From: D'Arcy Cain
To: FreeBSD Net
Subject: Re: Bridge woes
Date: Wed, 28 Oct 2020 07:31:39 -0400

On 10/27/20 2:58 PM, Michael Gmelin wrote:

I hope you don't mind but I reverted this conversation back to the list in
case it gives someone else any ideas.

> Hi,
>
> I tried to reproduce the problem on my home network, but things just
> work as expected.
>
> I could run VMs with IPs off the local network, fixed ones as well as
> DHCP.
>
> The topology looks a bit different:
> vm->server->router ->(nat)-> internet
> |
> + dhcp/dns

I suppose that that is essentially the same but let me see if I get it. You
have a network, say 192.168.1.0/24, behind your NAT router. You have
physical servers like 192.168.1.1 and 192.168.1.2 on this network. You then
put a VM on the .1 host numbered 192.168.1.3 and it can connect to
192.168.1.2. Is that correct?

> I would speculate that there's either something going on with
> the switch (you might want to take a look at it), or you're experiencing
> some sort of asymmetric routing issue (ping/icmp is usually just fine

Not sure what that could be. It's not just a problem with external hosts.
Hosts on the same network are also showing the symptoms. Another point is
that I can access it inbound. It's only outbound connections that don't
work.

> with that). Or it might be something with the bge driver (I'm using em

The only server that it can connect to is running bce. I have some em
servers but it doesn't connect to those.

> here). I assume you already tried disabling all sorts of offloading to
> see if it makes a difference?

Yep.
I tried -tso -lro -rxcsum -rxcsum6 -txcsum -txcsum6 -vlanhwtag
-vlanhwtso and subsets of that.

> Other than that I would suggest to play with tcpdump to see if packets
> are returned on the same interface they've been sent out on or not.

Here is an example packet seen on the host:

11:20:40.397067 IP 98.158.139.71.44448 > 98.158.139.66.22: Flags [S], seq 3285763868, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3003762262 ecr 0], length 0

The .66 never sees the packet and the host never sees a return packet. On
the other hand, a connection attempt from .66 to the VM shows up properly.

> Proxy arp might play a role on a local network, that's something I've
> seen in the past when I had hosts with multiple interfaces on the same
> (multiple) networks. If you can afford to try it, I would see if
> shutting down eth1 (and then flushing all arp tables on all
> hosts/devices involved in your test) makes a difference[0].

I want to be careful about dropping eth1 as it is the only way in if I mess
up eth0.

-- 
D'Arcy J.M. Cain                  |  Democracy is three wolves
http://www.druid.net/darcy/       |  and a sheep voting on
+1 416 788 2246 (DoD#0082) (eNTP) |  what's for dinner.
IM: darcy@VybeNetworks.com, VoIP: sip:darcy@druid.net
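Added example, not part of the original message or the thread: one way to carry out the tcpdump check suggested above is to capture on each interface with `tcpdump -n -i <interface>` and pair every outbound SYN with the interface its SYN-ACK comes back on. The eth0/eth1 split, the 192.0.2.x lines and all function names are constructed for illustration; only the first sample line is the packet quoted in the message.

```python
import re
from collections import defaultdict

# One-line TCP format printed by `tcpdump -n`, as in the packet quoted in the message.
LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def trace_handshakes(captures):
    """captures maps interface name -> tcpdump text lines captured on it.
    Returns {(client, cport, server, sport): {"syn": ifaces, "synack": ifaces}}."""
    flows = defaultdict(lambda: {"syn": set(), "synack": set()})
    for iface, lines in captures.items():
        for line in lines:
            m = LINE.match(line.strip())
            if not m:
                continue  # not a TCP-over-IPv4 line
            src, sport, dst, dport, flags = m.groups()
            if flags == "S":       # initial SYN, client -> server
                flows[(src, int(sport), dst, int(dport))]["syn"].add(iface)
            elif flags == "S.":    # SYN-ACK, server -> client: same flow, reversed
                flows[(dst, int(dport), src, int(sport))]["synack"].add(iface)
    return dict(flows)

def classify(flow):
    """Say where the reply to a SYN was seen, relative to where the SYN left."""
    if not flow["syn"]:
        return "reply-only"    # capture began after the SYN went out
    if not flow["synack"]:
        return "no-reply"      # the symptom described in the message
    return "symmetric" if flow["synack"] <= flow["syn"] else "asymmetric"

def report(captures):
    return {key: classify(f) for key, f in trace_handshakes(captures).items()}

# Constructed sample: the first line is the packet from the message; the
# 192.0.2.x lines and the eth0/eth1 split are made up for illustration.
SAMPLE = {
    "eth0": [
        "11:20:40.397067 IP 98.158.139.71.44448 > 98.158.139.66.22: Flags [S], seq 3285763868, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3003762262 ecr 0], length 0",
        "11:20:41.000100 IP 192.0.2.10.50000 > 192.0.2.20.22: Flags [S], seq 100, win 65535, length 0",
        "11:20:41.000400 IP 192.0.2.20.22 > 192.0.2.10.50000: Flags [S.], seq 900, ack 101, win 65535, length 0",
        "11:20:42.000100 IP 192.0.2.10.50001 > 192.0.2.30.22: Flags [S], seq 200, win 65535, length 0",
    ],
    "eth1": [
        "11:20:42.000500 IP 192.0.2.30.22 > 192.0.2.10.50001: Flags [S.], seq 700, ack 201, win 65535, length 0",
    ],
}

if __name__ == "__main__":
    print(report(SAMPLE))
```

A "no-reply" flow on every interface points at the path or the peer; an "asymmetric" one means the answer is arriving, but on the other interface.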