From: Michael Gmelin
Date: Wed, 28 Oct 2020 15:27:52 +0100
Subject: Re: Bridge woes
To: D'Arcy Cain
Cc: FreeBSD Net

> On 28. Oct 2020, at 12:32, D'Arcy Cain wrote:
>
> On 10/27/20 2:58 PM, Michael Gmelin wrote:
>
> I hope you don't mind but I reverted this conversation back to the list in case it gives someone else any ideas.
>
>> Hi,
>> I tried to reproduce the problem on my home network, but things just
>> work as expected.
>> I could run VMs with IPs off the local network, fixed ones as well as
>> DHCP.
>> The topology looks a bit different:
>> vm->server->router ->(nat)-> internet
>> |
>> + dhcp/dns
>
> I suppose that that is essentially the same but let me see if I get it. You have a network, say 192.168.1.0/24, behind your NAT router. You have physical servers like 192.168.1.1 and 192.168.1.2 on this network. You then put a VM on the .1 host numbered 192.168.1.3 and it can connect to 192.168.1.2. Is that correct?
>
>> I would speculate that there's either something going on with
>> the switch (you might want to take a look at it), or you're experiencing
>> some sort of asymmetric routing issue (ping/icmp is usually just fine
>
> Not sure what that could be. It's not just a problem with external hosts. Hosts on the same network are also showing the symptoms. Another point is that I can access it inbound. It's only outbound connections that don't work.
>
>> with that). Or it might be something with the bge driver (I'm using em
>
> The only server that it can connect to is running bce. I have some em servers but it doesn't connect to those.
>
>> here). I assume you already tried disabling all sorts of offloading to
>> see if it makes a difference?
>
> Yep. I tried -tso -lro -rxcsum -rxcsum6 -txcsum -txcsum6 -vlanhwtag -vlanhwtso and subsets of that.
>
>> Other than that I would suggest to play with tcpdump to see if packets
>> are returned on the same interface they've been sent out on or not.
>
> Here is an example packet seen on the host:
>
> 11:20:40.397067 IP 98.158.139.71.44448 > 98.158.139.66.22: Flags [S], seq 3285763868, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3003762262 ecr 0], length 0
>
> The .66 never sees the packet and the host never sees a return packet. On the other hand, a connection attempt from .66 to the VM shows up properly.
>
>
>> Proxy arp might play a role on a local network, that's something I've
>> seen in the past when I had hosts with multiple interfaces on the same
>> (multiple) networks. If you can afford to try it, I would see if
>> shutting down eth1 (and then flushing all arp tables on all
>> hosts/devices involved in your test) makes a difference[0].
>
> I want to be careful about dropping eth1 as it is the only way in if I mess up eth0.
>

Can you (afford to) reboot the machine reliably? If so, schedule a reboot using "shutdown -r +10" and then bring down the interface to see if it makes a difference.

-m

> --
> D'Arcy J.M. Cain | Democracy is three wolves
> http://www.druid.net/darcy/ | and a sheep voting on
> +1 416 788 2246 (DoD#0082) (eNTP) | what's for dinner.
> IM: darcy@VybeNetworks.com, VoIP: sip:darcy@druid.net
>
> Disclaimer: By sending an email to ANY of my addresses you
> are agreeing that:
>
> 1. I am by definition, "the intended recipient".
> 2. All information in the email is mine to do with as I see
> fit and make such financial profit, political mileage, or
> good joke as it lends itself to. In particular, I may quote
> it where I please.
> 3. I may take the contents as representing the views of
> your company if I so wish.
> 4. This overrides any disclaimer or statement of
> confidentiality that may be included or implied in
> your message.
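
The tcpdump check discussed in this thread (does the SYN leave on the expected interface, and does the SYN-ACK come back on the same one?) can be automated over per-interface captures. The following is an added example, not part of the original message: the function names are hypothetical, treating eth0 as the egress interface is an assumption, and every sample line except the SYN quoted in the thread is constructed.

```python
import re
from collections import defaultdict

# tcpdump's default one-line TCP output: "<time> IP src.port > dst.port: Flags [..]"
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample. The first eth0 line is the SYN quoted in the thread (capturing
# it on eth0 is an assumption); the 192.0.2.x lines are made up for illustration.
SAMPLE = {
    "eth0": "11:20:40.397067 IP 98.158.139.71.44448 > 98.158.139.66.22: Flags [S], "
            "seq 3285763868, win 65535, options [mss 1460,nop,wscale 6,sackOK,"
            "TS val 3003762262 ecr 0], length 0\n"
            "11:21:02.000100 IP 192.0.2.10.50000 > 192.0.2.20.22: Flags [S], seq 1, win 65535, length 0\n",
    "eth1": "11:21:02.000900 IP 192.0.2.20.22 > 192.0.2.10.50000: Flags [S.], seq 9, ack 2, win 65535, length 0\n",
}

def handshakes(captures):
    """captures maps interface name -> tcpdump text. Returns {flow: {"syn", "synack"}},
    flow = (client_ip, client_port, server_ip, server_port), values = interface sets."""
    seen = defaultdict(lambda: {"syn": set(), "synack": set()})
    for ifname, text in captures.items():
        for line in text.splitlines():
            m = LINE.match(line.strip())
            if not m:
                continue
            a = (m["src"], int(m["sport"]))
            b = (m["dst"], int(m["dport"]))
            if m["flags"] == "S":      # plain SYN, client -> server
                seen[a + b]["syn"].add(ifname)
            elif m["flags"] == "S.":   # SYN-ACK, server -> client: key by the client side
                seen[b + a]["synack"].add(ifname)
    return dict(seen)

def diagnose(captures, egress):
    """One verdict per flow; egress is the interface the SYN is expected to leave on."""
    verdicts = {}
    for flow, s in handshakes(captures).items():
        if egress not in s["syn"]:
            verdicts[flow] = "SYN never reached " + egress
        elif not s["synack"]:
            verdicts[flow] = "SYN left on " + egress + ", no SYN-ACK on any interface"
        elif egress not in s["synack"]:
            verdicts[flow] = "SYN-ACK returned on " + ",".join(sorted(s["synack"])) + " (asymmetric)"
        else:
            verdicts[flow] = "handshake symmetric on " + egress
    return verdicts
```

Feed it the text output of one tcpdump run per interface; a flow whose SYN-ACK shows up only on the other NIC points at the asymmetric-routing or proxy-ARP theory, while a SYN with no reply anywhere points further out (switch or peer).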