If your testing host is in the same subnet as the 3 gateways' inside interfaces, then your probe script can just overwrite the ARP entry for the next hop to each of the gateways in turn. No need to do any layer 3 changes at all.
/Pete

On 24 July 2010 at 12:56, Philip Guenther <[email protected]> wrote:
> On Thu, Jul 22, 2010 at 9:15 AM, <[email protected]> wrote:
> ...
>> Ok so my problem is this. We have a single monitoring host that needs to send
>> outbound traffic (ICMP) via the 4 different Firewalls to the _SAME_ remote
>> address. e.g. Send ICMP to www.apple.com via FW1 then send ICMP via FW2 to
>> www.apple.com, FW3 etc.
>>
>> The idea is to check the Firewalls and their upstream connectivity not the end
>> host per se.
>>
>> To achieve this I've tried the following:
>>
>> Create 4 VLAN interfaces all on the same VLAN as the shared subnet using
>> alternate IPs but on different routing domains.
>
> Hmm. I don't think you need different routing domains, but rather only
> different routing tables. You only need to override the outbound
> routing and not create a separation behind interfaces.
>
>
>> i.e. Vlan no. 10 :
>>
>> hostname.vlan101 - inet 10.11.12.1 255.255.255.0 NONE vlan 10 vlandev bge0
>> rdomain 1
>> hostname.vlan102 - inet 10.11.12.2 255.255.255.0 NONE vlan 10 vlandev bge0
>> rdomain 2
>
> Umm, what? Put yourself in the kernel's position. A packet with vlan
> tag of 10 is received on the bge0 physical interface: what interface
> and routing domain should it show up in? That's a layer 2 decision
> that the kernel has to make _without_ considering the src or dest IP
> addresses. Given that, do you see why your interface definitions
> there are in conflict?
>
>
> ...
>> If I create the 1st VLAN/rdomain everything works perfectly however as soon as I
>> add the 2nd vlan interface traffic on both vlans stops. Destroying the 2nd vlan
>> instance restores traffic.
>
> Yeah, that meets my expectations.
>
>
>> The host is running OpenBSD i386 Generic 4.7 (release). Sorry no DMESG as yet
>> but I can get this and anything else if need be tomorrow.
>>
>> Is what I'm trying to do possible? Any help is much appreciated.
>
> Let me make sure I understand the problem. You have a system where
> you sometimes want to route packets out an interface according to
> rules other than the normal rules, but you don't need to do any
> separation of interfaces as far as forwarding or binding of addresses
> goes? If so, then I believe you only need to create distinct routing
> tables and not actual routing domains. To do that, you need
> 1) *one* interface bound to the correct physical device and vlan,
> *in the default routing domain*,
> 2) the 'route -T' commands from your message (to create the
> alternative routing tables), and
> 3) the 'ping -V' commands from your original message (to use
> those alternatives).
>
> I also strongly advise you to upgrade to -current. No, really.
> Claudio spent a chunk of time at c2k10 helping Peter and me understand
> the distinction between rtables and rdomains... and in the process of
> explaining and then fixing the naming in the source tree, he found
> some issues in the implementation. ("If you really want to understand
> something, explain it to someone else.") Here's the action shot of
> that explanation from jcr's article at undeadly.org:
> http://www.designtools.org/OpenBSD/c2k10/debate3-l.jpg
>
> You're using something that's being actively updated by the
> developer; staying current is staying sane.
>
>
> Philip Guenther
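An added example, not a script posted in this thread: the sh script below does what the two replies describe, from one OpenBSD host with a single vlan interface in the default routing domain. In 'rtable' mode it follows Philip's three steps (one interface, 'route -T' to build a routing table per firewall, 'ping -V' to probe through it); in 'arp' mode it follows Pete's layer 2 shortcut and rewrites the next hop's ARP entry to each firewall's MAC in turn. The OP's own 'route -T' and 'ping -V' commands are not quoted in the message, so the exact flags, the subnet, the firewall addresses and MACs, and the target 192.0.2.1 are all assumed placeholders. Whether a freshly used rtable needs the connected route for the shared subnet added by hand is also an assumption; check it with 'route -T n -n show' on your release.

```shell
#!/bin/sh
# Added example, not a script from the thread: probe upstream connectivity
# through each firewall from one OpenBSD host, in either of the two ways the
# thread describes.
#   rtable mode (Philip's three steps): ONE vlan interface in the default
#       routing domain, one extra routing table per firewall built with
#       `route -T`, and `ping -V` to send the probe through that table.
#   arp mode (Pete's suggestion): keep the normal default route and rewrite
#       the ARP entry for its next hop to each firewall's MAC in turn.
# Every address and MAC below is an assumed placeholder; change them to fit
# your network.  Run as root, or with DRY_RUN=1 to only print the commands.

SUBNET="10.11.12.0/24"          # the shared inside subnet (assumed)
MYADDR="10.11.12.1"             # this host's address on the shared vlan (assumed)
TARGET="192.0.2.1"              # assumed literal IP: keeps DNS out of the probe
COUNT=3
DRY_RUN=${DRY_RUN:-0}

# Inside addresses and MACs of the firewalls (assumed); FW n uses rtable n.
FW_ADDRS="10.11.12.251 10.11.12.252 10.11.12.253 10.11.12.254"
FW_MACS="00:00:5e:00:01:01 00:00:5e:00:01:02 00:00:5e:00:01:03 00:00:5e:00:01:04"
NEXTHOP="10.11.12.254"          # arp mode: the host's ordinary default gateway

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# rtable mode: probe through rtable $1 whose default gateway is $2.
# A non-default rtable starts empty, so the connected route for the shared
# subnet is added first (assumed to be needed on your release; check with
# `route -T $1 -n show`).  The interface itself stays in rdomain 0.
rtable_probe() {
    rt=$1; gw=$2
    run route -T "$rt" -qn add -net "$SUBNET" -iface "$MYADDR" &&
    run route -T "$rt" -qn add default "$gw" &&
    run ping -V "$rt" -c "$COUNT" -q "$TARGET"
}

# arp mode: one default route; the frame is steered at layer 2 by pointing the
# next hop's ARP entry at the MAC given in $1.  The firewall receiving it just
# forwards an ordinary transit packet.
arp_probe() {
    mac=$1
    run arp -d "$NEXTHOP" 2>/dev/null    # entry may not exist yet; ignore
    run arp -s "$NEXTHOP" "$mac" temp &&
    run ping -c "$COUNT" -q "$TARGET"
}

# Probe every firewall in the chosen mode; return the number of failures.
probe_all() {
    mode=$1; i=0; failed=0
    for gw in $FW_ADDRS; do
        i=$((i + 1))
        mac=$(echo "$FW_MACS" | cut -d' ' -f"$i")
        echo "== FW$i via $gw =="
        case $mode in
            rtable) rtable_probe "$i" "$gw" ;;
            arp)    arp_probe "$mac" ;;
            *)      echo "usage: $0 rtable|arp" >&2; return 2 ;;
        esac || failed=$((failed + 1))
    done
    return "$failed"
}

# Only start probing when a mode is given, e.g. `sh probe_fw.sh rtable`.
if [ $# -gt 0 ]; then
    probe_all "$1"
fi
```

Run 'DRY_RUN=1 sh probe_fw.sh rtable' first to see the commands without touching the routing tables or the ARP cache; the script's exit status is the number of firewalls whose probe failed. In rtable mode the extra tables persist after the script ends, so a second run will get "File exists" from route(8) unless you delete the routes or drop the add commands once the tables are in place.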

