I have a freshly installed FreeBSD 11.2 with two NICs facing outward and one facing the LAN (sk0), plus a VLAN on one of the external interfaces:
Code:
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
ether 00:11:2f:6e:82:b7
inet 172.16.32.64 netmask 0xffffff00 broadcast 172.16.32.255
media: Ethernet autoselect (1000baseT <full-duplex,master>)
status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=82009<RXCSUM,VLAN_MTU,WOL_MAGIC,LINKSTATE>
ether 00:04:79:68:25:99
inet 172.20.31.40 netmask 0xffffff00 broadcast 172.20.31.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=82009<RXCSUM,VLAN_MTU,WOL_MAGIC,LINKSTATE>
ether 00:04:79:68:26:05
inet 172.20.31.8 netmask 0xffffff00 broadcast 172.20.31.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet 127.0.0.1 netmask 0xff000000
groups: lo
vlan39: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
ether 00:04:79:68:25:39
inet 172.20.31.39 netmask 0xffffff00 broadcast 172.20.31.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 39 vlanpcp: 0 parent interface: xl0
groups: vlan
Code:
net.link.ether.inet.proxyall=1
Code:
root@aems-64:~ # setfib 0 netstat -4rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 172.20.31.1 UGS xl0
127.0.0.1 link#4 UH lo0
172.16.32.0/24 link#1 U sk0
172.16.32.64 link#1 UHS lo0
172.20.31.0/24 link#2 U xl0
172.20.31.8 link#3 UHS lo0
172.20.31.39 link#5 UHS lo0
172.20.31.40 link#2 UHS lo0
root@aems-64:~ #
root@aems-64:~ # setfib 1 netstat -4rn
Routing tables (fib: 1)
Internet:
Destination Gateway Flags Netif Expire
default 172.20.31.1 UGS xl1
127.0.0.1 link#4 UH lo0
172.16.32.0/24 link#1 U sk0
172.20.31.1 00:04:79:68:26:05 UHS xl1
root@aems-64:~ #
root@aems-64:~ # setfib 2 netstat -4rn
Routing tables (fib: 2)
Internet:
Destination Gateway Flags Netif Expire
default 172.20.31.1 UGS vlan39
127.0.0.1 link#4 UH lo0
172.16.32.0/24 link#1 U sk0
172.20.31.1 00:04:79:68:25:39 UHS vlan39
root@aems-64:~ #
Code:
ipfw nat 8 config if xl1 log deny_in same_ports reset
ipfw nat 39 config if vlan39 log deny_in same_ports reset
root@aems-64:~ # ipfw table 8 list
172.16.32.32/32 0
root@aems-64:~ # ipfw table 39 list
172.16.32.33/32 0
Code:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
60080 setfib 2 ip from table(39) to any in recv sk0
60090 setfib 1 ip from table(8) to any in recv sk0
60100 allow ip from any to any via sk0
60330 nat 8 ip from any to any out xmit xl1
60340 nat 8 ip from any to any in recv xl1
60350 nat 39 ip from any to any out xmit vlan39
60360 nat 39 ip from any to any in recv vlan39
65534 deny log ip from any to any
65535 deny ip from any to any
Code:
ARP, Request who-has 172.20.31.1 tell 172.20.31.8, length 46
ARP, Reply 172.20.31.1 is-at 00:11:2f:27:b5:e6, length 28
IP 172.20.31.8 > 172.20.31.1: ICMP echo request, id 512, seq 60931, length 40
IP 172.20.31.1 > 172.20.31.8: ICMP echo reply, id 512, seq 60931, length 40
IP 172.20.31.8 > 172.20.31.1: ICMP echo request, id 512, seq 61187, length 40
We ping from address 172.16.32.33 to 172.20.31.1 (via vlan39 and routing table 2). On the default gateway, tcpdump -nti fxp0 shows only:
Code:
ARP, Request who-has 172.20.31.1 tell 172.20.31.39, length 42
ARP, Request who-has 172.20.31.1 tell 172.20.31.39, length 42
ARP, Request who-has 172.20.31.1 tell 172.20.31.39, length 42
ARP, Request who-has 172.20.31.1 tell 172.20.31.39, length 42
ARP, Request who-has 172.20.31.1 tell 172.20.31.39, length 42
ARP, Request who-has 172.20.31.1 tell 172.20.31.39, length 42
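A check for the routing-table side of a multi-FIB setup like this one, added here as an example and not part of the original post or of FreeBSD's own tooling: for each FIB it parses the `setfib N netstat -4rn` output quoted above (copied from the post; FIB 0 serves as the reference case) and reports whether the default gateway lies inside a connected network route (flag U, no G/H, a prefix with a mask) in that same FIB and on the same interface the default route names. A FIB whose only entry for the gateway is a link-layer host route (UHS with a MAC address) is reported as failing the check. Whether connected routes are installed into every FIB is governed by the FreeBSD `net.add_addr_allfibs` sysctl; the script does not read it, it only reports what the tables show.

```python
import ipaddress

# Output of `setfib N netstat -4rn` for the three FIBs, copied from the post
# above (FIB 0 is the reference case in which the gateway is reachable).
NETSTAT_BY_FIB = {
    0: """\
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 172.20.31.1 UGS xl0
127.0.0.1 link#4 UH lo0
172.16.32.0/24 link#1 U sk0
172.16.32.64 link#1 UHS lo0
172.20.31.0/24 link#2 U xl0
172.20.31.8 link#3 UHS lo0
172.20.31.39 link#5 UHS lo0
172.20.31.40 link#2 UHS lo0
""",
    1: """\
Routing tables (fib: 1)
Internet:
Destination Gateway Flags Netif Expire
default 172.20.31.1 UGS xl1
127.0.0.1 link#4 UH lo0
172.16.32.0/24 link#1 U sk0
172.20.31.1 00:04:79:68:26:05 UHS xl1
""",
    2: """\
Routing tables (fib: 2)
Internet:
Destination Gateway Flags Netif Expire
default 172.20.31.1 UGS vlan39
127.0.0.1 link#4 UH lo0
172.16.32.0/24 link#1 U sk0
172.20.31.1 00:04:79:68:25:39 UHS vlan39
""",
}


def parse_routes(text):
    """Parse netstat -rn output into (destination, gateway, flags, netif)
    tuples, skipping the header lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Routing", "Internet:", "Destination"):
            continue
        routes.append(tuple(parts[:4]))
    return routes


def check_fib(text):
    """Check that the FIB's default gateway lies inside a connected network
    route (flag U, no G/H, prefix with a mask) whose interface is the one the
    default route points to. Returns a dict describing the finding."""
    routes = parse_routes(text)
    result = {"gateway": None, "default_netif": None, "covering_netif": None,
              "ok": False, "reason": ""}
    defaults = [r for r in routes if r[0] == "default"]
    if not defaults:
        result["reason"] = "no default route"
        return result
    _, gw, _, default_netif = defaults[0]
    gw_ip = ipaddress.ip_address(gw)
    result.update(gateway=gw, default_netif=default_netif)
    # Only directly attached network routes count; host entries such as
    # "172.20.31.1 00:04:79:68:26:05 UHS xl1" have no mask and are skipped.
    connected = [(ipaddress.ip_network(dest, strict=False), netif)
                 for dest, _, flags, netif in routes
                 if "/" in dest and "U" in flags
                 and "G" not in flags and "H" not in flags]
    covering = [(net, netif) for net, netif in connected if gw_ip in net]
    if not covering:
        result["reason"] = "no connected network route covers the gateway"
        return result
    net, netif = covering[0]
    result["covering_netif"] = netif
    if netif != default_netif:
        result["reason"] = f"gateway is on {netif} but default route uses {default_netif}"
        return result
    result["ok"] = True
    result["reason"] = f"gateway inside {net} on {netif}"
    return result


def audit(tables):
    """Run check_fib over every FIB; returns {fib: finding}."""
    return {fib: check_fib(text) for fib, text in tables.items()}


if __name__ == "__main__":
    for fib, finding in audit(NETSTAT_BY_FIB).items():
        status = "OK  " if finding["ok"] else "FAIL"
        print(f"fib {fib}: {status} {finding['reason']}")
```

Run against the tables from the post it reports FIB 0 as passing (172.20.31.1 is inside 172.20.31.0/24 on xl0, the interface the default route uses) and FIBs 1 and 2 as failing, because neither contains a connected 172.20.31.0/24 route on xl1 or vlan39; whether that is the cause of the missing ARP replies is a separate question, but it is the first thing to compare between the FIB that works and the ones that do not.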