netbsd-users: Forwarding issue

Subject: Forwarding issue
To: None <netbsd-users@netbsd.org>
From: Peter Eisch <peter@boku.net>
List: netbsd-users
Date: 11/15/2007 12:55:20
3.1.x system, i386 if it matters, with six network interfaces (2 bge, 4 wm).
There are 60 vlan interfaces (across 1 bge & 3 wm) which fold down to 15
bridges with a tap for each bridge.  There's some ipnat, some ipfilter, some
altq and otherwise a typical router.  Everything works great, has for weeks,
except... 

I have an address on bge0 (ipf passes all in & out) and the router can talk
to everything on the LAN (let's call LAN-A) off bge0.  If I try to connect
to a system on LAN-A from any system on the other interfaces, the packets
never get forwarded out bge0.  For inbound traffic off LAN-A to any system
other than the router I see the packets when tracing bge0 but they never get
forwarded out any of the other interfaces.

It's as though ip-forward is off for that one interface.

The 'netstat -rn' looks right, there are no rules that prohibit any traffic
between the LANs, and all the masks and subnets check out.

      C-|
 B--|   |   |---A (bge0)
    |---R---|
        |
        |---Internet (wm2)

  B & C are off bridged vlans and can access the Internet just fine through
R.  R can talk to everything on the LAN common to A as well as everything
else internal and public.  Neither B nor C can connect to A and A can
connect to neither B nor C.  Traffic between B & C flows fine as well.

I even tried putting R's address on the LAN common with A into a bridge with
a vlan, but it still refused to forward.  The networks for each segment are
B = 10.1.100.0/24; C = 10.1.200.0/24; A = 10.0.101.0/24.  There are other
10's like B & C but they're no more special and everything except the
Internet uses a /24 mask.

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        capabilities=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
        enabled=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
        address: 00:06:5b:fd:a0:28
        media: Ethernet autoselect (1000baseT
full-duplex,flowcontrol,rxpause,txpause)
        status: active
        inet 10.0.101.60 netmask 0xffffff00 broadcast 10.0.101.255
        inet6 fe80::206:5bff:fefd:a028%bge0 prefixlen 64 scopeid 0x1

I'm open to any and all thoughts, ideas, ridicule or encouragement.

Thank you,

peter