VLAN routing fails from VLAN -> non VLAN [was: Re: static routes on VLAN on CURRENT]

2017-07-11 Thread O. Hartmann
On Mon, 3 Jul 2017 06:29:41 +0200
"O. Hartmann"  wrote:


Hello,

I figured out some severe problems with the configuration of the cheap SoHo
smart-managed switch Netgear GS110TP. This piece of crap is way too smart for me.
In short: if one leaves a port as "U" (untagged) within a VLAN group in the
membership configuration and this port is also a member of another VLAN as
"U" (untagged) (Cisco calls those ports access ports), nothing works. There is
obviously no consistency check for such mistakes.

So, after that, I was able to manage separated VLANs on the switch which get
routed by a FreeBSD 12-CURRENT box. The uplink port (igb1) on the FBSD box
"trunks" all VLANs to the switch.

Now, the router shows this:

Internet:
Destination        Gateway            Flags     Use    Mtu      Netif Expire
default            xxx.xxx.xxx.xxx    US        513   1492       tun0
xxx.xxx.xxx.xxx    link#12            UHS         0   1492       tun0
xxx.xxx.xxx.xxx    link#12            UHS         0  16384        lo0
127.0.0.1          link#5             UH        111  16384        lo0
192.168.2.0/24     link#7             U           0   1500     igb1.2
192.168.2.1        link#7             UHS         0  16384        lo0
192.168.10.0/24    link#8             U           0   1500    igb1.10
192.168.10.1       link#8             UHS         0  16384        lo0
192.168.66.0/24    link#10            U           0   1500    igb1.66
192.168.66.1       link#10            UHS         0  16384        lo0
192.168.100.0/24   link#11            U           0   1500   igb1.100
192.168.100.1      link#11            UHS         0  16384        lo0
192.168.0.0/24     link#9             U           0   1500  igb1.1000
192.168.0.1        link#9             UHS         0  16384        lo0

[ schnipp ] 

tun0 is the device opened by ppp towards my VDSL modem.

ssh on the router box is listening on 192.168.0.1 - this for completeness.

I also have FreeBSD hosts in networks 192.168.0.0/24 and 192.168.10.0/24
(network 192.168.10.0/24 is on a dual port NIC, the host is not gatewaying;
pinging from 192.168.10.0/24 to 192.168.0.0/24 without the trunk port
from the switch towards the router doesn't work, but works when the trunk port
is connected - I consider this a quick test that routing works).

> > 
> > [ sysctl stuff snipped - not relevant, I think ]
> >   
> > > > > From the routing device itself, it is possible to ssh into a VoIP
> > > > > client attached to the switch to which igb1.2 trunks the net.
> > > > > Pinging is also possible.
> > > > > 
> > > > > Attached to igb1 is the 192.168.0.1/24 network with a bunch of
> > > > > hosts. From any host within this network it is possible to ping
> > > > > the 192.168.2.0/24 network and its hosts within, but no SSH, not
> > > > > web (80, 443). 
> > > > >
> > > > 

The problem still persists.

I did some experiments trying to ssh into several hosts from several spots.

the router has 192.168.0.1:ssh
192.168.0.0/24 is on igb1.1000

ping: 192.168.0.111 -> 192.168.0.1 : ok
ssh: 192.168.0.111 -> 192.168.0.1 : ok
ping: 192.168.0.1 -> 192.168.0.111 : ok
ssh: 192.168.0.111 -> 192.168.0.111 : ok
ping: 192.168.0.111 -> google.com : ok

192.168.66.0/24 is on igb1.66
host 192.168.66.111 is a notebook with sshd enabled

ping: 192.168.66.111 -> 192.168.0.1 : ok
ssh: 192.168.66.111 -> 192.168.0.1 : NOT ok
ssh: 192.168.0.1 -> 192.168.66.111 : NOT ok (do not understand this)
ping: 192.168.66.111 -> 8.8.8.8 (no DNS): ok

Ping from any VLAN to another VLAN host without the trunking cable connected to
the switch fails. With the cable plugged in, ping works.

ping: 192.168.0.1 -> 192.168.2.50 (VoIP phone): ok
ssh: 192.168.0.1 -> 192.168.2.50 (VoIP phone): ok
ping: 192.168.0.111 -> 192.168.2.50 (VoIP phone): ok
ssh 192.168.0.111 -> 192.168.2.50 (VoIP phone): NOT ok


> > > > Weird - if icmp (ping) works and tcp (web, ssh) not, something is
> > > > filtering traffic. But with net.inet.ip.forwarding=0, even pinging
> > > > host should not work. Try tcpdump to see what's going on.   
> > > 

[ schnipp ]

> > 
> > Then I just recommend tcpdump - I would use 'tcpdump -nepi igb1.2 host
> > 192.168.0.x and host 192.168.2.y' and 'tcpdump -nepi igb1 host
> > 192.168.0.x and host 192.168.2.y' in two sessions and compare outputs
> > when pinging from 192.168.0.x to 192.168.2.y and when trying to ssh
> > from the former to the latter. Also there is a question then what these
> > two devices are, what OS they are running, their network
> > configuration... then we can analyse the problem better.

Since the VoIP phone has a very restricted interface and shell capability set,
I need to do this from another FreeBSD 12-CURRENT host and, as I showed above,
I put that host into VLAN 66, bound to igb1.66 -> 192.168.66.1/24 on the router:

Pinging from 192.168.0.111 <-> 192.168.66.111 gives on both machines nice
"ping-pong" results: echo request and echo 
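
The "U in two VLANs" mistake described above is exactly the kind of thing a consistency check should catch before any cable is plugged in. The following is an added example, not code from the thread, from FreeBSD or from Netgear: it models a switch's 802.1Q membership table as a Python dict and checks it against the VLAN list the FreeBSD router is configured for. It flags a port that is untagged in more than one VLAN, an uplink that is not tagged in every VLAN the router has an igb1.N interface for (untagged frames on the uplink would arrive on igb1 itself, the tagged/untagged mix Freddie warns about), and any port placed in a VLAN the router does not route. Port names, the membership table and the router VLAN set are constructed to resemble the setup in the thread (GS110TP, uplink g9, phone on g8) and are assumptions, not the poster's real configuration.

```python
# Added example: sanity-check a switch's 802.1Q membership table against the
# VLAN interfaces configured on the FreeBSD router. Not from the thread.
#
# Model: port -> {vlan_id: "U" (untagged/access) | "T" (tagged)}.
# The port table, VLAN IDs and port roles below are constructed to resemble
# the thread's setup and are assumptions, not the poster's actual switch.

ROUTER_VLANS = {2, 10, 66, 100, 1000}   # as in vlans_igb1="2 10 66 100 1000"
UPLINK = "g9"                            # switch port cabled to igb1

SWITCH_PORTS = {
    "g1": {1000: "U"},                 # office host, 192.168.0.0/24
    "g2": {1000: "U"},                 # office host
    "g3": {1000: "U", 10: "U"},        # the mistake: untagged in two VLANs
    "g4": {66: "U"},                   # notebook, 192.168.66.0/24
    "g8": {2: "T"},                    # VoIP phone that tags VLAN 2 itself
    "g9": {2: "T", 10: "T", 66: "T", 100: "T", 1000: "U"},  # uplink to igb1
}


def check_vlan_plan(ports, router_vlans, uplink):
    """Return a list of human-readable findings; an empty list means the
    switch table and the router's vlan(4) interfaces are consistent."""
    findings = []
    for port, members in sorted(ports.items()):
        untagged = sorted(v for v, mode in members.items() if mode == "U")
        if len(untagged) > 1:
            findings.append(
                f"{port}: untagged in {untagged}; a port can carry only one "
                f"untagged VLAN (access port) and the switch will not warn you")
        for vlan in sorted(members):
            if vlan not in router_vlans:
                findings.append(
                    f"{port}: VLAN {vlan} has no igb1.{vlan} on the router, "
                    f"hosts on it cannot be routed")
    uplink_members = ports.get(uplink, {})
    for vlan in sorted(router_vlans):
        mode = uplink_members.get(vlan)
        if mode is None:
            findings.append(
                f"{uplink}: VLAN {vlan} is not a member of the uplink; "
                f"igb1.{vlan} will never see its hosts")
        elif mode != "T":
            # Untagged frames on the uplink are received on igb1 itself,
            # not on igb1.<vlan>, so the router's vlan interface stays silent.
            findings.append(
                f"{uplink}: VLAN {vlan} is untagged on the uplink but the "
                f"router expects 802.1Q tag {vlan} on igb1.{vlan}")
    return findings


def fixed_plan(ports, router_vlans, uplink):
    """The same table with both mistakes corrected: g3 in one VLAN only,
    uplink tagged in every routed VLAN and untagged in none."""
    fixed = {p: dict(m) for p, m in ports.items()}
    fixed["g3"] = {1000: "U"}
    fixed[uplink] = {v: "T" for v in router_vlans}
    return fixed


if __name__ == "__main__":
    for line in check_vlan_plan(SWITCH_PORTS, ROUTER_VLANS, UPLINK):
        print("FAIL:", line)
    fixed = fixed_plan(SWITCH_PORTS, ROUTER_VLANS, UPLINK)
    print("after fix:", check_vlan_plan(fixed, ROUTER_VLANS, UPLINK))
```

Run as-is it reports the g3 double-untagged port and the untagged VLAN 1000 on the uplink, then an empty list for the corrected table. Feed it the real membership table read off the switch's web interface and the real `vlans_igb1` list before changing cabling, so the only variable left for tcpdump is the router itself.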

Re: static routes on VLAN on CURRENT

2017-07-04 Thread O. Hartmann
On Sun, 2 Jul 2017 21:12:17 +0200
Milan Obuch  wrote:

> On Sun, 2 Jul 2017 20:13:49 +0200
> "Hartmann, O."  wrote:
> 
> > On Sun, 2 Jul 2017 14:39:34 +0200
> > Milan Obuch  wrote:  
> 
> [ snip ]
> 
> > > > To not use a routing daemon due to the small size of my network, I
> > > > decided to use static routes, in rc.conf I placed the following
> > > > variables:
> > > > 
> > > > static_routes="igb1.2 igb1.10"
> > > > route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
> > > > route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
> > > > 
> > > > igb1 is assigned to IP/NET 192.168.0.1/24
> > > >   
> 
> Just to be exact, could you show us ifconfig lines from rc.conf as well?
> It is common to have something like
> 
> cloned_interfaces="igb1.2 igb1.10"
> ifconfig_igb1_2="192.168.2.1/24"
> ifconfig_igb1_10="192.168.10.1/24"
> 
> and no static routes as you showed, because address assigned to
> interface means automatically line in route table, however, they should
> look identical to those shown in your first mail.
> 
> > > > netstat -Warn gives me (as a dummy, since I have no direct access to
> > > > the box via serial console from the system I write this mail):
> > > > 
> > > > Internet:
> > > > Destination        Gateway   Flags      Use    Mtu   Netif
> > > > 127.0.0.1          link#3    UH      334564  16384     lo0
> > > > 192.168.0.0/24     link#4    U        23452   1500    igb1
> > > > 192.168.0.1        link#4    UHS      29734  16384     lo0
> > > > 192.168.2.0/24     link#5    U          271   1500  igb1.2
> > > > 192.168.2.1        link#5    UHS          0  16384     lo0
> > > 
> > > I think you did not include network 192.168.10.0/24 on igb1.10...
> > 
> > I skipped that, it is quite the same according to the settings of the
> > others and unused for now. So it doesn't matter. But you're right.
> >  
> 
> This was just for the sake of completeness, nothing else.
> 
> [ sysctl stuff snipped - not relevant, I think ]
> 
> > > > From the routing device itself, it is possible to ssh into a VoIP
> > > > client attached to the switch to which igb1.2 trunks the net.
> > > > Pinging is also possible.
> > > > 
> > > > Attached to igb1 is the 192.168.0.1/24 network with a bunch of
> > > > hosts. From any host within this network it is possible to ping
> > > > the 192.168.2.0/24 network and its hosts within, but no SSH, not
> > > > web (80, 443). 
> > > >  
> > > 
> > > Weird - if icmp (ping) works and tcp (web, ssh) not, something is
> > > filtering traffic. But with net.inet.ip.forwarding=0, even pinging
> > > host should not work. Try tcpdump to see what's going on. 
> > 
> > net.inet.ip.forwarding works as expected. See above, I confused the
> > OID.
> >   
> 
> [ snip ]
> 
> > > From a network architecture view, there is no difference - a vlan is a
> > > network interface just like physical ethernet. Basically everything
> > > is the same (sometimes there is an issue with mtu, but this is hardware
> > > dependent).
> > 
> > Yes, so I thought, but as you stated, something is filtering and I
> > have no clue what.
> >   
> 
> Then I just recommend tcpdump - I would use 'tcpdump -nepi igb1.2 host
> 192.168.0.x and host 192.168.2.y' and 'tcpdump -nepi igb1 host
> 192.168.0.x and host 192.168.2.y' in two sessions and compare outputs
> when pinging from 192.168.0.x to 192.168.2.y and when trying to ssh
> from the former to the latter. Also there is a question then what these
> two devices are, what OS they are running, their network
> configuration... then we can analyse the problem better.
> 
> Regards,
> Milan
[...]

Well, some news from a "lost" night at the HomeOfficeFrontier.

I followed the advice given by you (Milan and Freddie), except the tcpdump
sessions, because I also had some trouble with the ISP's connection.

But: having set up the router's interface on igb1.10 (vlan 10) revealed some
serious problems with the setup of the switch I use in the HomeOffice. We use
mostly Cisco switches. It is easy to assign ports to a certain VLAN and leave
them "untagged", but the uplink port (Cisco calls this port a trunk port or
etherport) has, of course, "tagged" etherframes.

The switch is a Netgear GS110TP, the uplinkport is g9 (SFP copper). This
tagged port is attached via CAT 6 cable to the igb1 of the router. The router,
the FreeBSD 12-CURRENT box in question here, has VLANs 2, 10, 66 and 100
assigned to this port, but I use only 2 and 10 at the moment. vlan 2 is, as
explained above, the VoIP network, its switchport is g8 which "must" be tagged
to reach the Grandstream VoIP phone, which has 802.1q tag 2. 

So, as Freddie Cash suggested, I assigned my native LAN (192.168.0.1/24) to
igb1.10, made the uplink port of the switch a "tagged" member of vlan 10 as
well, and also put the other ports (3 ports) with hosts attached to the
net 192.168.0.1/24 into the group of VLAN 10.

The 

Re: static routes on VLAN on CURRENT

2017-07-02 Thread O. Hartmann
On Sun, 2 Jul 2017 13:17:54 -0700
Freddie Cash  wrote:

> On Jul 2, 2017 4:40 AM, "Hartmann, O."  wrote:
> 
> Fiddling around with a self-brewed router/firewall based on 12-CURRENT
> and ipfw, I run into problems when setting up a trunk port with
> different VLANs and static routes.
> 
> The "router" has three NICs, igb0, igb1, igb2 (it is de facto an APU
> 2C4 from PCengines). igb0 is attached to an external VDSL2+ Modem and
> not connected at the moment. igb2 is also not connected yet.
> 
> igb1 bears several VLANs: 2, 10, 100 (igb1.2, igb1.10 ...) and the
> "native", untagged LAN (on igb1).
> 
> 
> While it will sometimes work, I find that mixing tagged and untagged vlans
> on a single interface leads to all kinds of silent failures and issues.
> 
> Just make vlan 1 tagged on that interface and the switch port. Then ignore
> igb1 completely, and only use the igb1.X interfaces for everything.

Very good advice, but I didn't come that far since first I have to refactor
the whole network and I didn't want to shoot myself in the foot.

> 
> To not use a routing daemon due to the small size of my network, I
> decided to use static routes, in rc.conf I placed the following
> variables:
> 
> static_routes="igb1.2 igb1.10"
> route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
> route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
> 
> 
> You shouldn't need to add static routes as those routes will be added
> automatically when you assign an IP/netmask to the interface.

Yes, I found this out already - a bit disturbing, isn't it? The thinking behind
my "solution" was not to route automatically.

I think isolating networks needs to be done via ipfw then.

Well, to be honest, the main issue is that there is the igb0 device, which will
be attached to tun0 in case the VDSL modem is attached and receiving its IP from
the ISP. FreeBSD's ppp client adds this device as the default route via

add! default HISADDR
add! default HISADDR6

The igb1.2 VLAN 2 in my scenario should be the interface for the VoIP facility
- and it should be restricted in some way. The router itself is running NanoBSD
12-CURRENT and as soon as I have figured out how to automatically create and
install a small jail which then contains PBX, DNS et cetera, igb1.2 is then the
jail's interface. And it should not interfere with my office's LAN by accident.


> 
> Simplify things. Make everything tagged vlans, reduce your rc.conf to just
> IP assignments to the sub interfaces, and see how things work. Build it up
> from there.

Good thinking.

> 
> Cheers,
> Freddie

Thank you very much,
Oliver
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"


Re: static routes on VLAN on CURRENT

2017-07-02 Thread O. Hartmann
On Sun, 2 Jul 2017 21:12:17 +0200
Milan Obuch  wrote:

> On Sun, 2 Jul 2017 20:13:49 +0200
> "Hartmann, O."  wrote:
> 
> > On Sun, 2 Jul 2017 14:39:34 +0200
> > Milan Obuch  wrote:  
> 
> [ snip ]
> 
> > > > To not use a routing daemon due to the small size of my network, I
> > > > decided to use static routes, in rc.conf I placed the following
> > > > variables:
> > > > 
> > > > static_routes="igb1.2 igb1.10"
> > > > route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
> > > > route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
> > > > 
> > > > igb1 is assigned to IP/NET 192.168.0.1/24
> > > >   
> 
> Just to be exact, could you show us ifconfig lines from rc.conf as well?
> It is common to have something like

I do not have entries in cloned_interfaces="". I use 

vlans_igb1="2 10" and so forth.

> 
> cloned_interfaces="igb1.2 igb1.10"
> ifconfig_igb1_2="192.168.2.1/24"
> ifconfig_igb1_10="192.168.10.1/24"

ifconfig_igb1_2="inet 192.168.2.1 netmask 0xffffff00"

same for igb1.10

Additionally, I had the static route definitions.
I deleted them and realised that routing is done automatically - something that
is not desired in the first place.

The "thinking" behind static routes was not to have routing between those
interfaces in an automatic manner, but explicitly allowed via the static
route. My bad, FBSD seems to have some surprises left.


> 
> and no static routes as you showed, because address assigned to
> interface means automatically line in route table, however, they should
> look identical to those shown in your first mail.

Yes, they do and the routing seems to be established.

> 
> > > > netstat -Warn gives me (as a dummy, since I have no direct access to
> > > > the box via serial console from the system I write this mail):
> > > > 
> > > > Internet:
> > > > Destination        Gateway   Flags      Use    Mtu   Netif
> > > > 127.0.0.1          link#3    UH      334564  16384     lo0
> > > > 192.168.0.0/24     link#4    U        23452   1500    igb1
> > > > 192.168.0.1        link#4    UHS      29734  16384     lo0
> > > > 192.168.2.0/24     link#5    U          271   1500  igb1.2
> > > > 192.168.2.1        link#5    UHS          0  16384     lo0
> > > 
> > > I think you did not include network 192.168.10.0/24 on igb1.10...
> > 
> > I skipped that, it is quite the same according to the settings of the
> > others and unused for now. So it doesn't matter. But you're right.
> >  
> 
> This was just for the sake of completeness, nothing else.
> 
> [ sysctl stuff snipped - not relevant, I think ]
> 
> > > > From the routing device itself, it is possible to ssh into a VoIP
> > > > client attached to the switch to which igb1.2 trunks the net.
> > > > Pinging is also possible.
> > > > 
> > > > Attached to igb1 is the 192.168.0.1/24 network with a bunch of
> > > > hosts. From any host within this network it is possible to ping
> > > > the 192.168.2.0/24 network and its hosts within, but no SSH, not
> > > > web (80, 443). 
> > > >  
> > > 
> > > Weird - if icmp (ping) works and tcp (web, ssh) not, something is
> > > filtering traffic. But with net.inet.ip.forwarding=0, even pinging
> > > host should not work. Try tcpdump to see what's going on. 
> > 
> > net.inet.ip.forwarding works as expected. See above, I confused the
> > OID.
> >   
> 
> [ snip ]
> 
> > > From a network architecture view, there is no difference - a vlan is a
> > > network interface just like physical ethernet. Basically everything
> > > is the same (sometimes there is an issue with mtu, but this is hardware
> > > dependent).
> > 
> > Yes, so I thought, but as you stated, something is filtering and I
> > have no clue what.
> >   
> 
> Then I just recommend tcpdump - I would use 'tcpdump -nepi igb1.2 host
> 192.168.0.x and host 192.168.2.y' and 'tcpdump -nepi igb1 host
> 192.168.0.x and host 192.168.2.y' in two sessions and compare outputs
> when pinging from 192.168.0.x to 192.168.2.y and when trying to ssh
> from the former to the latter. Also there is a question then what these
> two devices are, what OS they are running, their network
> configuration... then we can analyse the problem better.

Thank you very much for the details of analysing. I regret, at the moment I
have no access to the facility. But except the device bearing the IP
192.168.2.y, which is a commercial VoIP endpoint, other parties are 12-CURRENT
of a very well known OS. 

I'll check as soon as I have access.
> 
> Regards,
> Milan
> 

Thank you very much and kind regards,

Oliver


Re: static routes on VLAN on CURRENT

2017-07-02 Thread Hartmann, O.
On Sun, 2 Jul 2017 14:39:34 +0200
Milan Obuch  wrote:

> On Sun, 2 Jul 2017 13:40:01 +0200
> "Hartmann, O."  wrote:
> 
> [ snip ]
> 
> > On igb1.2 (vlan tag 2) I want to run an asterisk PBX (that is the
> > main goal). The interface is attached with the IP 192.168.2.1. The
> > NIC is attached to a VLAN capable switch and VLAN 2 is for VoIP
> > telephones.
> > 
> > To not use a routing daemon due to the small size of my network, I
> > decided to use static routes, in rc.conf I placed the following
> > variables:
> > 
> > static_routes="igb1.2 igb1.10"
> > route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
> > route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
> > 
> > igb1 is assigned to IP/NET 192.168.0.1/24
> > 
> > netstat -Warn gives me (as a dummy, since I have no direct access to
> > the box via serial console from the system I write this mail):
> > 
> > Internet:
> > Destination        Gateway   Flags      Use    Mtu   Netif
> > 127.0.0.1          link#3    UH      334564  16384     lo0
> > 192.168.0.0/24     link#4    U        23452   1500    igb1
> > 192.168.0.1        link#4    UHS      29734  16384     lo0
> > 192.168.2.0/24     link#5    U          271   1500  igb1.2
> > 192.168.2.1        link#5    UHS          0  16384     lo0
> 
> I think you did not include network 192.168.10.0/24 on igb1.10...

I skipped that, it is quite the same according to the settings of the
others and unused for now. So it doesn't matter. But you're right.

> 
> > For readability, the Expire column has been avoided.
> > 
> > Since I use some tuning and security advisories for advanced
> > settings, for the tests they were disabled or reset to FreeBSD's
> > defaults, i.e. blackhole etc.
> > 
> > gateway_enable="YES" is set, I checked the sysctl also. Further,
> > icmp_drop_redirect="NO" and "net.inet.ip.forwarding=0". I followed
> > basically chapter 30.2 "Gateways and routes" of the recent handbook
> > in addition to the Wiki "NetworkPerformanceTuning" of FreeBSD's.
> >  
> 
> This is kind of contradiction here - if you have line
> 
> gateway_enable="YES"
> 
> in /etc/rc.conf, then you should have set
> 
> net.inet.ip.forwarding=1
> 
> after system boot. If you edited /etc/rc.conf, setting will be
> activated after reboot.

It is and it has always been - I confused it with 

net.inet.ip.redirect=0


> 
> > From the routing device itself, it is possible to ssh into a VoIP
> > client attached to the switch to which igb1.2 trunks the net.
> > Pinging is also possible.
> > 
> > Attached to igb1 is the 192.168.0.1/24 network with a bunch of
> > hosts. From any host within this network it is possible to ping the
> > 192.168.2.0/24 network and its hosts within, but no SSH, not web
> > (80, 443). 
> >  
> 
> Weird - if icmp (ping) works and tcp (web, ssh) not, something is
> filtering traffic. But with net.inet.ip.forwarding=0, even pinging
> host should not work. Try tcpdump to see what's going on. 

net.inet.ip.forwarding works as expected. See above, I confused the OID.

> 
> > Since my IPFW setup is a catastrophe, I switched it off (ipfw
> > firewall disable) in combination with setting
> > "net.inet.ip.fw.default_to_accept=1". So, this should ensure that
> > anything is passed the ipfw. But the result is still the same. What
> > am I doing wrong here? Is inter VLAN routing in FreeBSD CURRENT even
> > possible?
> >  
> 
> From a network architecture view, there is no difference - a vlan is a
> network interface just like physical ethernet. Basically everything is
> the same (sometimes there is an issue with mtu, but this is hardware
> dependent).

Yes, so I thought, but as you stated, something is filtering and I have
no clue what.

> 
> Regards,
> 
> Milan

Kind regards,

Oliver



Re: static routes on VLAN on CURRENT

2017-07-02 Thread Freddie Cash
On Jul 2, 2017 4:40 AM, "Hartmann, O."  wrote:

Fiddling around with a self-brewed router/firewall based on 12-CURRENT
and ipfw, I run into problems when setting up a trunk port with
different VLANs and static routes.

The "router" has three NICs, igb0, igb1, igb2 (it is de facto an APU
2C4 from PCengines). igb0 is attached to an external VDSL2+ Modem and
not connected at the moment. igb2 is also not connected yet.

igb1 bears several VLANs: 2, 10, 100 (igb1.2, igb1.10 ...) and the
"native", untagged LAN (on igb1).


While it will sometimes work, I find that mixing tagged and untagged vlans
on a single interface leads to all kinds of silent failures and issues.

Just make vlan 1 tagged on that interface and the switch port. Then ignore
igb1 completely, and only use the igb1.X interfaces for everything.

To not use a routing daemon due to the small size of my network, I
decided to use static routes, in rc.conf I placed the following
variables:

static_routes="igb1.2 igb1.10"
route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"


You shouldn't need to add static routes as those routes will be added
automatically when you assign an IP/netmask to the interface.

Simplify things. Make everything tagged vlans, reduce your rc.conf to just
IP assignments to the sub interfaces, and see how things work. Build it up
from there.

Cheers,
Freddie


Re: static routes on VLAN on CURRENT

2017-07-02 Thread Milan Obuch
On Sun, 2 Jul 2017 20:13:49 +0200
"Hartmann, O."  wrote:

> On Sun, 2 Jul 2017 14:39:34 +0200
> Milan Obuch  wrote:

[ snip ]

> > > To not use a routing daemon due to the small size of my network, I
> > > decided to use static routes, in rc.conf I placed the following
> > > variables:
> > > 
> > > static_routes="igb1.2 igb1.10"
> > > route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
> > > route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
> > > 
> > > igb1 is assigned to IP/NET 192.168.0.1/24
> > > 

Just to be exact, could you show us ifconfig lines from rc.conf as well?
It is common to have something like

cloned_interfaces="igb1.2 igb1.10"
ifconfig_igb1_2="192.168.2.1/24"
ifconfig_igb1_10="192.168.10.1/24"

and no static routes as you showed, because address assigned to
interface means automatically line in route table, however, they should
look identical to those shown in your first mail.

> > > netstat -Warn gives me (as a dummy, since I have no direct access to
> > > the box via serial console from the system I write this mail):
> > > 
> > > Internet:
> > > Destination        Gateway   Flags      Use    Mtu   Netif
> > > 127.0.0.1          link#3    UH      334564  16384     lo0
> > > 192.168.0.0/24     link#4    U        23452   1500    igb1
> > > 192.168.0.1        link#4    UHS      29734  16384     lo0
> > > 192.168.2.0/24     link#5    U          271   1500  igb1.2
> > > 192.168.2.1        link#5    UHS          0  16384     lo0
> > 
> > I think you did not include network 192.168.10.0/24 on igb1.10...  
> 
> I skipped that, it is quite the same according to the settings of the
> others and unused for now. So it doesn't matter. But you're right.
>

This was just for the sake of completeness, nothing else.

[ sysctl stuff snipped - not relevant, I think ]

> > > From the routing device itself, it is possible to ssh into a VoIP
> > > client attached to the switch to which igb1.2 trunks the net.
> > > Pinging is also possible.
> > > 
> > > Attached to igb1 is the 192.168.0.1/24 network with a bunch of
> > > hosts. From any host within this network it is possible to ping
> > > the 192.168.2.0/24 network and its hosts within, but no SSH, not
> > > web (80, 443). 
> > >
> > 
> > Weird - if icmp (ping) works and tcp (web, ssh) not, something is
> > filtering traffic. But with net.inet.ip.forwarding=0, even pinging
> > host should not work. Try tcpdump to see what's going on.   
> 
> net.inet.ip.forwarding works as expected. See above, I confused the
> OID.
> 

[ snip ]

> > From a network architecture view, there is no difference - a vlan is a
> > network interface just like physical ethernet. Basically everything
> > is the same (sometimes there is an issue with mtu, but this is hardware
> > dependent).
> 
> Yes, so I thought, but as you stated, something is filtering and I
> have no clue what.
> 

Then I just recommend tcpdump - I would use 'tcpdump -nepi igb1.2 host
192.168.0.x and host 192.168.2.y' and 'tcpdump -nepi igb1 host
192.168.0.x and host 192.168.2.y' in two sessions and compare outputs
when pinging from 192.168.0.x to 192.168.2.y and when trying to ssh
from the former to the latter. Also there is a question then what these
two devices are, what OS they are running, their network
configuration... then we can analyse the problem better.

Regards,
Milan

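
Milan's two-capture method can be made mechanical: capture on the router interface facing each host, then check at which interface each packet of the ping and of the ssh attempt disappears. The following is an added example, not code from the thread or from FreeBSD, that parses the text output of `tcpdump -nepi <interface>` and reports whether the router forwarded the ICMP echo and the TCP SYN/SYN-ACK in each direction. It does not run tcpdump itself; the two captures embedded below are constructed sample lines (192.168.0.111 on igb1 and 192.168.2.50 on igb1.2 stand in for the 192.168.0.x and 192.168.2.y of the suggestion, the MAC addresses are made up), chosen to show the case where ping crosses the router but the SYN is accepted on igb1 and never appears on igb1.2.

```python
# Added example: locate where a TCP handshake dies on a FreeBSD router by
# comparing tcpdump output from the ingress and egress VLAN interfaces.
# Not code from the thread; the captures below are constructed sample lines.
import re

# Match the IP part of a `tcpdump -n` line; the `-e` link-layer prefix
# (MAC addresses, ethertype) is simply skipped over by re.search.
_ICMP = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply)")
_TCP = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: "
    r"Flags \[(?P<flags>[^\]]+)\]")


def parse_capture(text):
    """Reduce tcpdump text to a set of (src, dst, kind) observations."""
    seen = set()
    for line in text.splitlines():
        m = _ICMP.search(line)
        if m:
            seen.add((m["src"], m["dst"], "icmp-" + m["kind"]))
            continue
        m = _TCP.search(line)
        if m:
            kind = {"S": "tcp-syn", "S.": "tcp-synack"}.get(m["flags"], "tcp-other")
            seen.add((m["src"], m["dst"], kind))
    return seen


def diagnose(client, server, client_side, server_side):
    """client_side/server_side: observations from the router interface facing
    the client and the one facing the server. Returns a verdict per protocol."""
    def saw(obs, src, dst, kind):
        return (src, dst, kind) in obs

    icmp_ok = (saw(client_side, client, server, "icmp-request")
               and saw(server_side, client, server, "icmp-request")
               and saw(server_side, server, client, "icmp-reply")
               and saw(client_side, server, client, "icmp-reply"))

    # Walk the handshake hop by hop; the first missing step names the culprit.
    if not saw(client_side, client, server, "tcp-syn"):
        tcp = "SYN never reached the router: look at the client, switch membership or trunk"
    elif not saw(server_side, client, server, "tcp-syn"):
        tcp = "router got the SYN but did not forward it: packet filter on the router (ipfw/pf) or forwarding off"
    elif not saw(server_side, server, client, "tcp-synack"):
        tcp = "SYN was forwarded, no SYN-ACK came back: the server or its host firewall, not the router"
    elif not saw(client_side, server, client, "tcp-synack"):
        tcp = "SYN-ACK reached the router but was not forwarded back: filter on the return path"
    else:
        tcp = "handshake crosses the router both ways: look beyond it (MTU, application)"
    return {"icmp_forwarded_both_ways": icmp_ok, "tcp": tcp}


# Constructed captures (made-up MACs), as if taken on the router with
#   tcpdump -nepi igb1   host 192.168.0.111 and host 192.168.2.50
#   tcpdump -nepi igb1.2 host 192.168.0.111 and host 192.168.2.50
CAP_IGB1 = """\
10:00:01.000100 00:11:22:33:44:55 > 00:0d:b9:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 192.168.0.111 > 192.168.2.50: ICMP echo request, id 7, seq 1, length 64
10:00:01.000400 00:0d:b9:aa:bb:cc > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 192.168.2.50 > 192.168.0.111: ICMP echo reply, id 7, seq 1, length 64
10:00:05.000100 00:11:22:33:44:55 > 00:0d:b9:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.0.111.51234 > 192.168.2.50.22: Flags [S], seq 1000, win 65535, options [mss 1460], length 0
"""
CAP_IGB1_2 = """\
10:00:01.000200 00:0d:b9:aa:bb:cc > 00:0b:82:11:22:33, ethertype IPv4 (0x0800), length 98: 192.168.0.111 > 192.168.2.50: ICMP echo request, id 7, seq 1, length 64
10:00:01.000300 00:0b:82:11:22:33 > 00:0d:b9:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 192.168.2.50 > 192.168.0.111: ICMP echo reply, id 7, seq 1, length 64
"""


def run_sample():
    return diagnose("192.168.0.111", "192.168.2.50",
                    parse_capture(CAP_IGB1), parse_capture(CAP_IGB1_2))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Capture on the vlan(4) interfaces (igb1.2, igb1.66, ...) rather than on the parent, as Milan suggests, so the parser never has to deal with 802.1Q headers; with stateful ipfw rules (keep-state) a dropped return packet shows up as the fourth branch, not the second. The script only narrows the search to one side of the router; it says nothing about why a filter dropped the packet.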


Re: static routes on VLAN on CURRENT

2017-07-02 Thread Milan Obuch
On Sun, 2 Jul 2017 13:40:01 +0200
"Hartmann, O."  wrote:

[ snip ]

> On igb1.2 (vlan tag 2) I want to run an asterisk PBX (that is the main
> goal). The interface is attached with the IP 192.168.2.1. The NIC is
> attached to a VLAN capable switch and VLAN 2 is for VoIP telephones.
> 
> To not use a routing daemon due to the small size of my network, I
> decided to use static routes, in rc.conf I placed the following
> variables:
> 
> static_routes="igb1.2 igb1.10"
> route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
> route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"
> 
> igb1 is assigned to IP/NET 192.168.0.1/24
> 
> netstat -Warn gives me (as a dummy, since I have no direct access to the
> box via serial console from the system I write this mail):
> 
> Internet:
> Destination        Gateway   Flags      Use    Mtu   Netif
> 127.0.0.1          link#3    UH      334564  16384     lo0
> 192.168.0.0/24     link#4    U        23452   1500    igb1
> 192.168.0.1        link#4    UHS      29734  16384     lo0
> 192.168.2.0/24     link#5    U          271   1500  igb1.2
> 192.168.2.1        link#5    UHS          0  16384     lo0
>

I think you did not include network 192.168.10.0/24 on igb1.10...

> For readability, the Expire column has been avoided.
> 
> Since I use some tuning and security advisories for advanced settings,
> for the tests they were disabled or reset to FreeBSD's defaults, i.e.
> blackhole etc.
> 
> gateway_enable="YES" is set, I checked the sysctl also. Further,
> icmp_drop_redirect="NO" and "net.inet.ip.forwarding=0". I followed
> basically chapter 30.2 "Gateways and routes" of the recent handbook in
> addition to the Wiki "NetworkPerformanceTuning" of FreeBSD's.
>

This is kind of contradiction here - if you have line

gateway_enable="YES"

in /etc/rc.conf, then you should have set

net.inet.ip.forwarding=1

after system boot. If you edited /etc/rc.conf, setting will be
activated after reboot.

> From the routing device itself, it is possible to ssh into a VoIP
> client attached to the switch to which igb1.2 trunks the net. Pinging
> is also possible.
> 
> Attached to igb1 is the 192.168.0.1/24 network with a bunch of hosts.
> From any host within this network it is possible to ping the
> 192.168.2.0/24 network and its hosts within, but no SSH, not web (80,
> 443). 
>

Weird - if icmp (ping) works and tcp (web, ssh) not, something is
filtering traffic. But with net.inet.ip.forwarding=0, even pinging host
should not work. Try tcpdump to see what's going on. 

> Since my IPFW setup is a catastrophe, I switched it off (ipfw firewall
> disable) in combination with setting
> "net.inet.ip.fw.default_to_accept=1". So, this should ensure that
> anything is passed the ipfw. But the result is still the same. What am
> I doing wrong here? Is inter VLAN routing in FreeBSD CURRENT even
> possible?
>

From a network architecture view, there is no difference - a vlan is a
network interface just like physical ethernet. Basically everything is
the same (sometimes there is an issue with mtu, but this is hardware
dependent).

Regards,

Milan


static routes on VLAN on CURRENT

2017-07-02 Thread Hartmann, O.
Fiddling around with a self-brewed router/firewall based on 12-CURRENT
and ipfw, I run into problems when setting up a trunk port with
different VLANs and static routes.

The "router" has three NICs, igb0, igb1, igb2 (it is de facto an APU
2C4 from PCengines). igb0 is attached to an external VDSL2+ Modem and
not connected at the moment. igb2 is also not connected yet.

igb1 bears several VLANs: 2, 10, 100 (igb1.2, igb1.10 ...) and the
"native", untagged LAN (on igb1). There is no default route set, but
even with the ISP's network active and igb0/tun0, via ppp
configuration, with tun0 attached to the address obtained by the ISP
and set as default route, the problem I try to describe persists and
is the same with or without the default route.

On igb1.2 (vlan tag 2) I want to run an asterisk PBX (that is the main
goal). The interface is attached with the IP 192.168.2.1. The NIC is
attached to a VLAN capable switch and VLAN 2 is for VoIP telephones.

To not use a routing daemon due to the small size of my network, I
decided to use static routes, in rc.conf I placed the following
variables:

static_routes="igb1.2 igb1.10"
route_igb1_2="-net 192.168.2.0/24 -interface igb1.2"
route_igb1_10="-net 192.168.10.0/24 -interface igb1.10"

igb1 is assigned to IP/NET 192.168.0.1/24

netstat -Warn gives me (as a dummy, since I have no direct access to the
box via serial console from the system I write this mail):

Internet:
Destination        Gateway   Flags      Use    Mtu   Netif
127.0.0.1          link#3    UH      334564  16384     lo0
192.168.0.0/24     link#4    U        23452   1500    igb1
192.168.0.1        link#4    UHS      29734  16384     lo0
192.168.2.0/24     link#5    U          271   1500  igb1.2
192.168.2.1        link#5    UHS          0  16384     lo0

For readability, the Expire column has been avoided.

Since I use some tuning and security advisories for advanced settings,
for the tests they were disabled or reset to FreeBSD's defaults, i.e.
blackhole etc.

gateway_enable="YES" is set, I checked the sysctl also. Further,
icmp_drop_redirect="NO" and "net.inet.ip.forwarding=0". I followed
basically chapter 30.2 "Gateways and routes" of the recent handbook in
addition to the Wiki "NetworkPerformanceTuning" of FreeBSD's.

From the routing device itself, it is possible to ssh into a VoIP
client attached to the switch to which igb1.2 trunks the net. Pinging
is also possible.

Attached to igb1 is the 192.168.0.1/24 network with a bunch of hosts.
From any host within this network it is possible to ping the
192.168.2.0/24 network and its hosts within, but no SSH, not web (80,
443). 

Since my IPFW setup is a catastrophe, I switched it off (ipfw firewall
disable) in combination with setting
"net.inet.ip.fw.default_to_accept=1". So, this should ensure that
anything is passed by ipfw. But the result is still the same. What am
I doing wrong here? Is inter VLAN routing in FreeBSD CURRENT even
possible?

My knowledge about routing is limited. The handbook covers the
simplest examples and from the perspective of the simple examples, VLAN
static routing should be very similar - with regard to chapter 30.2, and
the example of multiple (two) routers separating the network, the
router with multiple "NICs/VLANs" is very much the same except the fact
that in the example shown in 30.2 the routing devices do have two NICs
while in my case there is only one "backend" to all NICs.

What is wrong in my logic?

Thanks for your patience,

kind regards
Oliver