Re: Solaris routing reference, please?

rjohnson@xxxxxxxxxxx wrote:
On 2008-01-28 22:58:23 -0800, Andrew Deason <adeason2@xxxxxxxx> said:

On Mon, 28 Jan 2008 02:21:30 GMT
Bob Bramwell <bbramwel@xxxxxxxxxxx> wrote:

And you're not really "recreating" the interface. You need to give
the zone an IP, and associate it with a virtual interface, which is
associated with a physical interface; just like normal. When the
zone tries to send a packet, it will use that virtual interface to
calculate the route it needs to take, since that's the only
interface it has.

Right... but then there's the pre-zone-boot global zone trick:
ifconfig hme1:2 plumb
ifconfig hme1:2 XXX.YYY.ZZZ.nnn
route add default 192.168.50.1 -ifp hme1:2 # see point 4, below
ifconfig hme1:2 unplumb
I'm not 100% clear what plumb/unplumb actually do but I've always
thought of this as creating/destroying the virtual interface.

It's unnecessary. You can just `ifconfig hme1:2 down`. As far as I know
it is basically "creating/destroying" as far as internal structures go,
though.

Two points related to this. Firstly, I failed to make clear my
complete setup:
hme1 : external interface to ISP modem, DHCP managed
hme1:1 : 192.168.50.1, global zone
hme1:2 : 192.168.50.50, server zone

Whoa, there. Having them on the same machine changes a lot of things.
I've never done anything like that, so I can't really offer more advice
on that specific setup.

You may be missing packets with `snoop` because it could be trying to
go through a different interface, though (and note that anything going
through lo is un-snoop-able). That's all I can really say.

As mentioned above your physical and logical interfaces lying on a single machine doesn't really tell us a whole lot without the routing table. How are your routes defined? Post your netstat outpu


OK, here's how it goes. I've tried to keep it concise. What I am trying to do is to allow hme1 to have its IP address assigned by DHCP (although in this example it is set up statically). The virtual network 192.168.50.x is purely to insulate the non-global zones from changes to the network routing that may occur because DHCP comes up with a new address. I expect packets sent to one interface to be forwarded to another (because ip_forwarding is turned on) as appropriate. The puzzle for me is why I cannot even ping the two "real" IP addresses (on hme0 and hme1) from the webzone.

Thanks for spending so much time on this nonsense. I seriously suspect this isn't going to work but I really would like to understand why not.

And now our feature presentation
.. . . . . . . . . . . . . . . . .

Starting conditions:

global : hme0 = 192.168.20.12
global : hme1 = 192.168.10.50
datazone: hme1:1 = 192.168.50.52
webzone : hme1:2 = 192.168.50.51
global : hme1:3 = 192.168.50.1

datazone: running
webzone: halted


# ndd /dev/ip ip_forwarding
1
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
zone datazone
inet 127.0.0.1 netmask ff000000
hme0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
inet 192.168.20.12 netmask ffffff00 broadcast 192.168.20.255
ether 8:0:20:c2:8:f4
hme1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
inet 192.168.10.50 netmask ffffff00 broadcast 192.168.10.255
ether 8:0:20:c2:8:f5
hme1:1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
zone datazone
inet 192.168.50.52 netmask ffffff00 broadcast 192.168.50.255
hme1:3: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
inet 192.168.50.1 netmask ffffff00 broadcast 192.168.50.255

# ifconfig hme1:2 plumb
# ifconfig hme1:2 192.168.50.51 up
# route add default 192.168.50.1 -ifp hme1:2
add net default: gateway 192.168.50.1
# ifconfig hme1:2 down

