On Thu, Jul 22, 2010 at 9:15 AM, <[email protected]> wrote:
...
> Ok so my problem is this. We have a single monitoring host that needs to send
> outbound traffic (ICMP) via the 4 different Firewalls to the _SAME_ remote
> address. e.g. Send ICMP to www.apple.com via FW1 then send ICMP via FW2 to
> www.apple.com, FW3 etc.
>
> The idea is to check the Firewalls and their upstream connectivity not the end
> host per se.
>
> To achieve this I've tried the following:
>
> Create 4 VLAN interfaces all on the same VLAN as the shared subnet using
> alternate IP's but on different routing domains.
Hmm. I don't think you need different routing domains, but rather only
different routing tables. You only need to override the outbound
routing and not create a separation behind interfaces.
> i.e. Vlan no. 10 :
>
> hostname.vlan101 - inet 10.11.12.1 255.255.255.0 NONE vlan 10 vlandev bge0
> rdomain 1
> hostname.vlan102 - inet 10.11.12.2 255.255.255.0 NONE vlan 10 vlandev bge0
> rdomain 2
Umm, what? Put yourself in the kernel's position. A packet with vlan
tag of 10 is received on the bge0 physical interface: what interface
and routing domain should it show up in? That's a layer 2 decision
that the kernel has to make _without_ considering the src or dest IP
addresses. Given that, do you see why your interface definitions
there are in conflict?
...
> If I create the 1st VLAN/rdomain everything works perfectly however as soon
> as I
> add the 2nd vlan interface traffic on both vlans stops. Destroying the 2nd
> vlan
> instance restores traffic.
Yeah, that meets my expectations.
> The host is running OpenBSD i386 Generic 4.7 (release). Sorry no DMESG as yet
> but I can get this and anything else if need be tomorrow.
>
> Is what I'm trying to do possible? Any help is much appreciated.
Let me make sure I understand the problem. You have a system where
you sometimes want to route packets out an interface according to
rules other than the normal rules, but you don't need to do any
separation of interfaces as far as forwarding or binding of addresses
goes? If so, then I believe you only need to create distinct routing
tables and not actual routing domains. To do that, you need
1) *one* interface bound to the correct physical device and vlan,
*in the default routing domain*,
2) the 'route -T' commands from your message (to create the
alternative routing tables), and
3) the 'ping -V' commands from your original message (to use
those alternatives).
I also strongly advise you to upgrade to -current. No, really.
Claudio spent a chunk of time at c2k10 helping Peter and me understand
the distinction between rtables and rdomains...and in the process of
explaining and then fixing the naming in the source tree, he found
some issues in the implementation. ("If you really want to understand
something, explain it to someone else") Here's the action shot of
that explanation from jcr's article at undeadly.org:
http://www.designtools.org/OpenBSD/c2k10/debate3-l.jpg
You're working with something that's being actively updated by the
developer; staying current is staying sane.
Philip Guenther
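The layout Philip recommends (one vlan(4) interface in the default routing domain, one extra rtable per firewall, ping -V to pick the table) written out as the OpenBSD commands it implies. This is an added example for this page, not code from Philip or from the original poster, and everything below the thread did not state is an assumption: the shared subnet is 10.11.12.0/24, the monitoring host keeps 10.11.12.1, and the four firewalls answer on 10.11.12.251 through 10.11.12.254. By default the script only prints the commands (RUN=echo) so it can be reviewed on any box; run it with RUN= as root on the OpenBSD host to execute them.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.  Assumed values
# (subnet, host address, firewall addresses) are constructed for the
# illustration; adjust them to your own network.

# RUN=echo (the default) prints each command instead of executing it.
# Invoke as RUN= ./script.sh on the real host to apply the settings.
RUN="${RUN-echo}"

PHYS=bge0              # physical interface from the original post
VLANTAG=10             # the shared VLAN from the original post
VIF="vlan$VLANTAG"
HOSTIP=10.11.12.1      # assumed: the monitoring host's only address
NETMASK=255.255.255.0
# Constructed list: "<rtable id> <firewall address on the shared subnet>"
FIREWALLS="1 10.11.12.251
2 10.11.12.252
3 10.11.12.253
4 10.11.12.254"

# Exactly one vlan interface carries tag 10 on bge0, and it stays in
# rdomain 0.  A second interface with the same tag on the same parent is
# the conflict the reply points out: the kernel demultiplexes a tagged
# frame on (parent, tag) before it has looked at any IP address.
setup_interface() {
    $RUN ifconfig "$VIF" create
    $RUN ifconfig "$VIF" vlan "$VLANTAG" vlandev "$PHYS"
    $RUN ifconfig "$VIF" inet "$HOSTIP" netmask "$NETMASK"
}

# route -T creates the table on first use.  The tables differ only in
# their default route, which is all the probe needs; no addresses are
# bound per table and no interface is moved out of rdomain 0.
setup_rtables() {
    echo "$FIREWALLS" | while read -r tbl gw; do
        $RUN route -T "$tbl" add default "$gw"
    done
}

# Check: print what a given table actually contains before trusting it.
show_rtable() {
    $RUN route -n -T "$1" show -inet
}

# Probe the same target through each firewall.  ping -V selects the
# routing table for the socket, so the packet leaves through whichever
# gateway that table names; source address and interface never change.
probe_via() {
    tbl=$1
    target=$2
    $RUN ping -V "$tbl" -c 3 "$target"
}

main() {
    setup_interface
    setup_rtables
    for t in 1 2 3 4; do
        show_rtable "$t"
        probe_via "$t" www.apple.com
    done
}

main "$@"
```

A non-zero exit from one of the ping calls then means that firewall (or its upstream) failed the probe, independent of the other three, which is the check the original poster was after. Because all four tables share the one interface and address, each firewall must be willing to forward traffic from 10.11.12.1 for this to prove anything about its upstream path.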