On 30.11.2021 at 21:22, Radek wrote:
Hello,
I have a router (6.9/amd64) with NATed subnets (vlan425, vlan426, etc..). This 
box is also connected to another subnet via vlan43 and the box can ping gw of 
vlan43 and machines inside this subnet.
I need to enable access for clients from vlan426 to machines in vlan43.

I have no idea how to achieve that...

I've tried to add some routes to /etc/hostname.vlan426:
!sleep 2
!route -v add -inet default 10.4.26.254
!route -v add -net 10.43.0.0/16 10.43.0.197
but /etc/netstart gets stuck with these lines...

What am I doing wrong?

My configs:

$ cat /etc/hostname.em0
-inet
inet A.B.C.D 255.255.255.192 NONE

$ cat /etc/mygate
A.B.C.1

$ cat /etc/hostname.vlan426
inet 10.4.26.254 255.255.255.0 NONE vnetid 426 parent em1

$ cat /etc/hostname.vlan43
-inet
inet 10.43.10.197 255.255.0.0 NONE vnetid 43 parent em1
!route -v add -inet default 10.43.0.1

$ grep 10.43.0 /etc/pf.conf
pass quick from 10.4.26.0/24 to 10.43.0.0/16
pass quick from 10.43.0.0/16 to 10.4.26.0/24


Hi,

First of all, don't do this:
> !route -v add -inet default 10.4.26.254
> !route -v add -net 10.43.0.0/16 10.43.0.197
and this:
> !route -v add -inet default 10.43.0.1

You have to set routing on the machines in vlan426 and vlan43, not on the gateway between them.

So, let's say you want to allow hostA with IP 10.4.26.5 to reach hostB with IP 10.43.0.10.


On hostA, you need to add a route to 10.43.0.0/16 via 10.4.26.254
On hostB, you need to add a route to 10.4.26.0/24 via 10.43.10.197

You don't have to do this on hostA if hostA already has a default route via 10.4.26.254. Likewise, you don't need to do this on hostB if hostB has a default route via 10.43.10.197.

Repeat the above steps for every machine in vlan43 and vlan426.

Aside from allowing this traffic in pf (which you did), you need to enable IP forwarding.

--
Łukasz Moskała
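To see why the per-host route in the reply above is only needed when the host's default gateway is not already the VLAN router, here is an added example (not from either poster) that applies longest-prefix matching to a constructed `route -n show`-style table for hostA; the addresses, MAC and flags in HOSTA_ROUTES are made up for illustration.

```python
import ipaddress

# Constructed sample in the style of `route -n show -inet` on hostA
# (illustrative only, not output from the original poster's machines).
HOSTA_ROUTES = """\
default            10.4.26.254        UGS
10.4.26/24         10.4.26.5          UCn
10.4.26.5          00:aa:bb:cc:dd:ee  UHLl
"""

def expand_bsd_prefix(dest):
    """Turn OpenBSD's abbreviated '10.4.26/24' into '10.4.26.0/24'."""
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + ("/" + plen if plen else "/32")

def parse_routes(text):
    """Parse 'destination gateway flags' lines into (network, gateway) pairs."""
    table = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        dest, gw = parts[0], parts[1]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(expand_bsd_prefix(dest), strict=False)
        table.append((net, gw))
    return table

def lookup(table, dst):
    """Longest-prefix match: the 'gateway' column entry the host would use for
    dst. For a directly connected network this is the host's own address
    (delivery on the link); for anything else it is the next hop."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def needs_explicit_route(table, dst, router):
    """True when the host must 'route add' dst via router, i.e. when its
    existing table (usually the default route) would send traffic for dst
    somewhere other than that router."""
    return lookup(table, dst) != router

if __name__ == "__main__":
    table = parse_routes(HOSTA_ROUTES)
    print(needs_explicit_route(table, "10.43.0.10", "10.4.26.254"))  # False
```

The same check run on hostB's table with router 10.43.10.197 answers whether the reverse route is needed there.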