# netstat -ran

Routing Table: IPv4
Destination Gateway Flags Ref Use I'face
-------------------- -------------------- ----- ----- ---------- ------
default 192.168.10.1 UG 1 3
default 192.168.50.1 UG 1 0 hme1
192.168.10.0 192.168.10.50 U 1 2 hme1
192.168.20.0 192.168.20.12 U 1 0 hme0
192.168.50.0 192.168.50.1 U 1 0 hme1:3
224.0.0.0 192.168.10.50 U 1 0 hme1
0.0.0.0 192.168.20.12 UHB 1 0 hme0
0.0.0.0 192.168.20.12 UHB 1 0 hme0
0.0.0.0 192.168.10.50 UHB 1 0 hme1
0.0.0.0 192.168.10.50 UHB 1 0 hme1
192.168.10.50 -- UHL 1 7 hme1
192.168.10.0 192.168.10.50 UHB 1 0 hme1
192.168.10.0 192.168.10.50 UHB 1 0 hme1
192.168.10.1 -- UHA 1 10 hme1
192.168.10.255 192.168.10.50 UHB 1 0 hme1
192.168.10.255 192.168.10.50 UHB 1 0 hme1
192.168.1.2 192.168.10.1 UHA 1 1 hme1
192.168.50.0 192.168.50.1 UHB 1 0 hme1:3
192.168.50.0 192.168.50.1 UHB 1 0 hme1:3
192.168.50.1 -- UHL 1 0 hme1:3
192.168.50.255 192.168.50.1 UHB 1 0 hme1:3
192.168.50.255 192.168.50.1 UHB 1 0 hme1:3
192.168.20.12 -- UHL 1 0 hme0
192.168.20.0 192.168.20.12 UHB 1 0 hme0
192.168.20.0 192.168.20.12 UHB 1 0 hme0
192.168.20.255 192.168.20.12 UHB 1 0 hme0
192.168.20.255 192.168.20.12 UHB 1 0 hme0
255.255.255.255 192.168.20.12 UHB 1 0 hme0
255.255.255.255 192.168.20.12 UHB 1 0 hme0
255.255.255.255 192.168.10.50 UHB 1 0 hme1
255.255.255.255 192.168.10.50 UHB 1 0 hme1
127.0.0.1 127.0.0.1 UH 1 4 lo0

# zoneadm -z webzone boot
zoneadm: zone 'webzone': WARNING: hme1:4: no matching subnet found in netmasks(4) for 192.168.50.51; using default of 255.255.255.0.
# zoneadm -z webzone halt

# ifconfig hme1:2 unplumb

# zoneadm -z webzone boot
zoneadm: zone 'webzone': WARNING: hme1:2: no matching subnet found in netmasks(4) for 192.168.50.51; using default of 255.255.255.0.
# netstat -ran

Routing Table: IPv4
Destination Gateway Flags Ref Use I'face
-------------------- -------------------- ----- ----- ---------- ------
default 192.168.10.1 UG 1 3
default 192.168.50.1 UG 1 0 hme1
192.168.10.0 192.168.10.50 U 1 2 hme1
192.168.20.0 192.168.20.12 U 1 0 hme0
192.168.50.0 192.168.50.1 U 1 0 hme1:3
224.0.0.0 192.168.10.50 U 1 0 hme1
0.0.0.0 192.168.20.12 UHB 1 0 hme0
0.0.0.0 192.168.20.12 UHB 1 0 hme0
0.0.0.0 192.168.10.50 UHB 1 0 hme1
0.0.0.0 192.168.10.50 UHB 1 0 hme1
192.168.10.50 -- UHL 1 7 hme1
192.168.10.0 192.168.10.50 UHB 1 0 hme1
192.168.10.0 192.168.10.50 UHB 1 0 hme1
192.168.10.1 -- UHA 1 10 hme1
192.168.10.255 192.168.10.50 UHB 1 0 hme1
192.168.10.255 192.168.10.50 UHB 1 0 hme1
192.168.1.2 192.168.10.1 UHA 1 1 hme1
192.168.50.0 192.168.50.1 UHB 1 0 hme1:3
192.168.50.0 192.168.50.1 UHB 1 0 hme1:3
192.168.50.1 -- UHL 1 0 hme1:3
192.168.50.255 192.168.50.1 UHB 1 0 hme1:3
192.168.50.255 192.168.50.1 UHB 1 0 hme1:3
192.168.20.12 -- UHL 1 0 hme0
192.168.20.0 192.168.20.12 UHB 1 0 hme0
192.168.20.0 192.168.20.12 UHB 1 0 hme0
192.168.20.255 192.168.20.12 UHB 1 0 hme0
192.168.20.255 192.168.20.12 UHB 1 0 hme0
255.255.255.255 192.168.20.12 UHB 1 0 hme0
255.255.255.255 192.168.20.12 UHB 1 0 hme0
255.255.255.255 192.168.10.50 UHB 1 0 hme1
255.255.255.255 192.168.10.50 UHB 1 0 hme1
127.0.0.1 127.0.0.1 UH 1 4 lo0

