On Thu, 24 Nov 2005, Jason Dixon wrote:

> I'm testing PF on a proposed network design and experiencing some unexpected
> behavior. With three vlan(4) interfaces on the interior of an OpenBSD
> gateway, each of the clients on a segment is able to ping the gateway address
> for at least one of the other VLAN gateways. I'm not sure whether this is a
> bug with OpenBSD or my switch. I wouldn't be surprised that it's the fault of
> this Dell PowerConnect 3024, but I'm still wondering why OpenBSD honors the
> tagged packet on the wrong vlan(4) interface. I know the Dell PowerConnects
> are crap, but it's what I have in my home for testing. The production network
> will be running Catalyst 2950s.
>
> The clients are all connected to untagged VLAN ports on the switch. The
> OpenBSD gateway is plugged into a port tagged with all 3 VLANs.
>
> vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:d0:b7:bf:c6:95
>         vlan: 2 parent interface: fxp0
>         groups: vlan
>         inet6 fe80::2d0:b7ff:febf:c695%vlan0 prefixlen 64 scopeid 0x8
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
> vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:d0:b7:bf:c6:95
>         vlan: 3 parent interface: fxp0
>         groups: vlan
>         inet6 fe80::2d0:b7ff:febf:c695%vlan1 prefixlen 64 scopeid 0x9
>         inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
> vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:d0:b7:bf:c6:95
>         vlan: 4 parent interface: fxp0
>         groups: vlan
>         inet6 fe80::2d0:b7ff:febf:c695%vlan2 prefixlen 64 scopeid 0xa
>         inet 10.20.20.1 netmask 0xffffff00 broadcast 10.20.20.255
>
> ==============
> Test Summary
> ==============
> Client 10.0.0.50
>   can ping 10.0.0.1
>   can not ping 10.10.10.1
>   can ping 10.20.20.1
>
> Client 10.10.10.50
>   can ping 10.0.0.1
>   can ping 10.10.10.1
>   can ping 10.20.20.1
>
> Client 10.20.20.50
>   can not ping 10.0.0.1
>   can ping 10.10.10.1
>   can ping 10.20.20.1
Your clients have the OpenBSD system as their gateway, right? I think it's normal for a multi-homed BSD system to accept traffic for all its IP addresses (even with forwarding turned off). That does not explain why some of your ping tests fail though.

-- 
Cam
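If the behaviour Cam describes (the gateway answering for any of its addresses on whichever interface the packet arrives) is not wanted, it can be constrained in PF itself. The following pf.conf fragment is an added example and is not part of either message in the thread; it assumes the three vlan(4) interfaces and addresses from the quoted ifconfig output, and the pf.conf grammar of OpenBSD of that era (parenthesised interface names expand to the interface's current addresses).

```pf
# Added example, not from the original thread.
# Assumes vlan0 = 10.0.0.1/24, vlan1 = 10.10.10.1/24, vlan2 = 10.20.20.1/24
# on the interior of the OpenBSD gateway, as in the quoted ifconfig output.
int_ifs = "{ vlan0 vlan1 vlan2 }"

# Drop packets arriving on an interior VLAN whose source address does not
# belong to that VLAN's own subnet (spoofed or mis-tagged traffic).
antispoof quick for $int_ifs inet

# Only accept traffic addressed to the gateway address that actually lives
# on the interface the packet came in on. (vlanN) expands to that
# interface's own addresses, so a packet entering vlan0 for 10.20.20.1
# is dropped instead of being answered.
block in quick on vlan0 inet to { (vlan1) (vlan2) }
block in quick on vlan1 inet to { (vlan0) (vlan2) }
block in quick on vlan2 inet to { (vlan0) (vlan1) }

# What remains for the gateway itself: echo requests to the local VLAN's
# gateway address. Forwarded traffic between VLANs is matched by
# separate rules (not shown) because its destination is not a gateway address.
pass in on $int_ifs inet proto icmp to $int_ifs icmp-type echoreq
```

With these rules in place, the client 10.0.0.50 from the test summary still reaches 10.0.0.1 but no longer gets a reply from 10.20.20.1, which makes it easier to tell a switch tagging fault from the host's normal multi-homed behaviour: a ping that still succeeds after the block rule means the packet arrived on the "correct" vlan(4) interface, so the switch delivered it there.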