On 02/26/2014 02:56 PM, Michal Privoznik wrote:
> On 25.02.2014 22:45, François Chenais wrote:
>> Hello
>>
>> I'm trying to set up a bridged guest on an Ubuntu 13.10 host, but it doesn't
>> work.
>>
>> (Everything is OK with NAT.)
>>
>> Network sniffing shows that ARP replies don't come back to the guest.
>>
>> Test 1
>> ------
>>
>> Guest: ping host_bridge_ip (OK)
>>
>> Test 2
>> ------
>>
>> Guest: ping other_lan_host (KO)
>>
>> other_lan_host
>>
>> - receives the ARP who-is request
>> - sends an ARP reply
>> - arp -a shows the guest MAC address
>>
>> => Guest doesn't receive the reply
>>
>> Test 3
>> ------
>>
>> other_lan_host pings the guest (KO)
>>
>> - arp -a shows an "incomplete" address
>> - Guest receives nothing
>>
>> On Host
>> -------
>>
>> tcpdump on the bridge or vnet interfaces shows the request but no
>> reply ...
>>
>> Thanks in advance for help or ideas
>>
>> François
>>
>
> I suspect the firewall. In my experience, 99% of network issues are caused
> by the firewall. Try flushing all tables and see if that helps.

...except that firewall problems usually prevent passing IP traffic, but
not ARP requests and responses.

Can the guest ping the host? If not, then you may have something set up
incorrectly with the bridge. Send "ifconfig br0; ifconfig eth0; brctl
show" (replacing "br0" with whatever bridge device you have, and "eth0"
with the host physical ethernet that is attached to the bridge). The
guest's vnetX (tap device) and "eth0" should be attached to br0 (the
bridge device), and br0 should have an IP address, but eth0 should *not*
have an IP address.

Is this host plugged into a switch port that is locked down to a
particular MAC address? You may need to get the guest's MAC address
enabled at the switch by your IT department.

Another thing to check is whether or not the ARP request is ever making
it out to the physical network device on the host - try running tcpdump
there as well. I've never encountered a Linux system that rejected
outgoing ARP requests for any reason, but this sysctl makes me wonder
how that might get screwed up:

    root@vlap /home/laine>sysctl -a | grep bridge
    net.bridge.bridge-nf-call-arptables = 1
    [...]
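The checklist in the reply above (tap and physical NIC enslaved to the bridge, IP on the bridge only, bridge-nf-call-arptables value), turned into a small checker. This is an added example, not code from the thread or from libvirt; the function names are mine and the `brctl show` / `ip -o -4 addr show` output it parses is constructed, not captured from the poster's host.

```python
import re

def parse_brctl_show(text):
    """Map bridge name -> set of enslaved interfaces, parsed from `brctl show` output."""
    members, bridge = {}, None
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if not cols:
            continue
        if not line[0].isspace():               # bridge row: name, id, stp, [first iface]
            bridge = cols[0]
            members[bridge] = set(cols[3:4])
        elif bridge:                            # indented continuation row: one more iface
            members[bridge].add(cols[0])
    return members

def parse_ip_addr(text):
    """Map interface -> list of IPv4 addresses, parsed from `ip -o -4 addr show` output."""
    addrs = {}
    for m in re.finditer(r"^\d+:\s+(\S+)\s+inet\s+(\S+)", text, re.M):
        addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs

def check_bridge(brctl_out, ip_out, nf_call_arptables, bridge="br0", phys="eth0"):
    """Return the deviations from the checklist; an empty list means the layout is as expected."""
    ports = parse_brctl_show(brctl_out).get(bridge, set())
    addrs = parse_ip_addr(ip_out)
    problems = []
    if phys not in ports:
        problems.append(f"{phys} is not attached to {bridge}")
    if not any(p.startswith("vnet") for p in ports):
        problems.append(f"no guest tap device (vnetX) attached to {bridge}")
    if not addrs.get(bridge):
        problems.append(f"{bridge} has no IP address")
    if addrs.get(phys):
        problems.append(f"{phys} has an IP address; it belongs on {bridge} instead")
    if nf_call_arptables == 1:
        problems.append("bridge-nf-call-arptables=1: arptables rules are applied to bridged ARP")
    return problems

# Constructed sample output (not captured from the thread's host).
GOOD_BRCTL = ("bridge name\tbridge id\t\tSTP enabled\tinterfaces\n"
              "br0\t\t8000.001122334455\tno\t\teth0\n"
              "\t\t\t\t\t\t\tvnet0\n")
GOOD_IP = "4: br0    inet 192.168.1.10/24 brd 192.168.1.255 scope global br0\\       valid_lft forever\n"
BAD_IP = "2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever\n"

if __name__ == "__main__":
    for label, ip_out, nf in (("good", GOOD_IP, 0), ("bad", BAD_IP, 1)):
        print(label, check_bridge(GOOD_BRCTL, ip_out, nf) or "OK")
```

On a real host, feed it the output of `brctl show`, `ip -o -4 addr show` and the value of `sysctl -n net.bridge.bridge-nf-call-arptables`.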
2014-02-26 15:10 GMT+01:00 Laine Stump <laine@laine.org>:
> On 02/26/2014 02:56 PM, Michal Privoznik wrote:
> > On 25.02.2014 22:45, François Chenais wrote:
> >> [...]
> >
> > I suspect the firewall. In my experience, 99% of network issues are caused
> > by the firewall. Try flushing all tables and see if that helps.
>
> ...except that firewall problems usually prevent passing IP traffic, but
> not ARP requests and responses.

... and tcpdump gets IP traffic before the FW ... and I have disabled the FW ...

> Can the guest ping the host?

Yes: see Test 1

> If not, then you may have something set up
> incorrectly with the bridge. Send "ifconfig br0; ifconfig eth0; brctl
> show" (replacing "br0" with whatever bridge device you have, and "eth0"
> with the host physical ethernet that is attached to the bridge). The
> guest's vnetX (tap device) and "eth0" should be attached to br0 (the
> bridge device), and br0 should have an IP address, but eth0 should *not*
> have an IP address.

That's OK

> Is this host plugged into a switch port that is locked down to a
> particular MAC address? You may need to get the guest's MAC address
> enabled at the switch by your IT department.

I'm the IT department, I'm doing those tests at home :)

It works well at work on CentOS ...

> Another thing to check is whether or not the ARP request is ever making
> it out to the physical network device on the host - try running tcpdump
> there as well. I've never encountered a Linux system that rejected
> outgoing ARP requests for any reason, but this sysctl makes me wonder
> how that might get screwed up:
>
> root@vlap /home/laine>sysctl -a | grep bridge
> net.bridge.bridge-nf-call-arptables = 1
> [...]

I got 0 there ...

I've tried with a DSL box but, because I don't see the reply on the host,
I suspect a special configuration. So I used an alternate switch,
a Netgear switch (GS608), but it fails too...

I just tried with a direct cable link between the host and other_computer
and ... ** it's working ... **

It seems the 2 switches don't support multiple MACs on the same port !!! :/

I didn't expect this, but it's not so surprising with low-price hardware ...

Thanks all !!

François

PS: do I have to change the subject with RESOLVE ?
2014-02-26 21:36 GMT+01:00 François Chenais <francois.chenais@gmail.com>:
> 2014-02-26 15:10 GMT+01:00 Laine Stump <laine@laine.org>:
>> [...]
>
> [...]
>
> I just tried with a direct cable link between the host and other_computer
> and ... ** it's working ... **
>
> It seems the 2 switches don't support multiple MACs on the same port !!! :/
>
> I didn't expect this, but it's not so surprising with low-price hardware ...
>
> Thanks all !!
>
> François
>
> PS: do I have to change the subject with RESOLVE ?

Not at all ...

I've just tried using macvlan (type bridge), which sets a new MAC address,
and ... it's working .... !!!?:/

      ___
     |   |
     | 0 |
     /|\
     / \
-------------

As Michal suggests, it's perhaps a bad FW configuration, or maybe I forgot
something in my tests, or the error is SO BIG that I don't see it 8-|

I'll make some new tests to understand this error.

Thanks a lot ...