

> >> VLANs work on the layer2  
> > According to 1):
> > 
> > I consider the settings of the switch now as correct. I have no access to the
> > router right now. But I did short experiments yesterday evening and it is
> > weird: logged in on the router, I can ping every host on any VLAN, so ICMP
> > travels from the router the right way to its destination and back.
> > 
> > From any host on any VLAN that is "trunked" through the router, I can ping any
> > other host on any other VLAN, preferably not on the same VLAN. By cutting off
> > the trunk line to the router, pinging stops immediately.
> > 
> > From any host on any VLAN I can ping any host which is NATed on the outside
> > world.
> > 
> > From the router itself, I can ssh into any host on any VLAN providing ssh
> > service. That said, according to question 3), NAT is considered to be setup
> > correctly.
> > 
> > Now the strange things: Neither UDP, nor TCP services "flow" from hosts on one
> > VLAN to hosts on a different VLAN. Even ssh doesn't work. 
> > When logged in onto the router, I can't "traceroute" any host on any VLAN.  
> This is most likely due to the problem with firewall rules.
> If you set net.inet.ip.firewall.enable=0, does it solve the problem with
> TCP/UDP between hosts on a different VLANs?

net.inet.ip.firewall.enable does not exist, I suppose it is 

No, it doesn't change anything, last rule in my list is deny all, as you can see above

> > According to question 2), the ability to ping from, say, a host on VLAN 1000 to
> > another host on VLAN 2 passing through the router would indicate that both
> > sides know their routes to each other. Or am I wrong?  
> Yes.
> > I got word from Sean Bruno that there might be a problem with the Intel i210
> > chipset in recent CURRENT - and the hardware on the PCEngine APU 2C4 is three
> > i210. I'm aware of the problem since r320134 (the oldest CURRENT I started
> > experimenting with the VLAN trunking).  
> These are very strange problems, why does ICMP work, but TCP/UDP does not? :)
> You can try to disable any type of offloading for the card, there were
> some problems in the past with checksum offloading, that may lead to the
> problems with TCP, but this usually should be noticeable in the tcpdump
> output.

I tried that, but somehow I do not have any check:

#ifconfig_igb1="inet6 ::1 prefixlen 64 mtu 6121"
create_args_igb1="-tso -lro -rxcsum -txcsum -rxcsum6 -txcsum6 -vlanhwtso -vlanhwfilter -vlanhwtag"

and ifconfig igb1:

igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

Kind regards,

O. Hartmann

I object to the use or transmission of my data for advertising purposes or
for market or opinion research (§ 28 Abs. 4 BDSG).
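Andrey's remark that checksum-offload trouble "should be noticeable in the tcpdump output" is worth making concrete. The following is an added example, not code from this thread or from FreeBSD: it recomputes IPv4 header and TCP checksums in software over a captured packet, which is exactly what tcpdump does when it prints "bad cksum". On a host with transmit checksum offload, a capture taken on the sending side often shows a zero or stale transport checksum because the NIC fills the field in after the capture point; the same packet on the receiving side should verify cleanly, and if it does not, the offload path is a suspect. The IPv4 header is the standard RFC 1071 worked example; the TCP SYN, the addresses 192.168.0.1 / 192.168.1.1 and the ports are constructed for the demonstration.

```python
"""Software verification of IPv4 and TCP checksums on captured packets.

Added example for this thread (not project code). Useful when comparing a
sender-side and receiver-side tcpdump of the same TCP/UDP packet to decide
whether hardware checksum offload is corrupting traffic.
"""
import struct

# Constructed sample addresses (not from the thread): 192.168.0.1 -> 192.168.1.1
SRC = bytes.fromhex("c0a80001")
DST = bytes.fromhex("c0a80101")

# Standard RFC 1071 / textbook IPv4 header example; its checksum is 0xb861.
IPV4_HDR = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")

# Constructed 20-byte TCP SYN: sport 50000, dport 22, seq 0x12345678, ack 0,
# data offset 5, flags SYN, window 65535, checksum field still zero, urg 0.
TCP_SYN_NO_CKSUM = struct.pack("!HHIIBBHHH",
                               50000, 22, 0x12345678, 0, 0x50, 0x02, 0xFFFF, 0, 0)

IPPROTO_TCP = 6


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words, complemented.

    Odd-length input is padded with a zero byte, and carries are folded back
    into the low 16 bits until none remain."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_checksum(header: bytes) -> int:
    """Checksum an IPv4 header with its checksum field (bytes 10-11) zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return internet_checksum(zeroed)


def verify_ipv4_header(header: bytes) -> bool:
    """A header carrying a correct checksum sums to zero with the field included."""
    return internet_checksum(header) == 0


def transport_checksum(src: bytes, dst: bytes, proto: int, segment: bytes) -> int:
    """TCP/UDP checksum over the IPv4 pseudo-header (src, dst, zero, proto,
    length) followed by the segment, whose own checksum field must be zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    return internet_checksum(pseudo + segment)


def fill_tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> bytes:
    """Return the segment with a correct TCP checksum written at offset 16."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    cksum = transport_checksum(src, dst, IPPROTO_TCP, zeroed)
    return zeroed[:16] + struct.pack("!H", cksum) + zeroed[18:]


def verify_tcp(src: bytes, dst: bytes, segment: bytes) -> bool:
    """Recompute the TCP checksum and compare with the stored one.

    Note for UDP: a computed value of 0 is transmitted as 0xFFFF, and a stored
    0 means "no checksum" on IPv4, so a UDP verifier needs those two extra
    cases; TCP has neither exception."""
    stored = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return transport_checksum(src, dst, IPPROTO_TCP, zeroed) == stored


if __name__ == "__main__":
    print("IPv4 header checksum: 0x%04x, valid=%s"
          % (ipv4_header_checksum(IPV4_HDR), verify_ipv4_header(IPV4_HDR)))
    good = fill_tcp_checksum(SRC, DST, TCP_SYN_NO_CKSUM)
    print("TCP SYN with checksum filled in: valid=%s" % verify_tcp(SRC, DST, good))
    # What a sender-side capture looks like when the NIC has not yet filled
    # the field in: tcpdump reports "bad cksum" even though the wire is fine.
    print("TCP SYN as left for offload (zero field): valid=%s"
          % verify_tcp(SRC, DST, TCP_SYN_NO_CKSUM))
```

To use it on a real capture, feed `verify_tcp` the IP addresses and the raw TCP segment pulled from a pcap on the receiving host; a packet that fails there but was sent with `-txcsum` active on the sender points at the offload path rather than the firewall rules.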
