On Wed, Mar 24, 2010 at 11:08:04AM -0700, Darren Reed wrote:
> On Wed, 24 Mar 2010 08:37 -0700, "Ray Van Dolson" <[email protected]>
> wrote:
> > On Wed, Mar 24, 2010 at 12:16:17AM -0700, Darren Reed wrote:
> > > On Tue, 23 Mar 2010 09:14 -0700, "Ray Van Dolson" <[email protected]>
> > > wrote:
> > > > I have a multihomed box running Solaris 10 U8 (IP filter v4.1.9).
> > > > There are two interfaces, igb0 and igb2, both on the same subnet
> > > > (10.49.0.0/16) with, obviously, different IPs.
> > > >
> > > > igb0: 10.49.2.110/16
> > > > igb2: 10.49.2.111/16
> > > >
> > > > Default Gateway: 10.49.254.254
> > > >
> > > > When traffic destined for 10.49.2.111 enters igb2, by default replies
> > > > go back out igb0.
> > > >
> > > > I want anything with a source IP of 10.49.2.111 to go out igb2.
> > > >
> > > > The following two rules work:
> > > >
> > > > (1) block out log quick on igb0 to igb2:10.49.254.254 from 10.49.2.111
> > > >     to any
> > > > (2) pass out log quick on igb0 to igb2:10.49.254.254 from 10.49.2.111
> > > >     to any
> > > >
> > > > But the downside is, if the destination is also on the 10.49.0.0/16,
> > > > when it arrives it appears as if it's coming from the gateway instead
> > > > of from the MAC address of igb2.
> > > >
> > > > I tried the following:
> > > >
> > > > (1) block out log quick on igb0 to igb2 from 10.49.2.111 to any
> > > > (2) pass out log quick on igb0 to igb2 from 10.49.2.111 to any
> > > >
> > > > But, while these rules don't complain and seem to show matches in the
> > > > log, the packets never reach the destination.
> > > >
> > > > Any suggestions? Do I _have_ to specify a next-hop? I just want the
> > > > system to rely on its local ARP table for delivery, especially if the
> > > > packet is destined to the local subnet...
> > >
> > > Are you able to use snoop/tcpdump to determine if anything is sent
> > > out igb2 or does the packet simply disappear down a black hole?
> >
> > Black hole... :) From responses I've gotten on the OpenSolaris network
> > list, it sounds like this sort of thing won't work -- it's more aimed
> > at boxes multihomed on different subnets so I can make use of a
> > gateway.
>
> Are you at all proficient with dtrace?
>
> Darren
>
I'm not, unfortunately. Guessing you'd like me to trace where the packets
ultimately end up? At this point we've worked around the issue by adjusting
our infrastructure, but I could probably set up a test box to test this very
setup again.

Ray
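The thread turns on the two spellings of IPFilter's route-to clause, `to igb2:10.49.254.254` and `to igb2`. As an added example, not code from the thread or from IPFilter itself, here is a small Python parser for exactly the rule subset quoted above. It pulls the route-to interface and next-hop out of each rule and lists the rules that name an interface without a next-hop, which is the variant Ray reported as matching in the log but never delivering. The grammar it accepts is an assumption limited to the keywords used in these rules (the real ipf.conf grammar is much larger), and the sample ruleset is constructed from the rules in the thread plus one ordinary filter rule.

```python
"""Parse the subset of IPFilter (ipf.conf) rule syntax used in the thread.

Constructed example: the grammar below covers only action/direction, the
optional ``log`` and ``quick`` keywords, ``on <iface>``, the optional
route-to clause ``to <iface>[:<next-hop>]`` and ``from <src> to <dst>``.
The real ipf.conf grammar is much larger; this subset is an assumption
made for illustration, not a reimplementation of ipf.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ruleset: the four rules quoted in the thread plus one
# ordinary filter rule with no route-to clause.
SAMPLE_RULES = """\
block out log quick on igb0 to igb2:10.49.254.254 from 10.49.2.111 to any
pass out log quick on igb0 to igb2:10.49.254.254 from 10.49.2.111 to any
block out log quick on igb0 to igb2 from 10.49.2.111 to any
pass out log quick on igb0 to igb2 from 10.49.2.111 to any
pass in quick on igb2 from any to 10.49.2.111
"""

# Both the route-to clause and the destination clause use the keyword "to".
# The route-to "to" is the one that appears between "on <iface>" and "from",
# so the regex anchors it there and treats the later "to" as the destination.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<direction>in|out)"
    r"(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<on_if>\S+)"
    r"(?:\s+to\s+(?P<route_if>[A-Za-z0-9]+)"
    r"(?::(?P<next_hop>\d{1,3}(?:\.\d{1,3}){3}))?)?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s*$"
)


@dataclass
class Rule:
    action: str
    direction: str
    log: bool
    quick: bool
    on_if: str
    route_if: Optional[str]  # interface named in the route-to clause, if any
    next_hop: Optional[str]  # next-hop address after the colon, if any
    src: str
    dst: str


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raise ValueError for anything outside the subset."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(
        action=m["action"],
        direction=m["direction"],
        log=m["log"] is not None,
        quick=m["quick"] is not None,
        on_if=m["on_if"],
        route_if=m["route_if"],
        next_hop=m["next_hop"],
        src=m["src"],
        dst=m["dst"],
    )


def parse_rules(text: str) -> List[Rule]:
    """Parse a ruleset, skipping blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def route_to_without_next_hop(rules: List[Rule]) -> List[Rule]:
    """Return rules that redirect to an interface but give no next-hop.

    This is the variant that, in the thread, logged matches but never
    delivered packets; the function only points such rules out for review.
    """
    return [r for r in rules if r.route_if is not None and r.next_hop is None]


if __name__ == "__main__":
    for r in route_to_without_next_hop(parse_rules(SAMPLE_RULES)):
        print(f"route-to without next-hop: {r.action} {r.direction} "
              f"on {r.on_if} to {r.route_if}")
```

Run against the constructed ruleset, the script flags the third and fourth rules (the `to igb2` pair) and leaves the `to igb2:10.49.254.254` pair and the plain filter rule alone.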
