From owner-freebsd-net@FreeBSD.ORG Wed Oct 27 00:04:38 2010
Message-ID: <4CC765FA.20202@googlemail.com>
Date: Wed, 27 Oct 2010 00:36:26 +0100
From: David Evans
To: FreeBSD Net
Subject: Bridge problems, possibly due to proxy arp on Parallels Desktop
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 27 Oct 2010 00:04:38 -0000

Summary

To make a ping from an OpenVPN client using TAP work, I have to set the
bridge interface manually using
"ifconfig bridge0 static tap0 <3dosexp-ethernet-address>" on the server.

My setup

Host 3dosexp
  IP 192.168.0.220 on tap0
  FreeBSD 8.1, OpenVPN client using tap0 interface.
  This is a Virtual Machine on Parallels Desktop 6.0 for Mac OS X. It has
  one virtual NIC which is on the Desktop host-only network, which is used
  for the encrypted channel for OpenVPN.

Host Eight
  IP 192.168.0.8 on bridge0.
  FreeBSD 8.1, OpenVPN server using bridged networking.
  This is another VM on Desktop. It has one virtual NIC on host-only
  networking which is used for the other end of the OpenVPN link. It has
  another NIC on Desktop bridged networking (not the same as OpenVPN) with
  IP 192.168.0.8 on interface em0.

Host Two
  IP 192.168.0.2 on en1
  Mac OS X 10.6
  This is a real machine. Interface en1 is bridged by Desktop. en1 is a
  wifi interface. It connects to:-

Router One
  IP 192.168.0.1
  Netgear DG834G wireless and 4-port router.

Host 3dos
  IP 192.168.0.250 on vr0
  PC running FreeBSD 8.1 i386, connected via cable to the router. It is
  destined to become a VPN server in a small office when the networking
  starts working.

----------
Problem One

Pinging from Host 3dosexp to Host Two does not work.

Running "ifconfig bridge0 addr" on host Eight to see what interfaces are
used for which ethernet address shows that all interfaces are set to em0.

Setting a static interface to tap0 for the ethernet address assigned to
tap0 on host 3dosexp makes the ping work
( using "ifconfig bridge0 static tap0 <3dosexp-ethernet-address>" ).

Running "ifconfig bridge0 flushall" on host Eight stops the ping working.
"ifconfig bridge0 addr" shows the ethernet address for host 3dosexp is now
set back to interface em0.

----------
Problem two

Run the command for setting the static interface as described in problem
one. Trying a ping from host 3dosexp (VPN client) to host 3dos (attached
to the router) does not work. Ping responds with
"ping: sendto: Host is down".

On host Eight (the VPN server) running tcpdump on interface em0 shows that
there are arp requests "Who has 192.168.0.250 tell 192.168.0.220" and arp
replies from host 192.168.0.250. The destination of the arp replies is the
ethernet address of interface em0. The replies never get through the
bridge and out onto interface tap0.

That's almost true, but sometimes something seems to flip and ping starts
sending ICMP echo requests. Again, looking at the interfaces with tcpdump
shows ICMP requests and replies on interface em0. The replies have an
ethernet destination of the ethernet address of em0. Surely they should be
destined for host 3dosexp (the client). The replies do not make it through
the bridge.

I suspect at the moment that this is something to do with Desktop bridged
networking using Proxy ARP between the virtual and real networks.

------------
ifconfig for host Eight (the VPN server)

em0: flags=8943 metric 0 mtu 1500
        options=98
        ether 00:1c:42:01:3f:6c
        media: Ethernet autoselect (1000baseT )
        status: active
em1: flags=8843 metric 0 mtu 1500
        options=9b
        ether 00:1c:42:f2:f0:b0
        inet 10.37.129.3 netmask 0xffffff00 broadcast 10.37.129.255
        media: Ethernet autoselect (1000baseT )
        status: active
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3
tap0: flags=8943 metric 0 mtu 1500
        options=80000
        ether 00:bd:75:26:00:00
        Opened by PID 1391
bridge0: flags=8843 metric 0 mtu 1500
        ether 6e:67:0a:b1:17:91
        inet 192.168.0.8 netmask 0xffffff00 broadcast 192.168.0.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: tap0 flags=143
                ifmaxaddr 0 port 4 priority 128 path cost 2000000
        member: em0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 20000

---------
bridge startup script (immediately after reboot has finished)

#!/bin/sh
ifconfig tap0 down
ifconfig bridge0 down
ifconfig bridge0 destroy
ifconfig tap0 destroy
ifconfig tap0 create
ifconfig tap0 up
ifconfig em0 up
ifconfig bridge0 create
ifconfig bridge0 addm em0 addm tap0 up
ifconfig bridge0 inet 192.168.0.8 netmask 255.255.255.0

---------
routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
10.37.129.0/24     link#2             U           1      165    em1
10.37.129.3        link#2             UHS         0        0    lo0
127.0.0.1          link#3             UH          0        0    lo0
192.168.0.0/24     link#5             U           0       49 bridge
192.168.0.8        link#5             UHS         0        0    lo0
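The workaround in the post (pinning the client's MAC to tap0 with "ifconfig bridge0 static", which "flushall" then silently undoes) is easy to lose track of, so the following sh script, added here as an example and not part of David Evans's post or the FreeBSD tools, audits the bridge(4) forwarding table against a list of MACs that must sit behind a given member port, and emits the static entries needed to put them back. It assumes the FreeBSD 8.x "ifconfig bridge0 addr" line format "<mac> <member-if> <expire> flags=<n><FLAGS>" (newer releases add a VlanN column after the MAC, in which case the awk field numbers need adjusting); the address table and the client MAC below are constructed sample data, with only em0's own address taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the bridge(4)
# forwarding table of an OpenVPN TAP bridge host such as "Eight" above.
# Assumed FreeBSD 8.x "ifconfig bridge0 addr" line format:
#   <mac> <member-if> <expire> flags=<n><FLAGS>
# Assumption: newer releases print a "VlanN" column after the MAC; adjust
# the awk field numbers ($2 -> $3) if your release does.

# Constructed sample output standing in for `ifconfig bridge0 addr`.
# The first MAC is em0's own address from the post; the other two are
# made-up placeholders for the VPN client (3dosexp) and for host Two.
# Everything has been learned on em0, which is exactly the symptom reported.
SAMPLE_ADDR_TABLE='00:1c:42:01:3f:6c em0 1200 flags=0<>
00:bd:75:26:00:01 em0 1187 flags=0<>
02:00:00:00:00:02 em0 1152 flags=0<>'

# Which MACs must always be reachable through which member port.
# Format: "mac=ifname", whitespace separated. The client MAC here is the
# constructed placeholder above, not a real address.
PINNED='00:bd:75:26:00:01=tap0'

# audit_bridge_addrs TABLE PINNED
# Prints "mac learned-on expected" for every pinned MAC that the bridge has
# learned on the wrong member port. Exit status 0 if all pins match, 1 if not.
audit_bridge_addrs() {
    printf '%s\n' "$1" | awk -v pinned="$2" '
        BEGIN {
            n = split(pinned, pairs, /[ \t\n]+/)
            for (i = 1; i <= n; i++) {
                if (pairs[i] == "") continue
                split(pairs[i], kv, "=")
                want[tolower(kv[1])] = kv[2]
            }
            bad = 0
        }
        # A MAC column is 17 characters of hex digits and colons; skip the rest.
        NF >= 2 && length($1) == 17 && $1 ~ /^[0-9a-fA-F:]*$/ {
            mac = tolower($1); port = $2
            if (mac in want && want[mac] != port) {
                printf "%s %s %s\n", mac, port, want[mac]
                bad = 1
            }
        }
        END { exit bad }
    '
}

# pin_commands TABLE PINNED [BRIDGE]
# Turns each mismatch into the static entry that would correct it
# (the same command the post uses by hand). BRIDGE defaults to bridge0.
pin_commands() {
    bridge="${3:-bridge0}"
    audit_bridge_addrs "$1" "$2" | while read -r mac port want; do
        printf 'ifconfig %s static %s %s\n' "$bridge" "$want" "$mac"
    done
}

# apply_pins BRIDGE PINNED
# For use on the bridge host itself, e.g. after the startup script or after
# a "flushall": reads the live table and installs the missing static entries.
apply_pins() {
    pin_commands "$(ifconfig "$1" addr)" "$2" "$1" | sh
}
```

Running `audit_bridge_addrs "$SAMPLE_ADDR_TABLE" "$PINNED"` on the sample prints `00:bd:75:26:00:01 em0 tap0` and exits non-zero, and `pin_commands` turns that into the corresponding `ifconfig bridge0 static tap0 ...` line; a periodic call to `apply_pins bridge0 "$PINNED"` from cron would re-establish the entries whenever the learned table drifts back to em0.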