On Thu, 22 Jul 2010 17:15:00 +0100
sslay...@iom.com wrote:

> I've had no luck Googling this issue so thought I'd ask the experts.
> 
> OK, we have 4 firewalls providing internet connectivity whose internal
> interfaces are on a single shared subnet, although the IPs are
> different. Outbound traffic from the various hosts on this subnet is
> distributed across the firewalls by setting the firewall internal
> IPs as the various different GW addresses, i.e. hosts A/B/C/D use
> FW1 as their GW, hosts E/F/G/H use FW2 as their gateway, etc.
> 
> OK, so my problem is this. We have a single monitoring host that needs
> to send outbound traffic (ICMP) via the 4 different firewalls to the
> _SAME_ remote address, e.g. send ICMP to www.apple.com via FW1, then
> send ICMP via FW2 to www.apple.com, FW3, etc.
> 
> The idea is to check the Firewalls and their upstream connectivity
> not the end host per se.
> 
> To achieve this I've tried the following:
> 
> Create 4 VLAN interfaces all on the same VLAN as the shared subnet
> using alternate IPs but on different routing domains.
> 
> i.e. VLAN no. 10:
> 
> hostname.vlan101 - inet 10.11.12.1 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 1
> hostname.vlan102 - inet 10.11.12.2 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 2
> hostname.vlan103 - inet 10.11.12.3 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 3
> hostname.vlan104 - inet 10.11.12.4 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 4
> 
> I then add default gateways to each routing domain, i.e.
> 
> route -T 1 default 10.11.12.50
> route -T 2 default 10.11.12.51
> route -T 3 default 10.11.12.52
> route -T 4 default 10.11.12.53
> 
> To achieve the monitor we then do the following and capture the
> output:
> 
> ping -V 1 www.apple.com
> ping -V 2 www.apple.com
> ping -V 3 www.apple.com
> ping -V 4 www.apple.com
> 
> If I create the 1st VLAN/rdomain everything works perfectly; however,
> as soon as I add the 2nd VLAN interface, traffic on both VLANs stops.
> Destroying the 2nd VLAN instance restores traffic.
> 
> The host is running OpenBSD i386 GENERIC 4.7 (release). Sorry, no
> dmesg as yet, but I can get this and anything else if need be tomorrow.
> 
> Is what I'm trying to do possible? Any help is much appreciated.

Why not just get rid of all this VLAN system and just manually set the
default route of the testing host to GW[1234] alternatively during
testing?
It looks like a much simpler way of doing things.

Regards,

-- 
Stephane Sezer
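As an added example, not part of either message above, here is how the per-rdomain pings from the original post can be wrapped into a small per-firewall reachability check. It assumes rdomains 1 to 4 already carry the default routes via FW1 to FW4 as configured in the post, that ping accepts -V <rdomain> and -c <count>, and that the summary line ends in "<n>% packet loss" (the sample lines are constructed); the failure case where ping emits no summary at all (e.g. name resolution failing inside that rdomain) is reported as down rather than silently skipped.

```shell
#!/bin/sh
# Added example: report FW1..FW4 upstream reachability via OpenBSD rdomains.
# Assumption: rdomain N has its default route pointing at firewall N.

TARGET=${TARGET:-www.apple.com}   # same remote address for every path

# parse_loss: pull the loss percentage out of ping's summary line.
# Constructed sample: "3 packets transmitted, 3 packets received, 0.0% packet loss"
parse_loss() {
    printf '%s\n' "$1" | sed -n 's/.*, \([0-9.]*\)% packet loss.*/\1/p'
}

# classify: "up" if any reply came back; "down" on 100% loss or when no
# summary line is present (ping died early, e.g. unknown host in that rdomain).
classify() {
    loss=$(parse_loss "$1")
    case "$loss" in
        "")         echo down ;;
        100|100.0)  echo down ;;
        *)          echo up ;;
    esac
}

# check_rdomain: send a few probes inside one routing domain and classify.
# ping's own exit status is ignored so a dead path is reported, not fatal.
check_rdomain() {
    rd=$1
    out=$(ping -V "$rd" -c 3 "$TARGET" 2>&1 || true)
    classify "$out"
}

# main: one line per firewall, suitable for feeding into a monitor.
main() {
    for rd in 1 2 3 4; do
        printf 'FW%s (rdomain %s): %s\n' "$rd" "$rd" "$(check_rdomain "$rd")"
    done
}

# Only probe the network when invoked as: sh check_fw.sh run
case "${1:-}" in run) main ;; esac
```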
