Hi
On 03/29/2011 04:55 PM, Sebastien Roy wrote:
> On 03/29/11 02:42 AM, Thomas Nau wrote:
>> Hi Sebastian
>>
>> On 03/28/2011 03:45 PM, Sebastien Roy wrote:
>>> Hello Thomas,
>>>
>>> On 03/27/11 02:39 PM, Thomas Nau wrote:
>>> ...
>>>> The machine acting as firewall, and only that one, uses 4 VNICs created
>>>> "on top" of the Intel NICs using dladm. The IP addresses assigned to
>>>> these VNICs are the ones that "act" as firewall. What I'm saying is that
>>>> those are the IP addresses configured in the connecting routers' routing
>>>> table as gateway.
>>> ...
>>>> Now the question: ipf allows you to specify an interface + direction in
>>>> rules. So far I have found no documents that describe how ipf
>>>> distinguishes between the physical NIC and the VNIC on top. Seems to be
>>>> easy for incoming packets that are sent to one of the IP addresses but
>>>> how about routed packets that leave the box? Will they leave through
>>>> e1000g0 or vnic0?
>>>
>>> IP filter operates at the IP layer, and the interfaces referenced in IP
>>> filter configuration are IP interfaces. Since your IP
>>> configuration is over the VNICs, your IP filter rules should refer to the
>>> IP interfaces configured over those VNICs.
>>
>> Thanks for the quick answer but to be honest I don't get it :-/
>> Let's assume the simple case with only two NICs, an internal
>> and an external one. So this results in 4 up and running
>> interfaces
>>
>> e1000g0 192.168.1.2
>> vnic0 on top of e1000g0 192.168.1.1
>> e1000g1 192.168.2.2
>> vnic1 on top of e1000g1 192.168.2.1
>
> I see, I assumed based on your description that only the VNICs had IP
> interfaces configured, and that the physical links did not have any IP
> configuration. May I ask why e1000g0 and e1000g1 have IP configured? I
> don't yet understand their function in the example you gave.

Sure :) I need to connect to each of the machines for updates, maintenance, ...
and it shouldn't matter which actually currently acts as firewall.
One interface might be enough but the problem would persist.

>
>> Let's further assume *0 are the internal ones, *1 the ones
>> connected to the external network. vnic0/1 are configured
>> as gateway addresses for the connected clients and routers.
>> So if the internal client A sends a packet to an external host
>> it will use 192.168.1.1 as IP address for routing and ipf on
>> the firewall will use vnic0 as incoming interface for that packet.
>> So far so good. But what about the outgoing side? Will the packet
>> leave through vnic1 or e1000g1 and how can I enforce that vnic1
>> will be used for outgoing packets? That's only about routing so for
>> the outgoing side the IP addresses assigned to the firewall don't matter
>
> Okay, so this has little to do with VNICs, but is a general question about
> two IP interfaces configured on the same subnet, and which IP interface is
> used as an output interface when transmitting packets in such a scenario.
> The answer is that the IP module will pick one or the other
> (indeterminately) unless an output interface was specified when adding the
> route to the external network. This is because the next hop for such routes
> is equally reachable through both vnic1 and e1000g1, and IP cannot possibly
> know which one you prefer unless explicitly told.
>
> For a static route, the output interface is specified with -ifp (e.g. "route
> add default -ifp vnic1").

Cool, thanks!
Thomas
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
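The configuration the thread converges on, written out as an added example for this page (it is not Thomas's or Sebastien's own configuration). It assumes the addressing from the mail (e1000g0/vnic0 on 192.168.1.0/24 inside, e1000g1/vnic1 on 192.168.2.0/24 outside) and a hypothetical upstream router at 192.168.2.254. The ipf rules name the VNICs, which are the IP interfaces carrying the gateway addresses; the default route is pinned with -ifp so forwarded traffic really leaves via vnic1; and an explicit block rule on the physical external link turns the failure mode Sebastien describes (IP picking e1000g1 instead) into a logged hit rather than a silent leak. The script only prints commands and rules so the result can be reviewed before it is applied on the firewall.

```shell
#!/bin/sh
# Added example, not code from the thread. Addressing follows the mail; the
# upstream router 192.168.2.254 (EXT_GW) is an assumption.
# Every function below only prints text; nothing here changes the system.
INT_PHYS=e1000g0; INT_VNIC=vnic0; INT_NET=192.168.1.0/24
EXT_PHYS=e1000g1; EXT_VNIC=vnic1; EXT_GW=192.168.2.254

# VNICs over the physical links and the four IP interfaces Thomas lists
# (192.168.x.2 on the physical link for management, 192.168.x.1 on the VNIC
# as the gateway address the neighbouring routers point at).
setup_cmds() {
    cat <<EOF
dladm create-vnic -l $INT_PHYS $INT_VNIC
dladm create-vnic -l $EXT_PHYS $EXT_VNIC
ifconfig $INT_PHYS plumb 192.168.1.2/24 up
ifconfig $INT_VNIC plumb 192.168.1.1/24 up
ifconfig $EXT_PHYS plumb 192.168.2.2/24 up
ifconfig $EXT_VNIC plumb 192.168.2.1/24 up
EOF
}

# Weak form: the next hop is reachable through both vnic1 and e1000g1, so IP
# picks the output interface indeterminately and an 'out on vnic1' rule may
# never see the forwarded packet.
route_ambiguous() {
    echo "route -p add default $EXT_GW"
}

# Corrected form: -ifp pins the output interface, as stated in the thread.
route_pinned() {
    echo "route -p add default $EXT_GW -ifp $EXT_VNIC"
}

# ipf rules. 'on <if>' refers to the IP interface, i.e. the VNIC carrying the
# gateway address, not the physical NIC underneath it.
ipf_rules() {
    cat <<EOF
# /etc/ipf/ipf.conf (generated example)
block in log all
block out log all
# forwarded traffic from the inside network: in via $INT_VNIC, out via $EXT_VNIC
pass in quick on $INT_VNIC from $INT_NET to any keep state
pass out quick on $EXT_VNIC from $INT_NET to any keep state
# tripwire: forwarded packets that IP sends out the physical link instead of
# the VNIC (i.e. the default route was not pinned) hit this rule and are logged
block out log quick on $EXT_PHYS from $INT_NET to any
EOF
}

# What to check on the firewall afterwards (printed, not run here).
check_cmds() {
    cat <<EOF
route get default    # the 'interface:' line must show $EXT_VNIC
ipfstat -ion         # loaded rules should reference $INT_VNIC/$EXT_VNIC, never bare $EXT_PHYS as a pass
EOF
}

setup_cmds
route_pinned
ipf_rules
check_cmds
```

Management access to 192.168.1.2/192.168.2.2 on the physical links still needs its own pass rules (e.g. for ssh), which this example deliberately leaves under the default block; the point of the tripwire rule is that a non-zero hit count on it in `ipfstat -ion` tells you the route is not pinned on that box.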