if your testing host is in the same subnet as the 3 gateways' inside
interfaces, then your probe script can just overwrite the ARP entry for the
next hop to each of the gateways in turn. no need to do any layer 3 changes at
all.


/Pete


On 24 July 2010 at 12:56, Philip Guenther <guent...@gmail.com> wrote:

> On Thu, Jul 22, 2010 at 9:15 AM,  <sslay...@iom.com> wrote:
> ...
>> Ok so my problem is this. We have a single monitoring host that needs to send
>> outbound traffic (ICMP) via the 4 different Firewalls to the _SAME_ remote
>> address. e.g. Send ICMP to www.apple.com via FW1 then send ICMP via FW2 to
>> www.apple.com, FW3 etc.
>>
>> The idea is to check the Firewalls and their upstream connectivity not the end
>> host per se.
>>
>> To achieve this I've tried the following:
>>
>> Create 4 VLAN interfaces all on the same VLAN as the shared subnet using
>> alternate IPs but on different routing domains.
>
> Hmm.  I don't think you need different routing domains, but rather only
> different routing tables.  You only need to override the outbound
> routing and not create a separation behind interfaces.
>
>
>> i.e. Vlan no. 10 :
>>
>> hostname.vlan101 - inet 10.11.12.1 255.255.255.0 NONE vlan 10 vlandev bge0
>> rdomain 1
>> hostname.vlan102 - inet 10.11.12.2 255.255.255.0 NONE vlan 10 vlandev bge0
>> rdomain 2
>
> Umm, what?  Put yourself in the kernel's position.  A packet with vlan
> tag of 10 is received on the bge0 physical interface: what interface
> and routing domain should it show up in?  That's a layer 2 decision
> that the kernel has to make _without_ considering the src or dest IP
> addresses.  Given that, do you see why your interface definitions
> there are in conflict?
>
>
> ...
>> If I create the 1st VLAN/rdomain everything works perfectly however as soon as I
>> add the 2nd vlan interface traffic on both vlans stops. Destroying the 2nd vlan
>> instance restores traffic.
>
> Yeah, that meets my expectations.
>
>
>> The host is running OpenBSD i386 Generic 4.7 (release). Sorry no DMESG as yet
>> but I can get this and anything else if need be tomorrow.
>>
>> Is what I'm trying to do possible? Any help is much appreciated.
>
> Let me make sure I understand the problem.  You have a system where
> you sometimes want to route packets out an interface according to
> rules other than the normal rules, but you don't need to do any
> separation of interfaces as far as forwarding or binding of addresses
> goes?  If so, then I believe you only need to create distinct routing
> tables and not actual routing domains.  To do that, you need
> 1) *one* interface bound to the correct physical device and vlan,
>   *in the default routing domain*,
> 2) the 'route -T' commands from your message (to create the
>   alternative routing tables), and
> 3) the 'ping -V' commands from your original message (to use
>   those alternatives).
>
> I also strongly advise you to upgrade to -current.  No, really.
> Claudio spent a chunk of time at c2k10 helping Peter and me understand
> the distinction between rtables and rdomains...and in the process of
> explaining and then fixing the naming in the source tree, he found
> some issues in the implementation.  ("If you really want to understand
> something, explain it to someone else")  Here's the action shot of
> that explanation from jcr's article at undeadly.org:
>        http://www.designtools.org/OpenBSD/c2k10/debate3-l.jpg
>
> You're using something that's being actively updated by the
> developer; staying current is staying sane.
>
>
> Philip Guenther
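As an added example (not code from the thread or from either poster), here is the three-step procedure Philip lays out as a small probe script: one VLAN interface left in the default routing domain, `route -T` to put a default route via each firewall into its own routing table, and `ping -V` to send each probe through one of those tables. The gateway addresses, table ids and the `FW_GATEWAYS` layout are constructed assumptions; replace them with the firewalls' real inside addresses. `DRY_RUN=1` (the default) only prints the `route` and `ping` commands, so the script can be read and tested anywhere; run it with `DRY_RUN=0` as root on the OpenBSD host to actually install the tables and probe.

```shell
#!/bin/sh
# Added example (not from the thread): probe each firewall's upstream path from
# one monitoring host using per-firewall OpenBSD routing tables (rtables), as
# Philip describes: a single VLAN interface in rdomain 0, "route -T" to populate
# one alternative table per firewall, "ping -V" to select that table per probe.
# All addresses and table ids below are constructed sample values.

TARGET="${TARGET:-www.apple.com}"   # the one remote address from the thread
DRY_RUN="${DRY_RUN:-1}"             # 1 = print commands, 0 = execute (OpenBSD, root)

# table-id:gateway pairs (constructed); routing table N sends traffic via FW N
FW_GATEWAYS="1:10.11.12.251 2:10.11.12.252 3:10.11.12.253 4:10.11.12.254"

# run CMD...: echo the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# gateway_of TABLE: print the firewall gateway that routing table TABLE uses;
# returns 1 for an unknown table id
gateway_of() {
    for entry in $FW_GATEWAYS; do
        if [ "${entry%%:*}" = "$1" ]; then
            echo "${entry#*:}"
            return 0
        fi
    done
    return 1
}

# setup_tables: install a default route per firewall, each in its own table.
# The tables live in the default routing domain, so no second VLAN interface
# (and none of the vlan-tag conflict from the thread) is needed.
setup_tables() {
    for entry in $FW_GATEWAYS; do
        run route -T "${entry%%:*}" add default "${entry#*:}"
    done
}

# probe_all: ping TARGET once per table, report per firewall, and return the
# number of firewalls whose upstream path failed (0 = every path is up)
probe_all() {
    fail=0
    for entry in $FW_GATEWAYS; do
        table=${entry%%:*}
        gw=${entry#*:}
        if run ping -q -V "$table" -c 3 "$TARGET"; then
            echo "FW$table ($gw): upstream reachable"
        else
            echo "FW$table ($gw): upstream FAILED"
            fail=$((fail + 1))
        fi
    done
    return $fail
}

setup_tables
probe_all
```

A `FAILED` line points at that one firewall or its upstream link, which is exactly what the original poster wanted to monitor; the end host is the same for all four probes, so it drops out as a variable. The routes only need to be installed once, so in practice `setup_tables` belongs in boot-time configuration and `probe_all` in the monitoring job.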
