From: "Patrick M. Hausen" <hausen@punkt.de>
Subject: Running bridged interfaces inside VMware ESXi
Message-Id: <23E68056-5CD3-4FDD-BCB5-C689A9D12AFF@punkt.de>
Date: Tue, 14 Aug 2018 13:04:39 +0200
To: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

Hi all,

I'm trying to deploy our "proServer" setup inside a VM that is unfortunately not controlled by us.

Problem is that I can connect to and ping the host (i.e. FreeBSD running in the hypervisor VM), but network connectivity to a jail using VIMAGE and a bridged interface with iocage is enervatingly flaky without a clearly visible pattern - at least to me.

The VMware port group has forged transmits, MAC address changes and promiscuous mode in the guest allowed, of course.

Symptoms are:

* Jail booted - not reachable from the outside
* Iocage console into the jail, ping system at some remote location - works
* While that ping is running, connections from the outside *somewhat* work
* Up to the point where you can SSH into the jail, but then suddenly packets are dropped again

The admin of the central (Cisco ASA) firewall at the remote site was so cooperative as to open my host (VM) and the jail transparently and disable (so he said) all IDS/IPS/deep-whatever functions for my two target addresses.

I suspect problems with ARP (all IPv4 over there :-/), but I can only tcpdump inside my VM, no access to a packet trace on the wire.

We have that very same setup running in VMware in various environments. Some even maintained by someone else just like in this case. This is the first one not "just working". VMware multipathing getting in the way?

I think I know my way around these issues quite well, so I'm rather puzzled now, and I start to think I'm missing something "too obvious". Has anybody ever seen a problem like this? I'm simply running out of ideas at the moment ...

Thanks,
Patrick

-- 
punkt.de GmbH			Internet - Dienstleistungen - Beratung
Kaiserallee 13a			Tel.: 0721 9109-0 Fax: -100
76133 Karlsruhe			info@punkt.de	http://punkt.de
AG Mannheim 108285		Gf: Juergen Egeling
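Since the only vantage point mentioned in the mail is tcpdump inside the VM, a useful first check for the ARP suspicion is to count, per target address, how many ARP requests crossed the bridge and how many got a reply. That separates "requests go out, nothing ever answers" (an ARP/vSwitch-level problem) from "ARP resolves fine, frames are dropped later" (a forwarding or firewall problem). The script below is an added example and is not part of Patrick's mail or of any punkt.de tooling; it assumes the text output format of `tcpdump -n -e -i <bridge> arp` on FreeBSD, and the MAC and IP addresses in the embedded sample capture are constructed values (192.0.2.0/24 is the TEST-NET-1 documentation range). The function names `write_sample_capture`, `arp_summary` and `arp_unanswered` are mine.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original mail): summarise ARP traffic
# seen by tcpdump on the bridge, to tell "request sent, never answered" from
# "answered, but frames still dropped later".
# Capture format assumed: text output of `tcpdump -n -e -i bridge0 arp`.
# All addresses below are constructed sample values (192.0.2.0/24 is TEST-NET-1).

# Write a constructed sample capture to the file named in $1.
# 192.0.2.20 is asked for twice and answered once; 192.0.2.21 is asked for
# three times and never answered (the pattern an ARP problem would show).
write_sample_capture() {
    cat > "$1" <<'EOF'
13:04:39.000100 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.20 tell 192.0.2.1, length 28
13:04:39.000400 02:ff:60:00:00:20 > 00:0c:29:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.0.2.20 is-at 02:ff:60:00:00:20, length 28
13:04:40.000100 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.21 tell 192.0.2.1, length 28
13:04:41.000100 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.21 tell 192.0.2.1, length 28
13:04:42.000100 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.21 tell 192.0.2.1, length 28
13:04:43.000100 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.20 tell 192.0.2.1, length 28
EOF
}

# Print "target-ip requests replies" for every address that was asked for,
# one line per address, sorted. The IP after "who-has" is the request target;
# the IP after "Reply" is the address the reply resolves.
arp_summary() {
    awk '
        /Request who-has/ {
            for (i = 1; i <= NF; i++) if ($i == "who-has") req[$(i+1)]++
        }
        /Reply/ {
            for (i = 1; i <= NF; i++) if ($i == "Reply") rep[$(i+1)]++
        }
        END {
            for (ip in req) printf "%s %d %d\n", ip, req[ip], rep[ip] + 0
        }
    ' "$1" | sort
}

# Print only the addresses that were asked for and never answered.
arp_unanswered() {
    arp_summary "$1" | awk '$3 == 0 { print $1 }'
}

# Stand-alone usage: `sh arpcheck.sh --demo` builds the sample and reports on it.
# For a real capture: `tcpdump -n -e -i bridge0 arp > cap.txt; arp_summary cap.txt`
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_capture "$tmp"
    echo "target requests replies"; arp_summary "$tmp"
    echo "never answered:"; arp_unanswered "$tmp"
    rm -f "$tmp"
fi
```

If the jail's address shows up under "never answered" while requests for the host's own address are answered, the problem sits at the layer where the vSwitch decides which MAC addresses a port may use, which is exactly what the forged-transmits and MAC-address-change settings govern; if every request is answered and packets still disappear, the ARP theory can be set aside and the capture should be read for the dropped TCP flows instead.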