On 02/26/2014 02:56 PM, Michal Privoznik wrote:
> On 25.02.2014 22:45, François Chenais wrote:
>> Hello
>>
>> I'm trying to set up a bridged guest on an Ubuntu 13.10 but it doesn't
>> work.
>>
>> (Everything is ok with NAT)
>>
>> Network sniffing shows that ARP replies don't come back to the guest.
>>
>>
>> Test 1
>> ------
>>
>> Guest : ping host_bridge_ip (ok)
>>
>>
>>
>> Test 2
>> ------
>>
>> Guest: ping other_lan_host (KO)
>>
>> other_lan_host
>>
>> - receives arp who-is request
>> - sends arp reply
>> - arp -a shows the guest macaddr
>>
>>
>> => Guest doesn't receive reply
>>
>>
>> Test 3
>> ------
>>
>> other_lan_host ping the Guest (KO)
>>
>> - arp -a shows "incomplete" addr
>> - Guest receives nothing
>>
>>
>> On Host
>> -------
>>
>> network tcpdump on bridge or vnet interfaces shows request but no
>> reply ...
>>
>>
>> Thanks in advance for help or ideas
>>
>>
>> François
>>
>
> I suspect firewall. In my experience 99% of network issues are caused
> by firewall. Try flushing all tables and see if that helps.

...except that firewall problems usually prevent passing IP traffic, but
not ARP requests and responses.

Can the guest ping the host? If not, then you may have something set up
incorrectly with the bridge. Send "ifconfig br0; ifconfig eth0; brctl
show" (replacing "br0" with whatever bridge device you have, and "eth0"
with the host physical ethernet that is attached to the bridge). The
guest's vnetX (tap device) and the "eth0" should be attached to br0 (the
bridge device), and br0 should have an IP address, but eth0 should *not*
have an IP address.

Is this host plugged into a switch port that is locked down to a
particular MAC address? You may need to get the guest's MAC address
enabled at the switch by your IT department.

Another thing to check is whether or not the ARP request is ever making
it out to the physical network device on the host - try running tcpdump
there as well. I've never encountered a Linux system that rejected
outgoing ARP requests for any reason, but this sysctl makes me wonder
how that might get screwed up:

root@vlap /home/laine>sysctl -a | grep bridge
net.bridge.bridge-nf-call-arptables = 1
[...]
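As an added example (not code from this thread, from libvirt or from bridge-utils), the following POSIX shell script applies the bridge checklist in the reply above to captured command output: the physical NIC and a vnet* tap must be ports of the bridge, the bridge must carry the IP address and the NIC must not, and the bridge-nf-call-arptables sysctl tells you whether ARP frames crossing the bridge are subject to arptables at all. The column layout of `brctl show` and `ip -o -4 addr show` is assumed from those tools' usual output; all sample output below is constructed, so the script runs offline and the function names are my own.

```shell
#!/bin/sh
# Checks for a libvirt-style bridged guest setup, run over saved command output.
# Usage on a real host (assumed commands, run as root):
#   check_bridge "$(brctl show)" "$(ip -o -4 addr show)" br0 eth0
#   arp_filtered_by_bridge "$(sysctl -a 2>/dev/null)" && echo "ARP hits arptables"

bridge_members() {
    # $1 = `brctl show` output, $2 = bridge name; prints the bridge's ports, one per line.
    # The first row of a bridge carries name/id/STP/first port; extra ports follow as one-field rows.
    printf '%s\n' "$1" | awk -v br="$2" '
        NR == 1 { next }                                      # header line
        NF >= 3 { cur = $1; if (cur == br && NF >= 4) print $4; next }
        NF == 1 { if (cur == br) print $1 }                   # continuation rows
    '
}

iface_has_ip() {
    # $1 = `ip -o -4 addr show` output, $2 = interface; exit 0 if it has an IPv4 address.
    printf '%s\n' "$1" | awk -v i="$2" '$2 == i && $3 == "inet" { found = 1 } END { exit !found }'
}

check_bridge() {
    # $1 = brctl output, $2 = ip addr output, $3 = bridge, $4 = physical NIC.
    # Prints every deviation from the expected layout; returns 0 only when there is none.
    rc=0
    members=$(bridge_members "$1" "$3")
    printf '%s\n' "$members" | grep -qx "$4" || { echo "PROBLEM: $4 is not a port of $3"; rc=1; }
    printf '%s\n' "$members" | grep -q '^vnet' || { echo "PROBLEM: no vnet* tap device on $3"; rc=1; }
    iface_has_ip "$2" "$3" || { echo "PROBLEM: $3 has no IP address"; rc=1; }
    if iface_has_ip "$2" "$4"; then
        echo "PROBLEM: $4 has an IP address; as a bridge port it should have none"
        rc=1
    fi
    return $rc
}

arp_filtered_by_bridge() {
    # $1 = `sysctl -a` output; exit 0 when bridged ARP traffic is handed to arptables.
    printf '%s\n' "$1" | grep -q '^net.bridge.bridge-nf-call-arptables *= *1$'
}

# Constructed sample output (spaces instead of brctl's tabs; awk splits on either).
BRCTL_SAMPLE='bridge name     bridge id               STP enabled     interfaces
br0             8000.001122334455       no              eth0
                                                        vnet0
virbr0          8000.525400aabbcc       yes             virbr0-nic'

# Constructed: the common mistake, eth0 still owns an address alongside br0.
ADDR_BAD='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
4: br0    inet 192.0.2.20/24 brd 192.0.2.255 scope global br0\       valid_lft forever preferred_lft forever'

# Constructed: the expected layout, only the bridge has an address.
ADDR_GOOD='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: br0    inet 192.0.2.20/24 brd 192.0.2.255 scope global br0\       valid_lft forever preferred_lft forever'

SYSCTL_SAMPLE='net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1'

# Demonstration run over the constructed samples.
echo "== misconfigured host =="
check_bridge "$BRCTL_SAMPLE" "$ADDR_BAD" br0 eth0 || echo "bridge layout needs fixing"
echo "== expected layout =="
check_bridge "$BRCTL_SAMPLE" "$ADDR_GOOD" br0 eth0 && echo "bridge layout looks right"
arp_filtered_by_bridge "$SYSCTL_SAMPLE" && echo "note: ARP on the bridge passes through arptables; check those rules too"
```

On a real host run the checks as root against live output; the sysctl check only says whether arptables rules can affect bridged ARP, so a positive result is a cue to inspect `arptables -L`, not proof of a drop.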