Re: Multiple VLANs in the same subnet on different Routing Domains
Many thanks for the replies folks, much appreciated. Let me give you a little more detail on what we do as this will explain why this is needed. We have created a perl script that launches an 'ICMP ping' which is configured for 1 ping per second with a 1 second timeout, max 60 pings. When the ping completes we collect the results and the perl script immediately relaunches the ping process and everything continues. So with this we have constant pinging of a remote host once per second with data collected every minute. This data is then stored in an RRD for later analysis through CACTI. Baseline latency (over the last 3 hours) and 5 min latency along with packet loss are recorded and alerted upon etc. I need to test the link through _all_ the firewalls _all_ the time to the same end hosts; in truth we actually monitor between 20 and 30 remote systems, so given the constant pings being sent, mangling the default GW each time is simply not possible. The remote hosts need to be the same so as to eliminate them from the testing, i.e. if the pinger to remote host X through firewall 1 shows packet loss but no others do then it's an issue centred around firewall 1 and its connections, _not_ remote host X. By using rdomains I can in theory achieve this as I can gain multiple default GWs and need simply to choose the rdomain to use when issuing the ping. Now I appreciate that the way we monitor may seem excessive to some, however the reason for this is due to the nature of our business and customer type, e-gaming. Think 500k plus users all sending very small TCP packets at huge rates, their connections being distributed across the multiple firewalls for capacity and resilience reasons. If one of these firewalls or its connections falters in any way we need to know quickly to prevent large scale customer disruption.
This approach has been in use for the past 2 years, albeit with multiple hosts originating the pings, and has proven itself time and time again as invaluable as a means of early fault detection. We regularly inform our transit providers L3/TIS/MCI of issues on their network long before they are aware. With the introduction of rdomains in 4.6 this seemed perfect for our monitoring needs as it would allow us to reduce the sheer number of boxes we use to achieve our monitoring. Thanks for the posts so far, and rest assured I always insist we buy a copy of the release CDs for every machine we run OBSD on.
Multiple VLANs in the same subnet on different Routing Domains
I've had no luck Googling this issue so thought I'd ask the experts. Ok, we have 4 firewalls providing internet connectivity whose internal interfaces are on a single shared subnet, although the IPs are different. Outbound traffic from the various hosts on this subnet is distributed across the firewalls by setting the firewall internal IPs as the various different GW addresses, i.e. hosts A/B/C/D use FW1 as their GW, hosts E/F/G/H use FW2 as their gateway etc. Ok, so my problem is this. We have a single monitoring host that needs to send outbound traffic (ICMP) via the 4 different firewalls to the _SAME_ remote address, e.g. send ICMP to www.apple.com via FW1, then send ICMP via FW2 to www.apple.com, FW3 etc. The idea is to check the firewalls and their upstream connectivity, not the end host per se. To achieve this I've tried the following: create 4 VLAN interfaces all on the same VLAN as the shared subnet using alternate IPs but on different routing domains, i.e. VLAN no. 10:

hostname.vlan101 - inet 10.11.12.1 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 1
hostname.vlan102 - inet 10.11.12.2 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 2
hostname.vlan103 - inet 10.11.12.3 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 3
hostname.vlan104 - inet 10.11.12.4 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 4

I then add default gateways to each routing domain, i.e.

route -T 1 default 10.11.12.50
route -T 2 default 10.11.12.51
route -T 3 default 10.11.12.52
route -T 4 default 10.11.12.53

To achieve the monitor we then do the following and capture the output:

ping -V 1 www.apple.com
ping -V 2 www.apple.com
ping -V 3 www.apple.com
ping -V 4 www.apple.com

If I create the 1st VLAN/rdomain everything works perfectly, however as soon as I add the 2nd VLAN interface traffic on both VLANs stops. Destroying the 2nd VLAN instance restores traffic. The host is running OpenBSD i386 GENERIC 4.7 (release).
Sorry, no dmesg as yet but I can get this and anything else if need be tomorrow. Is what I'm trying to do possible? Any help is much appreciated.
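The following is an added illustration of the monitoring logic described in both posts above (one 60-probe ping run per routing domain against the same remote host, then comparing the runs to decide whether a firewall or the remote host is at fault). It is not the poster's Perl script and not OpenBSD code. Assumptions not confirmed by the thread: that OpenBSD ping(8) takes -V rtable, -c count, -i interval and -w per-probe wait as shown in ping_argv(), and that its summary lines look like the constructed sample output embedded below (the rdomain-to-gateway mapping is the one given with route -T in the question).

```python
"""Per-firewall path check modelled on the thread's approach: one ping run
per routing domain to the same remote host, then compare the runs.

Added illustration, not the poster's Perl script. Assumptions (not confirmed
by the thread): OpenBSD ping(8) accepts -V rtable, -c count, -i interval and
-w wait as used in ping_argv(), and its summary lines look like the
constructed sample output below.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Routing domain -> firewall gateway, as configured with route -T in the thread.
RDOMAIN_GATEWAYS = {1: "10.11.12.50", 2: "10.11.12.51",
                    3: "10.11.12.52", 4: "10.11.12.53"}

# Constructed ping summaries, one per routing domain (not real captures).
# Paths 2 and 4 show loss, paths 1 and 3 do not.
SAMPLE_OUTPUT: Dict[int, str] = {
    1: "--- www.example.com ping statistics ---\n"
       "60 packets transmitted, 60 packets received, 0.0% packet loss\n"
       "round-trip min/avg/max/std-dev = 12.1/13.4/19.8/1.2 ms\n",
    2: "--- www.example.com ping statistics ---\n"
       "60 packets transmitted, 57 packets received, 5.0% packet loss\n"
       "round-trip min/avg/max/std-dev = 12.3/14.0/41.7/4.9 ms\n",
    3: "--- www.example.com ping statistics ---\n"
       "60 packets transmitted, 60 packets received, 0.0% packet loss\n"
       "round-trip min/avg/max/std-dev = 12.0/13.1/18.2/1.1 ms\n",
    4: "--- www.example.com ping statistics ---\n"
       "60 packets transmitted, 0 packets received, 100.0% packet loss\n",
}


def ping_argv(rdomain: int, host: str, count: int = 60,
              interval: int = 1, wait: int = 1) -> List[str]:
    """Command for one 60-probe run at 1 pps with a 1 s per-probe wait,
    sent from the given routing domain (flag names are an assumption)."""
    return ["ping", "-V", str(rdomain), "-c", str(count),
            "-i", str(interval), "-w", str(wait), host]


@dataclass
class PingResult:
    rdomain: int
    sent: int
    received: int
    avg_ms: Optional[float]  # None when every probe was lost

    @property
    def loss_pct(self) -> float:
        return 100.0 * (self.sent - self.received) / self.sent


_SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+) packets received")
_RTT = re.compile(r"round-trip min/avg/max(?:/std-dev)? = [\d.]+/([\d.]+)/")


def parse_ping(rdomain: int, output: str) -> PingResult:
    """Extract sent/received counts and average RTT from one ping run."""
    m = _SUMMARY.search(output)
    if m is None:
        raise ValueError("no ping statistics summary in output")
    sent, received = int(m.group(1)), int(m.group(2))
    if sent == 0:
        raise ValueError("ping reports zero packets transmitted")
    r = _RTT.search(output)
    avg = float(r.group(1)) if r else None
    return PingResult(rdomain, sent, received, avg)


def isolate_fault(results: List[PingResult], loss_threshold: float = 1.0) -> dict:
    """The thread's reasoning: loss on some paths but not all points at those
    firewalls/uplinks; loss on every path points at the remote host."""
    lossy = sorted(r.rdomain for r in results if r.loss_pct >= loss_threshold)
    if not lossy:
        return {"suspect": "none", "rdomains": []}
    if len(lossy) == len(results):
        return {"suspect": "remote host", "rdomains": lossy}
    return {"suspect": "firewall", "rdomains": lossy}


def latency_alert(baseline_avgs: List[float], recent_avgs: List[float],
                  ratio: float = 1.5) -> bool:
    """Compare a short window (e.g. last 5 min) against a longer baseline
    (e.g. last 3 h); alert when the recent mean exceeds baseline * ratio."""
    if not baseline_avgs or not recent_avgs:
        return False
    base = sum(baseline_avgs) / len(baseline_avgs)
    recent = sum(recent_avgs) / len(recent_avgs)
    return recent > base * ratio


def run_sample() -> dict:
    """Parse the constructed outputs and return the per-path verdict."""
    results = [parse_ping(rd, out) for rd, out in sorted(SAMPLE_OUTPUT.items())]
    return isolate_fault(results)


if __name__ == "__main__":
    for rd in sorted(RDOMAIN_GATEWAYS):
        print(" ".join(ping_argv(rd, "www.example.com")))
    print(run_sample())
```

In a live deployment each run would come from subprocess.run(ping_argv(rd, host), capture_output=True, text=True) inside a loop that relaunches the ping as soon as it exits, as the reply describes; the constructed outputs stand in for that here so the parsing and isolation rule can be exercised offline.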
HPING or equiv
Hi Folks, looking for a bit of insight from you guys in the know. I've deployed a 4.3 box as a pen test / scanning tool for our network. One of the toys I've put on is HPING from the packages collection. Ok so here's the problem: if I do a 'hping -c 1 -i u100 -1 xx.xx.xx.xx' I generate a rather unimpressive 50pps. Issuing the same command on a Gentoo box (sorry) I get 9000+ pps. In both cases HPING is v2.00.xx something. I've tried HPING3 but the result is the same. So HPING on OBSD is broken; are there any alternatives? I need to generate a large number of packets to test our DDoS system, Arbor PeakFlow + TMS, OpenBSD 4.3 at its core ;-) Any suggestions much appreciated, also if I can fix HPING or anyone knows of a patch that would be good too. Thanks Simon