On 2010-03-24 15:37, Ray Van Dolson wrote:
> On Wed, Mar 24, 2010 at 12:16:17AM -0700, Darren Reed wrote:
>> On Tue, 23 Mar 2010 09:14 -0700, "Ray Van Dolson" <[email protected]>
>> wrote:
>>> I have a multihomed box running Solaris 10 U8 (IP filter v4.1.9).
>>> There are two interfaces, igb0 and igb2, both on the same subnet
>>> (10.49.0.0/16) with, obviously, different IPs.
>>>
>>> igb0: 10.49.2.110/16
>>> igb2: 10.49.2.111/16
>>>
>>> Default Gateway: 10.49.254.254
>>>
>>> When traffic destined for 10.49.2.111 enters igb2, by default replies
>>> go back out igb0.
>>>
>>> I want anything with a source IP of 10.49.2.111 to go out igb2.
>>>
>>> The following two rules work:
>>>
>>> (1) block out log quick on igb0 to igb2:10.49.254.254 from 10.49.2.111
>>> to any
>>> (2) pass out log quick on igb0 to igb2:10.49.254.254 from 10.49.2.111
>>> to any
>>>
>>> But the downside is, if the destination is also on the 10.49.0.0/16,
>>> when it arrives it appears as if it's coming from the gateway instead
>>> of from the MAC address of igb2.
>>>
>>> I tried the following:
>>>
>>> (1) block out log quick on igb0 to igb2 from 10.49.2.111 to any
>>> (2) pass out log quick on igb0 to igb2 from 10.49.2.111 to any
>>>
>>> But, while these rules don't complain and seem to show matches in the
>>> log, the packets never reach the destination.
>>>
>>> Any suggestions? Do I _have_ to specify a next-hop? I just want the
>>> system to rely on its local ARP table for delivery, especially if the
>>> packet is destined to the local subnet...
>>
>> Are you able to use snoop/tcpdump to determine if anything is sent
>> out igb2 or does the packet simply disappear down a black hole?
>
> Black hole... :) From responses I've gotten on the OpenSolaris network
> list, it sounds like this sort of thing won't work -- it's more aimed
> at boxes multihomed on different subnets so I can make use of a
> gateway.
Maybe setting the strong host model will help. Something like:

ndd -set /dev/ip ip_strict_dst_multihoming 1

-- 
Jefferson Ogata <[email protected]>
NOAA Computer Incident Response Team (N-CIRT) <[email protected]>
"Never try to retrieve anything from a bear."--National Park Service
