Chris,

In message <d64aa1760604080946w53587c3ak66075e8f363a940c at mail dot gmail dot com>, Chris Buechler <cbuechler at gmail dot com> writes

>On 4/8/06, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
>>
>> Apologies for following up my own post but I've now tried with a second
>> interface in my firewall. I can now confirm:
>>
>> 1) With a real interface as OPT1 the problem still exists.
>>
>> 2) With a real interface as WAN the problem is resolved.
>>
>
>From a few Google Groups searches, it looks like you aren't the only
>one that's had this problem with late 4.x releases and early 5.x
>releases. I wasn't able to find a definitive solution, but there are
>a lot of threads out there. You might find a solution if you search
>"vlan bridging" group:*freebsd*.

Many thanks for that. I've done some more testing and even though it looked like it was working, it would sometimes give up the ghost! I've now resorted to three physical NICs, all connected to different ports on the switch, each on a different VLAN.

I believe the problem is that the vlan interfaces don't support promiscuous mode; well, it certainly doesn't appear in an ifconfig -a! With just WAN as a physical NIC and OPT1 as a vlan, everything is OK until the server on OPT1 learns the router on WAN's MAC address. This happens when a packet comes in to the router from the Internet destined for the server on OPT1. The router does an ARP for the server, the server replies and also puts the router's MAC address into its ARP table (just in case it needs it). Once this happens then everything stops working. I don't entirely know why, because the server should still use its default gateway, the WAN interface of the firewall, for any traffic not on its own broadcast domain.

Whilst I was debugging things I noticed another oddity... On the firewall I'd configured it to use the NTP server on my LAN by specifying its IP address... On the WAN interface I noticed it doing a PTR lookup virtually every second. Because the IP address was in the RFC1918 address range it failed to look up every time. As soon as I specified the FQDN of my ISP's time server it seems to be working normally! I always wondered why the activity light on my router was flashing every second! Now I know.

Many thanks,

Neil.

--
Neil A. Hillard                E-Mail: m0n0 at dana dot org dot uk