[OmniOS-discuss] Routing challlenges
jimklimov at cos.ru
Thu Apr 7 20:28:04 UTC 2016
7 апреля 2016 г. 20:50:13 CEST, "Schweiss, Chip" <chip at innovates.com> пишет:
>On Thu, Apr 7, 2016 at 12:51 PM, Michael Talbott <mtalbott at lji.org>
>> Oh, I see. Sorry about that, reading it on my phone didn't render
>> diagram properly ;)
>> The reason this is happening is because the omnios box has knowledge
>> both subnets in its routing table and it always takes the shortest
>> reach an ip destination.
>That's definitely the reason, but not correct when stateful firewalls
>> So you will need to put the "clients" in a unique subnet that always
>> passes through the firewall in both directions (in a subnet that's
>> shared by the omnios machines). Any attempt to add/modify a static
>> the omnios box to resolve this will likely fail (it'll just move the
>> problem from one network to the other one and cause your "services"
>> to route improperly).
>The problem is each person who manages these (there are 4) are also
>of the services (SMB, NFS).
>For management, going through the firewall is fine, it is low volume,
>the services need to be on the same VLAN or else the 1gb firewall will
>choke on the 10gb services.
>> Either that, or remove the firewall as a hop, set sshd to listen only
>> the management IP, and add a management vlan interface to the clients
>> allowed to connect.
>I've considered this too, but I have some floating IP attached to zfs
>in an HA cluster that SSH needs to bind to.
>Unless I can get the network stack on the management vlan to act
>independently of the other interfaces, it may come to modifying the
>sshd_config and restarting ssh each time a pool is started or stopped
>> On Apr 7, 2016, at 10:25 AM, Michael Talbott <mtalbott at lji.org>
>> It sounds like you're using the same subnet for management and
>> traffic, that would be the problem causing the split route. Give each
>> a unique subnet and traffic should flow correctly.
>> Sent from my iPhone
>> On Apr 7, 2016, at 8:52 AM, Schweiss, Chip <chip at innovates.com>
>> On several of my OmniOS hosts I have a setup a management interface
>> SSH access on an independent VLAN. There are service vlans attached
>> other nics.
>> The problem I am having is that when on privileged machine on one of
>> vlans also on the service side that has access to the management SSH
>> the TCP SYN comes in the management VLAN but the SYNACK goes out the
>> service VLAN instead of routing back out its connecting port. This
>> a split route and the firewall blocks the connection because the
>> never appears complete.
>> Traffic is flowing like this:
>> client firewall omnnios
>> 10.28.0.106 -> 10.28.0.254->10.28.125.254 -> 10.28.125.44
>> 10.28.0.106 <--------------------------------- 10.28.0.44
>> How can I cause connections to only communicate on the vlan that the
>> connection is initiated from?
>> I don't want to use the 10.28.0.44 interface because that is a
>> and will not always be on the same host.
>> OmniOS-discuss mailing list
>> OmniOS-discuss at lists.omniti.com
>OmniOS-discuss mailing list
>OmniOS-discuss at lists.omniti.com
Just in case, remember that with ipfikter on the host you can effect 'source-routing' and assign (at least non-dynamically) what router should be taken for what sort of connections. It works by blocking 'destination-routed' packets if they match your rule, and rewriting them as destined to go out of another NIC and to another gateway.
Example from work (I think I posted it more than once in the past - then if you find those discussions, they might also hold some neat ideas), this is essentially the first rule in /etc/ipf/ipf.conf (before loopbacks, allow-all-for-some and head's for complicated other rule trees):
# enforce that packets coming out of an interface go to the correct subnet
# rhetoric question: does this skip the firewall rules below in the file?
block out quick on vlan186 to vlan81:81.X.Y.1 from 81.X.Y.0/24 to any
block out quick on vlan81 to vlan186:192.168.186.1 from ! 81.X.Y.0/24 to any
Note the "!" negation in the second rule.
Typos courtesy of K-9 Mail on my Samsung Android
More information about the OmniOS-discuss