# ping 192.168.1.2
192.168.1.2 is alive
# zlogin webzone
[Connected to zone 'webzone' pts/1]
Last login: Mon Feb 11 21:53:29 on pts/1
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# netstat -ran

Routing Table: IPv4
Destination Gateway Flags Ref Use I'face
-------------------- -------------------- ----- ----- ---------- ------
default 192.168.50.1 UG 1 0 hme1
192.168.50.0 192.168.50.51 U 1 0 hme1:2
224.0.0.0 192.168.50.51 U 1 0 hme1:2
0.0.0.0 192.168.50.51 UHB 1 0 hme1:2
0.0.0.0 192.168.50.51 UHB 1 0 hme1:2
192.168.50.0 192.168.50.51 UHB 1 0 hme1:2
192.168.50.0 192.168.50.51 UHB 1 0 hme1:2
192.168.50.51 -- UHL 1 7 hme1:2
192.168.50.255 192.168.50.51 UHB 1 0 hme1:2
192.168.50.255 192.168.50.51 UHB 1 0 hme1:2
255.255.255.255 192.168.50.51 UHB 1 0 hme1:2
255.255.255.255 192.168.50.51 UHB 1 0 hme1:2
127.0.0.1 127.0.0.1 UH 9 42 lo0:2

# ifconfig -a
lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
hme1:2: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
inet 192.168.50.51 netmask ffffff00 broadcast 192.168.50.255

# ping 192.168.1.2
ICMP Host Unreachable from gateway 192.168.50.51
for icmp from 192.168.50.51 to 192.168.1.2
ICMP Host Unreachable from gateway 192.168.50.51
for icmp from 192.168.50.51 to 192.168.1.2
ICMP Host Unreachable from gateway 192.168.50.51
for icmp from 192.168.50.51 to 192.168.1.2
^C# ping 192.168.50.1
192.168.50.1 is alive
# ping 192.168.10.50
no answer from 192.168.10.50
# ping 192.168.20.12
no answer from 192.168.20.12
.

Relevant Pages

  • Re: Solaris routing reference, please?
    ... the zone an IP, and associate it with a virtual interface, which is ... associated with a physical interface; ... ifconfig hme1:2 XXX.YYY.ZZZ.nnn ...
    (comp.unix.solaris)
  • Re: Routing, Bridging and VPN
    ... In shorewall you generaly define one ZONE for each interfacace like ... Port 5000 i use for incoming VPN conections. ... create interface tun0, that you use in shorewall configuration. ...
    (Debian-User)
  • Re: folder deleted
    ... The zone is not single label ... I would first suggest to remove the PPP interface. ... That is another non-recommended service on a domain controller. ... I suggest that if the two NICs are of the same namebrand and model. ...
    (microsoft.public.windows.server.dns)
  • Re: Small office firewall/vpn/security appliance
    ... > of trusted" lan for a guest wireless segment and a second DMZ on which I ... zone, then building all your policies on zones. ... You could put the WAP and the NM server on the same subnet on WAN2. ... called DMZ2 using the WAN2 interface. ...
    (comp.security.firewalls)
  • Re: Solaris routing reference, please?
    ... when a default route is specified it is associated with an interface ... When the zone ... So my plan was to have the server zone provided with a default route to 192.168.50.1. ...
    (comp.unix.solaris)