[OmniOS-discuss] [FWD] Re: Routing challenges

PÁSZTOR György pasztor at sagv5.gyakg.u-szeged.hu
Thu Apr 7 19:38:19 UTC 2016


Hi, sorry, I forgot to change the "To" to the list.

----- Forwarded message from PÁSZTOR György <pasztor at linux.gyakg.u-szeged.hu> -----

Date: Thu, 7 Apr 2016 21:36:55 +0200
From: PÁSZTOR György <pasztor at linux.gyakg.u-szeged.hu>
To: "Schweiss, Chip" <chip at innovates.com>

Hi,

"Schweiss, Chip" <chip at innovates.com> wrote on 2016-04-07 at 10:52:
> The problem I am having is that when a privileged machine on one of the
> vlans, also on the service side, that has access to the management SSH port
> connects, the TCP SYN comes in on the management VLAN but the SYNACK goes out
> the service VLAN instead of routing back out its connecting port.  This causes
> a split route and the firewall blocks the connection because the connection
> never appears complete.
> 
> Traffic is flowing like this:
> client                   firewall                 omnios
> 10.28.0.106 ->   10.28.0.254->10.28.125.254  -> 10.28.125.44
> 
> 10.28.0.106  <--------------------------------- 10.28.0.44
> 
> How can I cause connections to only communicate on the vlan that the
> connection is initiated from?

The problem sounds pretty much like the one where the solution would be
this, if it were Linux:
http://lartc.org/howto/lartc.rpdb.multiple-links.html

I do not know if there is a similar solution in illumos-based systems.
I mean policy-based routing. If there is, then that is the solution.

Other possible working solution:
As far as I understood the requirements, you want to serve NFS and other
things on one 10GbE interface, but let SSH in only on another subnet on a
1GbE interface.
Solution a:
* create a "stub network", which is only available on the host and zones,
* create a zone for SSH (let's call it jumpzone), which accesses the 1GbE port
and the stub network,
* make the host's sshd listen only on localhost and on the stub network
interface

Solution b:
* do not configure the 10GbE interface on the "host"
* create a "service" zone, which exclusively accesses the 10GbE interface.
* the "service" zone would only be configured to access 10.28.0

On solution b: as far as I know, newer illumos kernels support exporting
NFS and SMB from zones, so it may work. But it may contain other gotchas
which we may not have foreseen.

Or,... find docs about policy based routing on illumos.

Cheers,
Gyu

----- End forwarded message -----
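The asymmetric-routing problem discussed above, as an added example that is not part of the thread: a small simulation of the OmniOS host's forwarding decision. With plain destination-based (longest-prefix) routing, the SYN-ACK sourced from the management address 10.28.125.44 leaves on the service VLAN because 10.28.0.0/24 is directly connected; a source-address policy rule (the lartc-style approach, assumed here, not a documented illumos feature) pins the reply to the management gateway. The default route via 10.28.125.254 and the interface names are assumptions.

```python
import ipaddress

# Constructed topology from the thread: the OmniOS host has 10.28.0.44 on the
# 10GbE service VLAN and 10.28.125.44 on the 1GbE management VLAN.
# Destination-based routing table: (prefix, egress interface, gateway or None).
# The default route via the management gateway is an assumption.
ROUTES = [
    (ipaddress.ip_network("10.28.0.0/24"), "service", None),
    (ipaddress.ip_network("10.28.125.0/24"), "mgmt", None),
    (ipaddress.ip_network("0.0.0.0/0"), "mgmt", ipaddress.ip_address("10.28.125.254")),
]

# Assumed source-address policy rule (lartc rpdb style): packets sourced from
# the management address must leave via the management gateway.
POLICY = {
    ipaddress.ip_address("10.28.125.44"): ("mgmt", ipaddress.ip_address("10.28.125.254")),
}


def egress(src, dst, policy=None):
    """Return (interface, next_hop) for a packet from src to dst.

    A source-address policy rule wins if present; otherwise the longest
    matching destination prefix decides, as a plain routing table would.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if policy and src in policy:
        iface, gw = policy[src]
        return iface, str(gw)
    best = None
    for net, iface, gw in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    _, iface, gw = best
    # Directly connected prefix: next hop is the destination itself.
    return iface, str(gw if gw is not None else dst)


def reply_is_symmetric(ingress_iface, src, dst, policy=None):
    """True when the SYN-ACK leaves on the interface the SYN arrived on."""
    iface, _ = egress(src, dst, policy)
    return iface == ingress_iface


if __name__ == "__main__":
    # SYN arrived on mgmt for 10.28.125.44; where does the reply to the client go?
    print(egress("10.28.125.44", "10.28.0.106"))          # split route: service VLAN
    print(egress("10.28.125.44", "10.28.0.106", POLICY))  # pinned to mgmt gateway
```

A firewall that tracks connection state sees only the SYN on the first path, which is exactly the "never appears complete" symptom in the original report.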

