Re: IPv6 routes leaking between FIBs?
On Dec 29, 2014, at 1:28 AM, Julian Elischer jul...@freebsd.org wrote:

> to some extent this is what it was written for.. the fib code was written for Ironport/Cisco for separating the management port from the data ports on their appliances, however the VNET code that came later is an even cleaner way of doing it and FIBs were only used by Ironport because VNET was not yet available.
>
> Have you tried vnet jails for interface isolation?

I freely admit that I haven’t. I’m just coming over to FreeBSD and while I’m aware of jails, I thought of them more as service isolation than for routing. I’m searching around for a moment, and I’m not 100% sure this is going to work for my use case. Can you confirm that jails would be the most appropriate way to solve my problem?

These are the major requirements:

- A router/firewall that will perform NAT from an internal RFC1918 space to public IPv4, as well as stateful firewalling of IPv6 packets passed to it.
- 3 interfaces:
  1) Transit interface (10g, packets to/from PF are received/sent on this interface)
  2) PFsync (to connect to a second box for active-active PF)
  3) Management (LAN side only)
- Separate routing tables for the transit and management interfaces, so that the transit interface can have a default route that is distinct from that of the management network.

It sounds to me that if I ran this as a jail, I’d need to throw the 10g transit interface and the pfsync interface into the jail, and leave the management interface on the host. I’d probably need to run PF in the jail as well? Or are we just using the jail to isolate the routing tables, and I’d still run PF on the host?

I’m happy to provide more details on the setup in case there’s a better way to architect this. I’m a Debian/OpenBSD guy, so I’m sorry if I don’t have all the terminology sorted out yet...

I will still file a bug against the FIB code, as it sounds like that’s not working as intended/designed.
Thanks,
Jason

___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
Re: IPv6 routes leaking between FIBs?
On Dec 29, 2014, at 2:34 PM, Bjoern A. Zeeb bzeeb-li...@lists.zabbadoz.net wrote:

> pf and VNETs are a cause for panic at the moment; don’t go that route (yet).

Good to know. With that in mind, I think my best workaround for now is to disable IPv6 on the management interface, leaving the transit interface as the only one with a v6 address assigned. This effectively isolates it from the rest of the box, and I’ll just have to manage the box itself via v4 for the time being until the v6 FIBs get fixed.

Meanwhile, I’ve created PR 196361 to track the underlying issue: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196361

I’ll keep working to spin up PF on the box and I’ll let you know if I bump into any other issues.

Thanks for the guidance,
Jason
IPv6 routes leaking between FIBs?
Hello,

Trying out FreeBSD for the first time to build a firewall box that’s multi-core and runs PF. I’m very interested in the FIB code, as it lines up well with the way my core networking equipment works and should allow me to route traffic on an interface that’s logically separate from the management interfaces.

I’ve been playing for a bit with the FIB features, but I’m getting hung up on IPv6. I’m trying to set up two interfaces on my box to each have a different FIB, and to not leak routes between the interfaces:

  # sysctl net.add_addr_allfibs=0
  # ifconfig em1 inet 192.0.2.1/24 fib 1
  # ifconfig em1 inet6 2001:db8:dead:beef::1/64 fib 1
  # ifconfig em2 inet 203.0.113.1/24 fib 2
  # ifconfig em2 inet6 2001:db8:cafe:babe::1/64 fib 2

If I then check the routing tables for each FIB, here’s what I get:

  # setfib -F 1 netstat -rn
  Routing tables (fib: 1)

  Internet:
  Destination        Gateway            Flags     Netif Expire
  192.0.2.0/24       link#2             U           em1
  192.0.2.1          link#2             UHS         lo0

  Internet6:
  Destination                       Gateway                       Flags     Netif Expire
  2001:db8:cafe:babe::/64           link#3                        U           em2
  2001:db8:dead:beef::/64           link#2                        U           em1
  2001:db8:dead:beef::1             link#2                        UHS         lo0
  fe80::%em1/64                     link#2                        U           em1
  fe80::a00:27ff:fef6:162a%em1      link#2                        UHS         lo0
  fe80::%em2/64                     link#3                        U           em2
  fe80::%lo0/64                     link#5                        U           lo0

  # setfib -F 2 netstat -rn
  Routing tables (fib: 2)

  Internet:
  Destination        Gateway            Flags     Netif Expire
  203.0.113.0/24     link#3             U           em2
  203.0.113.1        link#3             UHS         lo0

  Internet6:
  Destination                       Gateway                       Flags     Netif Expire
  2001:db8:cafe:babe::/64           link#3                        U           em2
  2001:db8:cafe:babe::1             link#3                        UHS         lo0
  2001:db8:dead:beef::/64           link#2                        U           em1
  fe80::%em1/64                     link#2                        U           em1
  fe80::%em2/64                     link#3                        U           em2
  fe80::a00:27ff:fe62:d267%em2      link#3                        UHS         lo0
  fe80::%lo0/64                     link#5                        U           lo0

Note that as expected, the IPv4 routes are constrained to their FIB (192.0.2.0 to FIB 1 and 203.0.113.0 to FIB 2). However, the IPv6 routes (deadbeef and cafebabe) leak between the FIBs; both prefixes that I add are listed in both FIBs (as well as the link-local stuff).
According to https://www.freebsd.org/news/status/report-2012-01-2012-03.html#Multi-FIB:-IPv6-Support-and-Other-Enhancements IPv6 parity is claimed for the FIB code, so I’m not sure if I’m doing it wrong, or if there’s a problem with the FIB code and IPv6 routes.

Thanks in advance for any help or clarification!

Jason
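A script that checks for this kind of leak mechanically, as an added example that is not part of the original post or of FreeBSD: it parses the text of `setfib -F <n> netstat -rn` for each FIB and reports the network routes that appear in more than one FIB, which is exactly the symptom described above. The embedded sample is the route list from the post laid out in netstat's column format (the layout is constructed, the entries are the post's); the function names, and the choice to ignore host routes and routes via lo0 when comparing, are this example's own assumptions.

```python
"""Cross-check network routes across FreeBSD FIBs.

Added example, not code from the thread: parse `setfib -F <n> netstat -rn`
output for each FIB and report network routes that appear in more than one
FIB.  With net.add_addr_allfibs=0 an interface prefix should only show up in
the FIB its address was assigned to.
"""
from collections import defaultdict

# Constructed sample: the route entries from the post above, laid out in
# netstat's column format (the layout, not the entries, is made up here).
FIB1 = """\
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
192.0.2.0/24       link#2             U           em1
192.0.2.1          link#2             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
2001:db8:cafe:babe::/64           link#3                        U           em2
2001:db8:dead:beef::/64           link#2                        U           em1
2001:db8:dead:beef::1             link#2                        UHS         lo0
fe80::%em1/64                     link#2                        U           em1
fe80::a00:27ff:fef6:162a%em1      link#2                        UHS         lo0
fe80::%em2/64                     link#3                        U           em2
fe80::%lo0/64                     link#5                        U           lo0
"""

FIB2 = """\
Routing tables (fib: 2)

Internet:
Destination        Gateway            Flags     Netif Expire
203.0.113.0/24     link#3             U           em2
203.0.113.1        link#3             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
2001:db8:cafe:babe::/64           link#3                        U           em2
2001:db8:cafe:babe::1             link#3                        UHS         lo0
2001:db8:dead:beef::/64           link#2                        U           em1
fe80::%em1/64                     link#2                        U           em1
fe80::%em2/64                     link#3                        U           em2
fe80::a00:27ff:fe62:d267%em2      link#3                        UHS         lo0
fe80::%lo0/64                     link#5                        U           lo0
"""


def parse_netstat(text):
    """Return {family: [(destination, gateway, flags, netif), ...]}.

    Families are the 'Internet:' / 'Internet6:' section headers; the column
    header line and the 'Routing tables' banner are skipped.
    """
    routes = defaultdict(list)
    family = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Routing tables") or line.startswith("Destination"):
            continue
        if line.endswith(":"):
            family = line[:-1]
            continue
        fields = line.split()
        if family is not None and len(fields) >= 4:
            routes[family].append(tuple(fields[:4]))
    return routes


def network_routes(routes, family):
    """Destinations of interface/network routes in one address family.

    Host routes (flag H, the UHS entries for the local addresses) and routes
    via lo0 are left out: loopback is shared by every FIB and the host routes
    follow their prefix, so the prefix routes are the ones worth comparing.
    """
    return {dest for dest, _gw, flags, netif in routes.get(family, [])
            if "H" not in flags and netif != "lo0"}


def leaked_prefixes(fib_outputs, family="Internet6"):
    """Map each prefix present in more than one FIB to the set of FIBs.

    fib_outputs: {fib_number: netstat -rn text for that FIB}.
    An empty result means every network route is confined to a single FIB.
    """
    seen = defaultdict(set)
    for fib, text in fib_outputs.items():
        for dest in network_routes(parse_netstat(text), family):
            seen[dest].add(fib)
    return {dest: fibs for dest, fibs in seen.items() if len(fibs) > 1}


if __name__ == "__main__":
    outputs = {1: FIB1, 2: FIB2}
    for fam in ("Internet", "Internet6"):
        leaks = leaked_prefixes(outputs, fam)
        print(f"{fam}: {'no leaks' if not leaks else ''}")
        for dest, fibs in sorted(leaks.items()):
            print(f"  {dest} present in FIBs {sorted(fibs)}")
```

On the sample the IPv4 check comes back empty while the IPv6 check lists both /64s and both link-local prefixes, matching the observation in the post. On a live box, replace the two constants with the captured output of `setfib -F N netstat -rn` for each FIB in use (for example via `subprocess.run`) and run the comparison after any `ifconfig ... fib N` change; a non-empty result is the signal that addresses are landing in FIBs they were not assigned to.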