From: "Bjoern A. Zeeb"
To: "Alexander N. Lunev"
Cc: freebsd-net@freebsd.org
Subject: Re: VLAN+bridge problem [was: no network between jails and host with VNET on same interface]
Date: Wed, 02 Oct 2019 09:21:56 +0000

On 27 Sep 2019, at 13:31, Alexander N. Lunev via freebsd-net wrote:

> Hello everyone!
>
> I have a strange connectivity problem on jails with VNET networking.
>
> I've deployed a jail system with VNET networking on a server with
> FreeBSD 12.0-RELEASE-p10. Jails are working fine, can reach out outer
> network and each other, but there's no connectivity between host and
> jails.
>
> Server is connected to switch trunk port by igb1 interface, which is
> bridged with epairXa interfaces in bridge0, while jails using epairXb
> interfaces (they are renamed to jail0 in each jail to simplify
> things).
>
>
> ======= host =============================
>   [igb1]-----------------------\
>     |                          +---------+
>   [vlan4 (10.1.1.247)]         |         |
>                                | bridge0 |
>    /--[epair1a]----------------|         |
>   /                            +---------+
>  |  /-[epair0a]--------------------/
>  |  |
> ===== jail1_filter2 ======================
>  |  \-[jail0(ex-epair0b)]
>  |     |
>  |   [vlan4 (10.1.1.26)]
> ===== jail2_noc ==========================
>  \-[jail0(ex-epair1b)]
>     |
>   [vlan4 (10.1.1.201)]
> ===========================================
>
>
> On the host and in every jail i have a vlan4 interface, and here's
> addresses for those vlan4 interfaces:
>
> host@vlan4: 10.1.1.247
> jail1_filter2@vlan4: 10.1.1.26
> jail2_noc@vlan4: 10.1.1.201
>
> Host can't ping jails, but can ping outer world. Jails can ping each
> other and outer world, but not host - "ping: sendto: Host is down",
> there's no ARP entry for host' vlan4 address.
>
> I've tried to add static arp entry for 10.1.1.247 in jails - with no
> success (arp is added, network still not working).
>
> Host and both jails have firewall_type=OPEN configured.
>
> What is wrong here?

I believe the problem here is not jail specific at all. I’d assume, the same would happen in other scenarios where you bridge on the host to another interface.

I am assuming the VLAN interface output routine calls the igb1 output routine and the bridge never sees that packet but I haven’t looked at the vlan code in a long time.

My best guess would be to try to create the VLAN interface on the host upon the bridge and not upon the physical interface. Can you try that and see if that works?

/bz