SUMMARY: Source IP routing w/ ipfilter

From: Ray Van Dolson <rvandolson_at_esri.com> Date: Thu Mar 25 2010 - 12:27:55 EDT · This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:16 EST

Hi all, thanks for replies from:

  Michael Horton
  John Hallman
  Crist Clark

It sounds like this is currently not really possible with ipfilter.
Based on feedback I got on the ipf mailing list, it sounds like folks
_expected_ that it work and were interested in using dtrace to figure
out why it doesn't.

However, the multihome setup I'm using is most typically done when the
interfaces are on different subnets.  The way we had things set up just
wasn't really something planned for.

Recommendations are to rework the infrastructure and use IPMP/LACP if
using both physical links is truly required.

The ipf syntax I was using is correct in theory, it just doesn't do
what I'd expect.

Ray

On Mon, Mar 22, 2010 at 11:11:55PM -0700, Ray Van Dolson wrote:
> I have a Solaris 10 machine with two interfaces, both with IP's on the
> same subnet:
> 
>   igb0: 10.49.2.110/16
>   igb2: 10.49.2.111/16
> 
> Routing Table: IPv4
>   Destination           Gateway           Flags  Ref     Use     Interface 
> -------------------- -------------------- ----- ----- ---------- --------- 
> default              10.49.254.254        UG        1    6120267           
> 10.49.0.0            10.49.2.110          U         1     113322 igb0      
> 10.49.0.0            10.49.2.111          U         1          2 igb2      
> 127.0.0.1            127.0.0.1            UH        3     175197 lo0
> 
> Problem is that when traffic destined for 10.49.2.111 hits igb2, the
> replies are sent out igb0.  I want anything originating from
> 10.49.2.111 to go out igb2.
> 
> I thought source based routing with ipf might do the trick:
> 
>   pass out quick on igb0 to igb2 from 10.49.2.111 to any
> 
> However, while this rule definitely is getting matched on, the packets
> don't appear to actually go out the interface (or any interface for
> that matter).
> 
> This works:
> 
>   pass out quick on igb0 to igb2:10.49.254.254 from 10.49.2.111 to any
> 
> 10.49.254.254 is the default gateway for the 10.49 network.
> 
> However, this isn't ideal either.  Now all the packets show up at their
> destination with a src mac address of the default gateway instead of my
> Solaris box (even though the destination was another 10.49/16 host).
> 
> I've also tried "to igb2:10.49.2.111" to no avail.
> 
> Any tips?
> 
> Ray
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers